Manufacturing industry hard hit by ransomware, Akamai finds
Recent findings by Akamai Technologies has revealed that nearly 30% of ransomware attacks worldwide launched by the world's largest ransomware gang, Conti, targeted the manufacturing industry. The business services and retail industries were the next most frequently targeted at 13.37% and 11.14%, respectively.
According to Forrester, as many as three in four manufacturers in Asia Pacific are prioritising innovation and automation for greater operational efficiency and resilience. As manufacturers begin to implement smart factories and adopt the Industrial Internet of Things (IIoT), more machines are getting networked to the internet. This has widened the attack surface and created new in-roads for attackers to enter a manufacturers network.
Dean Houari, director of security technology and strategy for APJ at Akamai, says, "Manufacturing is one of Asia Pacific's most valuable industries; it is estimated that the region can generate up to $600 billion a year in additional manufacturing output by 2030."
Houari continues, “Attackers remain financially motivated, and the manufacturing industry presents a prime target for ransomware attacks, since they cannot afford downtime and disruption especially when long supply chains depend on parts or products. Very often, manufacturers end up paying the ransom to reduce disruption to operations or the delivery of products to customers."
Akamai's findings are based on research into Conti, one of the worlds most prolific Ransomware-as-a-Service (RaaS) providers. Gangs like Conti have been leveraging the industry's rapid digitalisation for their benefit.
In providing RaaS, these gangs make their most effective tactics, techniques and procedures (TTPs) available by selling them to other hackers.
In the context of manufacturing, attacks can have far-reaching consequences, including supply chain disruptions. When disruptions happen in critical industries such as pharmaceuticals, food and beverage, transportation and even medical devices, the impact on the lives of citizens can be significant and long-term, the researchers state.
The ransomware attack on JBS SA, the largest meat producer globally, is an example that demonstrates the far-reaching impact of attacks on manufacturers. In the JBS case, attackers were able to forcibly shutdown all its U.S. beef plants, effectively stopping the production of a quarter of American meat supplies.
Ransomware attacks are, by definition, a lateral movement attack to paralyse a manufacturer's operations. Intruders should not be able to move laterally from system to system to encrypt data on critical servers and their backups and steal intellectual property, the researchers state.
Contrary to popular belief, segmentation does not need to be accomplished at the infrastructure layer, which can be complex and require multiple approaches when an organisation adopts new technologies.
Instead, manufacturers should start with a flat, underlying network and then apply a software-defined overlay that can work consistently across all of its environments and technologies, Akamai states. This will shrink the attack surface by breaking their network into small segments. Manufacturers should enforce this with a tight security policy between segments which they can set up based on environment, BUs, applications, compliance enclaves and so on.
All manufacturers are now a target for advanced persistent threats (APT). As such, they should preemptively create and plan breach mitigation policies to reduce response time once malware is detected, in the event that a persistent attacker gets in.
More importantly, plans should also be created for the recovery process to consider which applications and sections need to come back online first and create policies accordingly to keep them secure while the rest of the network is restored. To maximise damage, ransomware campaigns usually target the organisations backup application to encrypt the stored backup data.
Akamai concludes, to mitigate this, manufacturers should ring fence their critical applications or crown jewel servers and their backup. This will ensure that attackers do not gain additional leverage and prevent critical systems and business operations from coming to a halt.