The National Security Administration and the FBI have recently raised alarms over the growing threat of destructive Chinese cyberattacks on American critical infrastructure.
While manufacturers have certainly had their fair share of cyber threats over the years, most notably a recent surge in ransomware attacks, these attacks use different tactics, ones that manufacturers may be unfamiliar with.
Share Your Opinions on Manufacturing Technology
IndustryWeek is in the midst of our annual technology survey. We'd love to hear your thoughts on how well technology suppliers are supporting manufacturing and what's working (and not working) with your tech investments. People who complete the survey will enter a drawing for one of two $50 Amazon gift cards. Please take some time and share your thoughts.
Cyber threat actors in China, such as “Volt Typhoon,” are more technically advanced and well-resourced than other cybercriminal or ransomware groups in operation today. They are able to evade existing defenses and sneak inside manufacturers’ networks without being detected, hide inside them for many years, and launch sudden attacks to cripple operational technology (OT) systems.
China isn’t the only country doing this. Other foreign adversaries – particularly Russia and Iran – are developing similar capabilities that can be used across critical infrastructure sectors.
It is important for all companies to develop greater “cyber resilience” within their operational technology systems, to both prevent and recover from these attacks. Here are five steps toward doing so.
1. Maintain Accurate IoT/OT Asset Inventory
Sophisticated threat actors like Volt Typhoon move laterally across a network through a stealth tactic called “living off the land” (LOTL).
LOTL is different from a conventional cyber breach because instead of using malware, which is “noisy” and easier to detect, the threat actor takes advantage of legitimate assets already in use on the organization’s network. This makes it significantly harder for security teams to detect malicious activity. It’s important for manufacturers to follow CISA’s best practices, such as implementing detailed and centralized logging, proactively hardening IT and OT devices and monitoring IoT/OT devices for configuration and state drift—and most importantly, maintaining a current asset inventory of all connected devices.
2. Conduct Regular Device Risk Posture Assessments
Volt Typhoon first gains entry to an organization by compromising exposed IP-connected devices, such as routers, VPNs and firewalls. This is usually done by exploiting weak or stolen credentials or unpatched vulnerabilities.
This tactic is increasingly common among sophisticated attackers. That’s because the vast majority of network and IoT devices are not properly secured or managed. It is vital that manufacturers fix these basic problems. Our research has found that within major industries like manufacturing, 70% of these devices contain unpatched high to critical state vulnerabilities and 75% have default passwords.
3. Focus on Fundamental Device Security Hygiene
The ultimate goal of these attacks is to access the company’s operational technology systems. To do this, the threat actor will frequently hijack remote access accounts that employees and contractors use to manage OT systems, or compromise unmanaged/unmonitored IP-connected devices such as network gateways. Attackers also use their own custom tools from inside the manufacturer’s network – however, in most cases they still take advantage of default or stolen credentials, or an unpatched vulnerability, to get into the device.
This is why it is critical for manufacturers to maintain basic security hygiene across all of their connected devices, including password rotations, configuration management and firmware updates. Those basic steps will counteract the vast majority of even highly sophisticated cyber attacks.
4. Establish and Maintain Secure Device Configurations
State-sponsored cyber actors are actively using industrial control system (ICS) attack frameworks that take advantage of the native functionality and built-in weaknesses of OT/ICS devices. These malicious frameworks can gain control and subvert ICS devices by exploiting and weaponizing insecure features or settings, such as open remote network services and excessive privileges.
These product design weaknesses pose a fundamental challenge for manufacturer security. However, it is possible to mitigate these risks by hardening ICS devices, such as removing risky permissions and disabling remote services.
5. Remove Dangerous Devices
In 2022, the FCC issued a ban on the sale or importation of devices made by several Chinese manufacturers that it considers to pose “an unacceptable risk to national security of the United States or the security or safety of United States persons.” CISA Director Jen Easterly also recently warned that Chinese-made technologies, which are increasingly prevalent within U.S. critical infrastructure, are “ultimately controlled by the CCP.”
What this means for manufacturers is that legitimate devices – from camera systems and sensors to ICS equipment (or components) – could be used for covert data collection or to provide unauthorized access into the manufacturer’s systems through concealed backdoors. Future firmware updates to these devices could also install new malicious features that will bypass detection.
Manufacturers can reduce this risk by identifying and removing all high-risk devices. If removal isn’t possible, then they can take several device-level actions to limit these potential risks, such as changing passwords, disabling services and reducing connectivity.
Shifting to a “Left of Boom” Strategy
With the growing threat of destructive cyber attacks, manufacturers should evolve their security strategies to develop greater resilience within their OT systems. This means shifting from a passive “monitor and detect” strategy to a more proactive “left of boom” approach that focuses on preventing attacks by hardening the attack surface, limiting lateral movement and preventing the subversion of OT systems.
This requires hardening all IoT, OT and ICS assets by fixing common cyber-hygiene issues, including default passwords, outdated firmware, unpatched vulnerabilities, risky configurations (especially active remote network services) and more. It also requires constant device-centric drift monitoring to instantly alert the security team if any device suddenly deviates from this secure state – which may be a sign of an active attempt underway to hack the device.
Sonu Shankar, chief strategy officer of Phosphorus, has over 15 years of senior leadership experience in the cybersecurity industry where he's long been focused on trustworthy technologies, threat detection and cybersecurity strategy. He began his security career as a researcher at the Los Alamos National Laboratory in New Mexico. Sonu holds an MBA from The Fuqua School of Business at Duke University and a degree in computer engineering from Texas A&M University.