Hackers, ransomware and cyberattacks: What does it mean to a modern packaging production facility where connectivity is crucial? And what can be done?
Your production operations have been optimized with advanced servo-driven machinery, wireless communications, remote access for troubleshooting and other advanced automation resources and tools that deliver higher efficiency, lower downtime and ongoing cost savings.
What’s not to like? That would be the potential for opportunistic hackers and criminals to attack those systems with ransomware and other forms of cyberattacks. Seems there’s a dark cloud behind every silver lining and perhaps more so than ever for packagers and machinery builders in a highly connected, industrial internet of things (IIoT) environment.
Besides well-publicized cyberattacks with names like WannaCry and Petya and others that have targeted countries and companies including Equifax and Target Stores, in 2017 cybercriminals struck consumer packaged goods brands including Mondelez Intl., which had Q2 2017 revenue growth reduced by 3% due to a global cyberattack, and Merck, which was rocked by a ransomware attack in June.
Cybersecurity for packaging operations is a cautionary tale articulated by industry experts across two days during PMMI’s annual meeting held in early November in Richmond, VA, starting with a Day 1 keynote panel discussion entitled “Cybersecurity: Its impact on you and your customers.”
Moderator Brendan Rooney is the cyber practice leader with AHT Insurance, which offers customers an option to transfer cyberattack risk through the Ensconce Risk Management and Insurance Platform. Rooney pointed out that cybercriminals are opportunists. Unfortunately, among the vulnerabilities they target are industrial control systems, including those for supervisory control and data acquisition (SCADA) that are common in processing and packaging operations.
In one example of criminal opportunism, Jennifer Coughlin, a founding partner of Mullen Coughlin, a law firm “uniquely dedicated exclusively to representing organizations facing data privacy events, information security incidents, and the need to address these risks before a crisis hits,” cited the case of an 11-year-old student who hacked into the high-school library simply using his library log-in. It also showed that cybercriminals come in all ages.
Hackers don’t have to look far afield for resources. Did you know about the Shodan database, the “world’s first search engine for Internet-connected devices”? Intended for research, business and personal use, the searchable online database houses a listing of 40,000 automated machine systems and is accessible by anyone, including hackers.
Case Study: ei3 Corp.
Spencer Cramer of ei3 Corp., which assists companies with “the internet of things for manufacturing,” referenced a 2013 hack of the Rye Brook, NY, dam by an Iranian team that was kept secret by the FBI until 2016; fortunately, the dam was not near capacity when the breach via cellular modem and programmable logic controller occurred. PLCs are, of course, a popular component of numerous production systems.
Jason Rebholz, vp, Crypsis Group, noted that while brand owners realize the risks, it’s difficult for his firm to conduct a gap/prevention assessment on manufacturing operations because “once those lines are up and running, they don’t want to touch them.” Rebholz also offered these observations:
- Cyberattacks are becoming stealthier, more sophisticated, more targeted and more impactful;
- Prepare when you can, not when you have to;
- Implement and augment security controls at all levels;
- Events can be internal by disgruntled or ex-employees or external;
- Trust, but verify.
It’s not only remote access situations that can pose problems. Cramer noted that conventional on-site visits by technicians who bring their own laptops into a facility can expose operations and company networks to malware and viruses.
Beware of Ransomware
A more intimate setting provided the backdrop for a focused three-person panel discussion of ransomware, defined by moderator Rooney as “a type of malicious software that prevents or limits users from accessing their system, either by locking the system's screen or by locking the users' files unless a ransom is paid.” Files that are targeted include Word, Excel, PDFs and others.
Rebholz said Crypsis Group has responded to 300-400 plant-floor system hacks. “In the good-old days, one person could be impacted, until hackers realized the wider opportunities they had and cranked up the business model to encompass networks and organizations,” he said. “Ransomware now has a bigger impact, is weaponized and automated, and management is not going to be able to retrieve their data unless they pay up.”
A question was posed about whether there is any guarantee that, once paid, the cybercriminals would do what they said they’d do and decrypt the information.
Rebholz indicated that a standard part of the arrangement is that the hackers decrypt a small sample as proof. He rarely sees a ransomware transaction that isn’t successful once it is paid using Bitcoin.
“These are business people, albeit illegal business, and there’s honor among thieves,” he pointed out.
Rob Spiegel, chief editor on sister publication Design News, quoted these sobering words in an article posted earlier this month, Detecting the Cyber Enemy Within: “There are two kinds of companies: those that know they’ve been hacked and those that don’t know they’ve been hacked.”