Smell the Attack? Sensory-Immersive Cyber Range Training for Industry 4.0
Humanity has been through a number of industrial revolutions since the 1760s, and is now at its fourth cycle of sweeping industrial innovation, known as Industry 4.0. It is characterized by the ongoing automation of traditional manufacturing and industrial practices using modern smart technology. As such, it inherits risks and threats that apply to connected environments in new ways.
Put yourself in the following scenario. You’re a security analyst in a manufacturing company. Some of your equipment is connected to smart devices and controls, while other parts of the plant are not. You have just discovered an attacker has breached the part of your factory that produces chemicals, infecting dated Windows 7 operating systems on key production assets.
The affected Windows system is part of a human-machine interface (HMI) that enables operators to more easily control processes and settings on chemical reactors and mixing tanks. With malware on your production assets, the tank of chemicals begins to overheat, emitting light smoke. A warning light goes off in the control room as the reaction spins out of control. Control room operators frantically phone orders down to the plant floor and send runners sprinting to the control systems to manually override the compromised Windows 7 systems.
This realistic scenario is one of many IBM Security has designed into new cyber range training experiences for manufacturing companies. The smoke will not be real; it will be steam. And the overflowing tank will be water we dyed yellow. But in all other respects, the crisis will look and feel very real, down to working on networks linked to Windows 7-powered HMIs and running attack scenarios in real-time from a breach-and-attack-simulation platform that provides instant replays of real-world cyber assaults on factories and industrial facilities.
Cyber range training is designed to elicit the same sensory and cognitive experiences a team might get in a real cyberattack on a chemical plant. Operating under stress can help teams create muscle memory and confidence if ever the time comes to respond to similar situations in their plants.
The Industry 4.0 wave has pushed manufacturing companies to move quickly toward digital transformation, putting data in the cloud and using advanced analytics to improve previously opaque manufacturing processes. To acquire, aggregate and analyze data from legacy industrial assets, industrial companies are placing sensors and control systems on top of existing technologies. This is empowering factory teams to make better decisions about operating and production processes and giving finance teams and the C-suite better insights into plant performance and costs.
The dark side of Industry 4.0 is the risks it creates for manufacturing companies. More plant systems that were once air-gapped are now connected to the outside world and even accessible to the public internet in some cases. The risks in this digital world are much higher than in other realms. You can’t just shut down a production line or a power plant to ensure that all systems are properly patched. In fact, any changes to production-facing systems are considered incredibly risky because of the law of unintended consequences. Industrial companies are even reluctant to run standard network scanning and vulnerability detection tools against their systems for fear of overloading networks, impacting performance and increasing communications latency.
This reticence is understandable. Unlike attacks on a bank or a gaming company, attacks on manufacturing plants and industrial facilities physically impact our world. An attack on a plant or an industrial installation, such as a water filtration facility or a nuclear power plant, has real-world and often dangerous kinetic consequences that can affect human lives. Chemical and nuclear plants can explode. Dams can flood densely populated areas. Water pumps can deliver contaminated water to our homes. Drug production plants may lose delicate batches of biologic drugs that can poison people on top of the loss of tens of millions of dollars. Power plant shutdowns can plunge regions into darkness and risk traffic fatalities and chaos.
On top of these threats, connected manufacturing environments, which are very sensitive to downtime, have been a target for cybercriminals looking to turn a profit using ransomware. IBM Security X-Force has observed a general shift in ransomware attacks that now hit manufacturing companies hardest. These account for nearly a quarter of all the incidents the team responded to in 2020. Moreover, 41% of all ransomware attacks IBM Security X-Force analyzed in 2020 targeted organizations with operational technology (OT) networks. Because these are often high-stakes situations, ransom demands are increasing exponentially. In some cases, IBM Security X-Force is seeing ransom demands of more than $40 million per incident.
IBM’s industrial clients are looking to train their teams for cyberattacks in the most realistic scenarios possible. This means accessing new ways to run attack scenarios, down to the same log file readings and security control failures they see in their own networks. What they are asking for the most is the same cyber-experience their teams might encounter in real-world attacks. Those attack scenarios for a mixed IT and OT environment must go beyond the computer screen and into cyber range training, the realm of sight, sound and even smell.
A number of factors have come together to fuel growth in attacks on the industrial infrastructure of the world. To start, industrial companies are using new analytics platforms in their plants and moving data into the cloud where they can apply modern machine learning to find productivity improvements and operational anomalies. Inside these companies, a growing number of industrial assets are on the network, attached to an IP address.
At the same time, most of the industrial assets have Windows-powered user interfaces to simplify human control. Those Windows-powered interfaces tend to run on much older operating systems that have more security vulnerabilities than should be tolerated. Threat actors focus on exploiting these dated systems, which are often unpatched due to the reluctance of manufacturing OT teams to make changes out of fear that patching, or restarts, might cause production outages. Also, many of these systems are at end of life and no longer patched. Malicious groups know this and have made the connection that Industry 4.0 means they can finally gain access to these vulnerable systems.
Ransomware threat actors are seeking victims with a low tolerance for downtime, and manufacturing networks are a prime candidate. Organizations that require high uptime and can lose millions of dollars each day due to a shutdown may be more likely to pay a ransom to regain access to data and resume operations.
Some high-profile attacks are pulling in seven-figure payouts in a very short amount of time. This has attracted more attackers and even ransomware-as-a-service offerings for people or groups who lack the technical acumen to mount the attacks themselves. Ryuk, Sodinokibi and Valak are just a few of the malware families that have evolved into ransomware-as-a-service offerings, with their platform operators hosting ransomware operations for a cybercriminal customer base.
A growing list of advanced persistent threat (APT) groups play in both the nation-state and cyber criminal worlds. They add sophistication and stealth, making matters worse for manufacturers across the globe. This dual role of APT attackers has engendered knowledge sharing amongst them about Industry 4.0 attack types and created a larger pool of information for attackers on how to propagate these attacks. APTs are now seeking to earn money and wreak havoc — a double whammy that they view as a double win.
In the engagements IBM Security X-Force has remediated, several concerning trends have arisen in ransomware attack techniques and methodology. Of these, most concerning is a new emphasis on blended extortion-ransomware attacks — where threat actors steal sensitive company information before encrypting it. If victims refuse to pay for a decryption key, attackers will then threaten to release stolen information publicly.
This tactic places many victims in a catch-22 situation. Even if they are able to restore encrypted files from backup, they may suffer a data breach, loss of data and customer records and have to pay regulatory fines, not to mention repair a damaged reputation. In some cases, attackers were suspected of basing their ransom demands on the regulatory fines that organizations would have to pay, using that as another pressure tactic to make them consider paying.
With attackers stealing company data, ransomware attacks are also becoming data breaches, with the risk and implications that these types of incidents entail. This trend forces security management to re-assess risk and adjust incident response, disaster recovery and business continuity plans accordingly.
For the most part, Industry 4.0 attacks are crude denial-of-service or lockout attacks that primarily take over facilities and threaten to spin them out of control. The most famous industrial attack in recent memory is the Stuxnet worm that took down uranium centrifuges in Iran. But the reality is that breaking directly into the obscure code that controls industrial machinery is time-consuming and requires significant expertise that only exists at the very highest levels of information warfare. For Stuxnet, nation-sponsored teams likely labored for years and spent millions of dollars on research and development and staff time to penetrate the network and the centrifuges.
For Industry 4.0 attacks, it is far easier to shut down a plant or make it impossible for plant operators to control their systems by attacking the Windows HMI software rather than going deep into the obscure code of factory systems such as programmable logic controllers (PLCs), enterprise resource planning (ERP) and manufacturing execution systems (MES). It can be simpler for attackers to scale if they use an off-the-shelf Windows exploit that already has extensive literature online to compromise the control interface layer.
The attacks that IBM usually sees show up as one or more critical control systems suddenly becoming unresponsive, with the information coming from those systems becoming suspect or unreliable. For these attacks, rapid response time is crucial because they may start to spread laterally and become more challenging to contain.
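As an added illustration, not code from the IBM post, the following Python monitor turns the two symptoms just described (a control system that stops reporting, and telemetry that is no longer plausible) into detection logic run over a constructed set of HMI tag readings. The asset names, the tag name, the operating envelope, the maximum plausible step between readings and the staleness window are all assumptions chosen for the example; a plant would take those values from its process engineers.

```python
"""Heartbeat and plausibility monitor for HMI tag readings (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Reading:
    ts: datetime
    asset: str
    tag: str
    value: float


# Assumed operating envelope and plausibility limits for the example.
LIMITS: Dict[str, Tuple[float, float]] = {"temp_c": (20.0, 120.0)}
MAX_STEP: Dict[str, float] = {"temp_c": 10.0}   # largest plausible change between consecutive reads
STALE_AFTER = timedelta(seconds=30)             # no report within this window -> treat as unresponsive

# Constructed sample: one HMI tag read per line, "<iso-timestamp> <asset> <tag> <value>".
# reactor-3 stops reporting after 10:00:10; reactor-2 reports an impossible 135 C at 10:00:20.
SAMPLE_LOG = """\
2021-03-01T10:00:00 reactor-1 temp_c 85.0
2021-03-01T10:00:00 reactor-2 temp_c 88.0
2021-03-01T10:00:00 reactor-3 temp_c 84.0
2021-03-01T10:00:10 reactor-1 temp_c 86.0
2021-03-01T10:00:10 reactor-2 temp_c 89.0
2021-03-01T10:00:10 reactor-3 temp_c 84.5
2021-03-01T10:00:20 reactor-1 temp_c 86.5
2021-03-01T10:00:20 reactor-2 temp_c 135.0
2021-03-01T10:00:30 reactor-1 temp_c 87.0
2021-03-01T10:00:30 reactor-2 temp_c 90.0
2021-03-01T10:00:40 reactor-1 temp_c 87.5
2021-03-01T10:00:40 reactor-2 temp_c 90.5
2021-03-01T10:00:50 reactor-1 temp_c 88.0
2021-03-01T10:00:50 reactor-2 temp_c 91.0
"""

# The "current time" the monitor evaluates against (assumed, matches the last sample line).
NOW = datetime.fromisoformat("2021-03-01T10:00:50")


def parse_log(text: str) -> List[Reading]:
    """Parse the whitespace-separated tag log into Reading records."""
    readings: List[Reading] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, asset, tag, value = line.split()
        readings.append(Reading(datetime.fromisoformat(ts), asset, tag, float(value)))
    return readings


def find_anomalies(readings: List[Reading], now: datetime) -> List[Tuple[str, str, datetime]]:
    """Return (kind, asset, timestamp) for each finding.

    kind is one of:
      "out_of_range" - value outside the tag's operating envelope
      "jump"         - change from the previous read larger than MAX_STEP
      "stale"        - asset has not reported within STALE_AFTER of `now`
    """
    findings: List[Tuple[str, str, datetime]] = []
    last_seen: Dict[str, datetime] = {}
    prev_value: Dict[Tuple[str, str], float] = {}

    for r in sorted(readings, key=lambda x: x.ts):   # stable sort keeps file order within a timestamp
        last_seen[r.asset] = max(r.ts, last_seen.get(r.asset, r.ts))

        lo, hi = LIMITS.get(r.tag, (float("-inf"), float("inf")))
        if not lo <= r.value <= hi:
            findings.append(("out_of_range", r.asset, r.ts))

        key = (r.asset, r.tag)
        if key in prev_value and abs(r.value - prev_value[key]) > MAX_STEP.get(r.tag, float("inf")):
            findings.append(("jump", r.asset, r.ts))
        prev_value[key] = r.value

    for asset, ts in last_seen.items():
        if now - ts > STALE_AFTER:
            findings.append(("stale", asset, ts))
    return findings


def demo() -> List[Tuple[str, str, datetime]]:
    """Run the monitor over the constructed sample at the assumed current time."""
    return find_anomalies(parse_log(SAMPLE_LOG), NOW)


if __name__ == "__main__":
    for kind, asset, ts in demo():
        print(f"{ts.isoformat()} {asset}: {kind}")
```

Running it reports reactor-2 once for the out-of-range value and twice for the implausible jumps (up to 135 C and back down), and reactor-3 as stale because its last read is 40 seconds old. Checking jumps separately from the envelope matters: a value that is tampered with or a sensor that is frozen can stay inside the permitted range while still being wrong, and an asset that simply goes silent produces no value at all to range-check, which is why the heartbeat view is kept alongside the value checks.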
IBM wants to create something that goes beyond the screen and into the physical realm. For Industry 4.0 cyberattacks, IBM wants to create a safe environment in its cyber range training where security and operations teams from industrial companies can prepare for attacks without having to risk disruptions to their own internal IT infrastructure and production lines. Beyond IT, IBM wants the attack to look and feel eerily similar to what an industrial process disruption might look like on the plant’s floor.
By engaging all the senses, teams in cyber range training will learn to think more holistically about attacks. They will get ahead of the curve in mapping indicators of compromise that appear in their threat intelligence feeds and alerts flashing in their Slack or Teams channels to the second- and third-order impacts of control outages resulting from these attacks. In a future post, we will cover what we have learned in terms of how guarding against, preparing for and responding to an Industry 4.0 attack is different from other economic sectors.
IBM Security Command Center cyber range training can help you build and test incident response teams and playbooks. Experienced instructors facilitate hands-on experiences and demonstrate the most effective practices gathered from mature industries and organizations. They guide your teams through realistic breach scenarios that help them learn crisis management skills and build a better security culture that will improve your industrial cybersecurity posture.
Wish to learn more about building an effective cyber incident response with IBM Security Command Center? Start here.