The Colonial Pipeline ransomware is a foretelling lesson for manufacturing resiliency
By John Livingston, Verve Industrial CEO, and Ron Brash, Verve Industrial director of cybersecurity insights
At first, one might ask, "What does a ransomware attack on a pipeline have to do with manufacturing?"
Although this attack received a lot of press because of Colonial’s position as a major energy-delivery provider, the attackers, as they said in their tweet on Monday, are only in it for the money and in fact made a mistake in disrupting “society.” Today’s cyber-attackers will go after whichever targets are most likely to pay, whether pipelines or manufacturers.
This is only the most public attack because of its impact on society. The recent impacts on Westrock, Molson-Coors, and many other manufacturers highlight the cyber-risks to manufacturing reliability, even if they did not get as much press. Like oil and gas, manufacturing has complex value chains in which a disruption can affect many players up and down the chain.
Key lessons for manufacturing to learn from this incident include:
- Industrial organizations are now a cyber-target. For-profit ransomware vendors such as DarkSide, which the FBI has now named as the attacker on Colonial Pipeline, have replaced the “personal information brokers” as the driving force of cyber-threats. Because the financial impact of ransomware is so costly to industrial companies such as manufacturers, attackers find them to be attractive targets. In fact, manufacturing became the second-most targeted industry in 2020.
- Security is really about resiliency. In Colonial’s case, the company isolated systems to protect operations from further damage. Most companies have developed robust business-continuity or disaster-recovery plans, but few have invested significantly in cybersecurity. Cyber is now likely one of the top three business-continuity risks that manufacturers face. Are they devoting the same attention to it as they are to other supply chain risks?
- Knock-on effects or industry “externalities” mean that it’s not just your problem; it is your vendors’ and customers’ problem, too. Modern supply chains with just-in-time production and complex tiers of vendors were built on visibility and resilience of that chain. As Colonial demonstrated, a successful attack in one step has ripple effects up and down the chain—to storage at one end and customers at the other.
- This “externality” issue may drive government regulators to step in more forcefully than they have in the past. For the most part, government regulates where markets fail. When private incentives do not consider the wide range of externalities, regulations shift the incentives. We are already hearing that the administration may implement new industrial cyber-guidelines.
So, what can manufacturers do to respond in the face of this attack and be prepared to defend and respond in the future? Here are some actions to consider:
- Conduct a cyber-resiliency assessment and tabletop exercise. What are your biggest cyber risks? What is the impact of a negative event? What is the best course of action if systems are attacked, that is, which response allows the least damage and the fastest return to normal operations?
- Bring IT and operational technology (OT) resources together to develop a cybersecurity roadmap focused on a data-based assessment of the risks in both IT and OT systems. The solutions likely will differ given the sensitivity of manufacturing devices such as PLCs, drives, etc., but the overall objectives should be aligned.
- Make investments in key cyber-protection areas that can reduce the risk of outage costs for your organization. Likely investments include network segmentation, endpoint patch and configuration management, automatic backups of critical systems, and ongoing management of security controls to ensure they are maintained and updated. Most manufacturing organizations are insufficiently separated, and an incident within business infrastructure will almost certainly cross over and affect operations. Cybersecurity basics go a long way toward reducing risk to tolerable levels, but be ready to recover, especially where legacy and end-of-life systems exist.
- Work with supply chain partners on coordinated efforts to address risks to the end-to-end delivery of products and design cyber-contingency plans for different elements.
Overall, the Colonial Pipeline attack should be a wake-up call to make cyber a much more prominent topic in manufacturers’ risk assessments. Ultimately, this incident may signal that manufacturing is becoming a frontier of cybersecurity as it continues to be a highly targeted industry in 2021.
Colonial or not, ransomware is among the most prominent and disruptive threats to manufacturing and your operations, especially as we move to IIoT, the cloud, and digitalization, and as we increasingly focus on optimization or data analytics.