6 Common IIoT Cyberattacks Manufacturers Should Know
Over the past few years, the manufacturing industry has experienced nearly every possible setback. From rising labor and material costs to supply chain issues, manufacturers have seen year-over-year profit declines. In September 2023, the US Census Bureau reported an overall after-tax profit loss of $64.3 billion between Q2 2022 and Q2 2023. To reduce costs, many companies adopted new Industrial Internet of Things (IIoT) technologies that enable them to reduce operating costs, manage supply chains, and anticipate maintenance needs. However, these technologies also create new risks, because threat actors target them during cyberattacks.
Visibility into both the most common attack types facing their industry and their own IIoT device deployments lets manufacturers improve their security posture.
Common Attack Types
Although attackers continue to evolve their methodologies, they often use similar types of attacks that have historically been successful, especially when targeting a specific industry that has unique security issues. By understanding the most common attacks, manufacturers can implement more effective risk mitigation strategies and controls.
Ransomware
Ransomware attacks remain a primary attack method because they enable attackers to get a two-for-one benefit. In response to organizations improving backup and business recovery capabilities, attackers increasingly engage in double-extortion ransomware attacks which:
- Encrypt data, making systems unusable and only releasing the decryption key if the company pays the ransom
- Exfiltrate data, threatening to release it on the dark web unless the organization pays the ransom
Malware
Ransomware is the square to malware’s rectangle: all ransomware is malware, but not all malware is ransomware. Malicious actors deploy many malware variants, each enabling a different kind of attack.
For example, some malware that threat actors may use against manufacturers and their IIoT/IT environments include:
- Infostealer: harvests login IDs, passwords, and other credentials from the compromised computer
- Botnet malware: enrolls the device in a network of attacker-controlled machines that can be commanded collectively
These malware variants enable attackers to engage in the following attack types:
- Password guessing attacks: At a minimum, infostealer malware gives attackers the login IDs that people use to access systems and networks. Armed with this data, they can automate attempts with common weak passwords until they find a match that grants unauthorized access.
- Impersonation attacks: If the infostealer captures a current login ID and password, the attackers can use them to impersonate that user.
- Denial of Service (DoS) attacks: Using the devices enrolled in a botnet, attackers flood a target host with more traffic than it can handle, taking it offline.
Eavesdropping
IIoT devices lack many of the basic security functions that enterprise IT devices contain, such as encrypted communications and mutual authentication. When they connect to corporate networks or the public internet, this creates both device-level and network-level risk, because attackers can intercept or tamper with their communications.
Two common types of eavesdropping attacks connected to IIoT devices include:
- Replay attacks: By eavesdropping on the network (often a wireless segment), attackers capture a legitimate message, such as a command to a controller, and resend it later. Because the message was genuinely produced by an authorized sender, a receiver that only checks who sent it will accept the copy. If the protocol also lacks integrity protection, the attacker can modify the captured message before sending it on.
- Man-in-the-middle: Attackers position themselves between two communicating devices, for example via ARP spoofing or a rogue access point, so that traffic passes through them; they can then read, modify, or drop data in transit.
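The replay case above, as an added example that is not part of the original article: a constructed setpoint command protected by an HMAC. The "naive" receiver checks only that the tag is valid, so a captured frame can be replayed and the setpoint silently reverted. The "hardened" receiver also requires a strictly increasing per-controller sequence number. The shared key, message layout and field names are assumptions for the demo; a production device would use per-device provisioned keys.

```python
"""Replay protection for an authenticated IIoT command message (added example)."""
import hashlib
import hmac
import json

# Constructed demo key; real deployments provision a unique key per device.
KEY = b"demo-shared-key-not-for-production"


def sign(payload: dict) -> bytes:
    """Serialize the command deterministically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def _verify_tag(message: bytes) -> dict:
    """Return the parsed command if the tag is valid, else raise ValueError."""
    body, _, tag = message.rpartition(b".")
    expected = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad tag")
    return json.loads(body)


class NaiveReceiver:
    """Authenticates the sender but has no memory of what it already accepted."""

    def __init__(self):
        self.setpoint = None

    def handle(self, message: bytes) -> bool:
        try:
            cmd = _verify_tag(message)
        except ValueError:
            return False
        self.setpoint = cmd["setpoint"]
        return True


class HardenedReceiver:
    """Same tag check, plus a strictly increasing sequence number per controller."""

    def __init__(self):
        self.setpoint = None
        self.last_seq = {}

    def handle(self, message: bytes) -> bool:
        try:
            cmd = _verify_tag(message)
        except ValueError:
            return False
        sender, seq = cmd["controller"], cmd["seq"]
        if seq <= self.last_seq.get(sender, -1):
            return False  # replayed or out-of-order frame: reject
        self.last_seq[sender] = seq
        self.setpoint = cmd["setpoint"]
        return True


def demo() -> dict:
    """Operator raises the setpoint, then lowers it; attacker replays the first frame."""
    raise_cmd = sign({"controller": "plc-7", "seq": 1, "setpoint": 80})
    lower_cmd = sign({"controller": "plc-7", "seq": 2, "setpoint": 20})
    captured = raise_cmd  # eavesdropper on the wireless segment stored this frame

    naive, hardened = NaiveReceiver(), HardenedReceiver()
    for rx in (naive, hardened):
        rx.handle(raise_cmd)
        rx.handle(lower_cmd)

    return {
        "naive_accepted_replay": naive.handle(captured),
        "naive_setpoint": naive.setpoint,
        "hardened_accepted_replay": hardened.handle(captured),
        "hardened_setpoint": hardened.setpoint,
    }


if __name__ == "__main__":
    print(demo())
```

The tag alone proves the frame came from a key holder at some point in time; only state on the receiver (a sequence number, a nonce cache, or a tight timestamp window) proves it is not a copy. A tampered frame fails the tag check in both receivers.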
SQL Injection
IIoT devices typically transmit their data to an associated web-based application backed by a database. In a SQL injection attack, the attacker supplies crafted input, in a request parameter or even in a device-supplied field such as a device ID or sensor name, that the application inserts into a database query without sanitizing it, changing the query’s meaning. In the IIoT case, the malicious input may enter through the device or gateway that forwards data to the application. When the database executes the altered query, the vulnerable application returns the results, which may include credentials or other sensitive records, to the attacker.
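The injection path described above, as an added example rather than code from the article: a simulated telemetry lookup in the web application that an IIoT gateway reports to. The table names, columns and rows are constructed, and the in-memory SQLite database stands in for the real backend. The vulnerable function concatenates the device ID into the query; the safe one binds it as a parameter.

```python
"""SQL injection via an IIoT device identifier, and the parameterized fix (added example)."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: sensor readings plus an operators table the attacker wants."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE readings(device_id TEXT, temp_c REAL);
        CREATE TABLE operators(username TEXT, password_hash TEXT);
        INSERT INTO readings VALUES ('press-01', 71.5), ('press-02', 68.0);
        INSERT INTO operators VALUES ('admin', '$2b$12$constructed-hash');
        """
    )
    return conn


def readings_vulnerable(conn: sqlite3.Connection, device_id: str) -> list:
    # The device identifier, which arrives from the gateway, is pasted into the SQL text.
    sql = f"SELECT device_id, temp_c FROM readings WHERE device_id = '{device_id}'"
    return conn.execute(sql).fetchall()


def readings_safe(conn: sqlite3.Connection, device_id: str) -> list:
    # The driver binds device_id as data; it cannot alter the statement's structure.
    sql = "SELECT device_id, temp_c FROM readings WHERE device_id = ?"
    return conn.execute(sql, (device_id,)).fetchall()


# A "device ID" crafted to close the string literal and append a second SELECT.
# The trailing comment marker swallows the application's closing quote.
MALICIOUS_ID = "x' UNION SELECT username, password_hash FROM operators --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", readings_vulnerable(db, MALICIOUS_ID))  # leaks operators rows
    print("safe:      ", readings_safe(db, MALICIOUS_ID))        # no such device: []
```

The same fix applies whatever the database: never build query text from device-supplied strings, and treat identifiers that come from the plant floor with the same suspicion as input from a browser.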
Supply Chain Attacks
IIoT devices are not held to a single binding security standard. Device vendors often hardcode default credentials in firmware or the underlying source code, where anyone with a copy of the firmware can recover them. With default credentials, attackers can log in to the device, exploit vulnerabilities in its system software, or pivot to the connected application.
Further, many IIoT devices lack the software and firmware update mechanisms that traditional IT systems have. They may run for months or years with unpatched vulnerabilities, indefinitely if the vendor never provides a fix. Meanwhile, attackers increasingly hijack the update channel itself, delivering malicious firmware to devices that do not verify an update’s signature before installing it.
Unique IIoT Security Issues
While manufacturers have compelling reasons to pay a ransom, attackers also recognize that their digital infrastructures can be easier to compromise. The unique security issues arising from Industrial Internet of Things (IIoT) devices give threat actors additional opportunities to succeed, improving the attack’s return on investment.
Expanded Attack Surface
As manufacturers increasingly connect their IT environments to IIoT devices on the manufacturing floor, they expand their attack surface. While IIoT enables manufacturers to track assets and optimize processes, it also introduces risks arising from the devices’ inherently insecure technologies.
Unpatched Vulnerabilities
IIoT software differs from traditional IT software. The devices typically run highly customized or embedded systems that combine firmware, middleware, and an operating system, often without a straightforward patch process. As a result, organizations struggle to identify and patch IIoT vulnerabilities, making the devices an easy target for attackers looking to gain access to networks.
Misconfigured Network Segmentation
To protect risky assets like IIoT, many organizations introduce protections at the network level. Network segmentation lets manufacturers limit the connections between risky devices and the broader IT environment. Properly segmenting networks is hard for organizations whose architectures have been in place for a long time. In many cases, rules are loosened or exceptions added to avoid disrupting communication that production depends on, since a blocked connection can mean an operational outage. Unfortunately, these exceptions accumulate into misconfigurations that leave gaps cybercriminals can exploit.
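One way to catch the exceptions described above, as an added example that is not from the article: audit the allow rules between the IT and OT zones and flag anything that is not an explicitly approved source and service. The zone ranges, the rule format, the approved-flow list, the protocol port table and the sample rules are all constructed assumptions for illustration; real rule sets would be exported from the firewall.

```python
"""Flag permissive IT-to-OT firewall rules (added example, constructed data)."""
import ipaddress

# Assumed zone layout.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "OT": ipaddress.ip_network("192.168.50.0/24"),
}
# Assumed approved flows: (single source host, destination port).
ALLOWED_IT_TO_OT = {("10.10.5.20", 4840)}  # historian polling OPC UA
# Industrial protocol ports worth calling out by name.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 102: "S7comm", 4840: "OPC UA", 44818: "EtherNet/IP"}

# Constructed rule set in a simplified vendor-neutral shape.
RULES = [
    {"name": "historian-opcua", "action": "allow", "src": "10.10.5.20/32", "dst": "192.168.50.0/24", "dport": 4840},
    {"name": "temp-vendor-access", "action": "allow", "src": "10.10.0.0/16", "dst": "192.168.50.10/32", "dport": "any"},
    {"name": "mes-modbus", "action": "allow", "src": "10.10.7.0/24", "dst": "192.168.50.0/24", "dport": 502},
    {"name": "ot-internal", "action": "allow", "src": "192.168.50.0/24", "dst": "192.168.50.0/24", "dport": "any"},
    {"name": "backup-agent", "action": "allow", "src": "10.10.9.4/32", "dst": "192.168.50.0/24", "dport": 445},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": "any"},
]


def audit(rules: list) -> list:
    """Return (rule name, reason) for each allow rule that opens IT into OT outside the approved list."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"], strict=False)
        dst = ipaddress.ip_network(r["dst"], strict=False)
        # Only IT-sourced (or broader) traffic reaching the OT zone is in scope.
        if not (dst.overlaps(ZONES["OT"]) and src.overlaps(ZONES["IT"])):
            continue
        approved = src.num_addresses == 1 and (str(src.network_address), r["dport"]) in ALLOWED_IT_TO_OT
        if approved:
            continue
        if r["dport"] == "any":
            reason = "any-port allow from IT into OT"
        elif r["dport"] in OT_PROTOCOL_PORTS:
            reason = f"{OT_PROTOCOL_PORTS[r['dport']]} exposed to IT source"
        else:
            reason = "unapproved IT source reaching OT"
        findings.append((r["name"], reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```

Running this periodically against the exported rule base turns "temporary" vendor access and forgotten agent rules into tickets instead of silent gaps.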
Best Practices for Securing IIoT Devices
As your company adopts more IIoT devices to reduce administrative costs, you should consider implementing a specialized solution for managing their security.
Identify Devices and Assess Vulnerability Risk
IIoT devices are unique in that traditional asset identification tools, which actively probe devices, can disrupt or even crash them. A passive scanner designed with these quirks in mind can provide the device information you need and let you assess your risk appropriately.
A passive scanner inspects packets already on the network instead of initiating traffic that could take a device offline. Through this packet inspection, it can build an accurate profile of each connected device that contains the following information:
- Operating system
- IP address
- MAC address
- Port numbers
- Hostname
- Firmware or software version number
By integrating this data with other enterprise IT technologies like your configuration management database (CMDB), vulnerability scanners, and network access control (NAC) tools, you can create a comprehensive device risk score that enables you to better understand your overarching cybersecurity posture.
Scan for Vulnerabilities and Prioritize Remediation Actions
When you have a technology that understands your IIoT devices and environment, you can monitor and manage security more effectively. When you can aggregate and correlate multiple data points, you can more efficiently mitigate vulnerability risks across your deployment. For example, you should look for a solution that enables you to identify:
- Devices containing vulnerabilities
- Threat actors’ ability to use the insecure devices in an attack
- The impact that an attack on those devices would have on operations and human safety
However, to manage these risks efficiently, you need to prioritize your remediation activities based on the overarching risk level. To gain the insights necessary, you should look for a solution that allows you to prioritize actions by aggregating and analyzing:
- Manufacturer-supplied security data
- Open-source software components
- Vulnerability criticality
- Current attack methods using the vulnerability
If you find devices containing vulnerabilities that have no patches available, you need to implement compensating controls to mitigate risks. Your IIoT security monitoring solution should provide simple, short, and effective recommendations, like:
- Deactivating unnecessary services without impacting production function.
- Blocking risky services with a Network Access Control (NAC) tool.
- Hardening vulnerable devices by updating their configurations.
- Implementing micro-segmentation when altering configurations would affect the IIoT device’s operation.
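The prioritization and compensating-control steps above, worked as one added example. This is illustrative code written for this article, not the vendor’s scoring algorithm: the weights, the likelihood and impact formulas, and the constructed findings (identifiers like "finding-1" are placeholders, not real CVE IDs) are all assumptions. It combines vulnerability criticality, an EPSS-style exploit probability, observed exploitation, and operational/safety impact, discounts likelihood when a control such as a blocked service already limits exposure, and derives the recommended action from whether a patch exists.

```python
"""Rank IIoT findings by likelihood x impact and recommend an action (added example)."""
from dataclasses import dataclass


@dataclass
class Finding:
    device: str
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # vulnerability criticality, 0..10
    epss: float            # EPSS-style probability of exploitation, 0..1
    exploited_in_wild: bool
    impact: int            # 1..5 operational/safety impact if compromised
    patch_available: bool
    service_blocked: bool  # compensating control already in place (NAC/firewall)


def likelihood(f: Finding) -> float:
    """Assumed blend: 40% criticality, 40% exploit prediction, 20% bonus for active exploitation."""
    score = 0.4 * (f.cvss / 10) + 0.4 * f.epss + (0.2 if f.exploited_in_wild else 0.0)
    if f.service_blocked:
        score *= 0.25  # reachable only if the control is bypassed
    return round(min(score, 1.0), 3)


def risk(f: Finding) -> float:
    return round(likelihood(f) * (f.impact / 5), 3)


def recommend(f: Finding) -> str:
    if f.patch_available:
        return "patch"
    if f.service_blocked:
        return "monitor; existing control already limits exposure"
    return "block service at NAC/firewall or micro-segment the device"


def prioritize(findings: list) -> list:
    """Highest risk first: (risk, device, vuln_id, recommended action)."""
    return sorted(((risk(f), f.device, f.vuln_id, recommend(f)) for f in findings), reverse=True)


# Constructed findings for the demo.
FINDINGS = [
    Finding("plc-line3", "finding-1", 9.8, 0.90, True, 5, False, False),
    Finding("hmi-packaging", "finding-2", 9.8, 0.90, True, 5, False, True),
    Finding("sensor-gw", "finding-3", 7.5, 0.05, False, 2, True, False),
    Finding("badge-reader", "finding-4", 5.3, 0.01, False, 1, True, False),
]


if __name__ == "__main__":
    for row in prioritize(FINDINGS):
        print(row)
```

Note how the two identical vulnerabilities on the PLC and the HMI separate once the existing control is counted: the unprotected PLC tops the list with a segmentation recommendation, while the already-blocked HMI drops behind it but still ranks above the patchable, low-impact devices.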
Incorporate IIoT Monitoring into Detection and Response
As part of a layered approach to security, you should continuously monitor your networks and IIoT devices for anomalous behavior and incorporate the data into your security team’s alerts. With high-fidelity alerts that incorporate IIoT data, your team can improve detection capabilities while reducing time-consuming false alerts.
Further, your solution should enable them to collect and analyze technical forensic data so they can correlate it with other information like:
- Memory captures from servers
- Traffic information from network devices
- Records of data transferred to file servers, for example over FTP
With a solution that can capture network packet data, your team can trace an attack back to its root cause faster. Moreover, you have all the information necessary for providing reports to law enforcement so they can work to identify the malicious actor.
Asimily: Enhanced IIoT Security to Mitigate Cyber Attack Risks
Asimily provides holistic context into an organization’s environment when calculating Likelihood-based risk scoring for devices. Our vulnerability scoring considers the compensating controls so you can more appropriately prioritize remediation activities.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
Asimily customers are 10x more efficient because the engine can pinpoint and prioritize the top 2% of problem devices that are High-Risk (High Likelihood of exploitation and High Impact if compromised). Asimily’s recommendations can easily be applied in several ways, including through seamless integration with NACs, firewalls, or other network enforcement solutions.
Schedule a consultation with an Asimily expert to see how you can efficiently prioritize and remediate vulnerabilities with the leading IIoT risk management platform.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.