You might think your company doesn’t have much in common with the largest shipping company in the world, but if you’re a manufacturer, it’s increasingly likely that your business will be targeted via ransomware.
Maersk, a Danish company, was hit especially hard in 2017 when it, like many other European businesses, fell victim to a campaign that used NotPetya, a modified version of the Petya ransomware, bringing down IT systems and operations across the board.
Ransomware has become a very lucrative tactic for malicious actors. As evidenced by the Maersk attack, no business—regardless of size—is immune from the threat of ransomware, including manufacturers.
There are lessons to be learned from the attack, as Maersk executives themselves have said, but first, a little background on the situation. Maersk has close to 90,000 employees and offices in 130 countries. The campaign spread rapidly by using EternalBlue, the leaked US National Security Agency exploit that targets Microsoft Windows systems. The firm was forced to halt operations as the ransomware spread quickly through its systems. In total, Maersk reinstalled 4,000 servers, 45,000 PCs, and 2,500 applications in what the chairman called a "heroic effort" over ten days, a job he said would normally have taken up to six months (https://www.zdnet.com/article/maersk-forced-to-reinstall-4000-servers-45000-pcs-due-to-notpetya-attack/). Their Q3 results were negatively impacted by $300 million.
Maersk Chairman, Jim Hagemann Snabe, said the ransomware attack was a "very significant wake-up call for Maersk, and you could say, a very expensive one. We were basically average when it came to cybersecurity, like many companies. This was a wake-up call not just to become good, but to have cybersecurity as a competitive advantage."
Part of the problem is that this vertical has typically been very resistant to patches and other security updates, because they can slow down production. The Maersk example shows that being proactive about security can actually save you significant time.
If some of the largest companies in the world can be brought to a grinding halt, it’s time to think about preventative steps you should take:
- Do a complete inventory of your systems, from the installed hardware all the way up to the software and its patch levels. That way, when you get a notification of a new vulnerability affecting one of those machines, you can quickly see how many machines are affected.
- Once the inventory is done, you can install updated agents that don't slow things down when you need to roll out a fix.
- Get notified when new machines appear on the network. It's not an uncommon ploy for a malicious actor to place a machine on an unprotected network to do a little reconnaissance and determine what vulnerabilities are there. Alerting on new machines lets you shut down an intruder as soon as possible.
- Install specialised inline devices designed to fully understand the various protocols running within a manufacturing operation. These protocols are typically proprietary, so make sure you have, either built into your firewall or as a separate point product, an IDS or IPS solution that understands them and can point out anomalous behavior on the network.
- Ensure you have visibility via a SIEM solution. There should be a single dashboard that monitors not only the operational health of the network but also its security posture and whether new risks have emerged. A good SIEM solution is the obvious choice for rolling up all of your solutions, but you can also leverage the dashboards built into the various products you're installing.
- Consider an expert advisor. If you have a CISO in your company, that person can oversee these solutions. If not, the people responsible for implementing them are typically operations managers or directors. Since security isn't necessarily their area of expertise, and your entire operation can hinge on an effective and comprehensive solution, consider a virtual CISO or bringing in a trusted advisor.
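As an added example (not code from the original article, and not anything Maersk runs), the Python script below ties the inventory, new-machine notification and SIEM steps together: an asset list with OS and installed patch levels, a lookup that answers "which machines are affected by this advisory", a scan of DHCP server log lines for machines whose MAC address is not in the inventory, and a roll-up of both checks into events a SIEM dashboard could ingest. Every host, address, patch identifier and log line is constructed for the example; the log lines are modelled on ISC dhcpd syslog output, and the patch identifiers are placeholders rather than real vendor bulletin numbers.

```python
import re
from dataclasses import dataclass


# --- Step 1: the inventory ----------------------------------------------------
# Constructed sample data: hypothetical hosts, addresses and patch ids.
@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    mac: str
    os: str
    role: str
    patches: frozenset = frozenset()  # identifiers of patches already installed


INVENTORY = [
    Asset("hmi-line1", "10.10.1.10", "00:1a:2b:00:00:01", "Windows 7", "HMI",
          frozenset({"P-2016-11"})),
    Asset("hist-01", "10.10.1.20", "00:1a:2b:00:00:02", "Windows Server 2012 R2",
          "historian", frozenset({"P-2016-11", "P-2017-03"})),
    Asset("eng-ws-03", "10.10.1.30", "00:1a:2b:00:00:03", "Windows 10",
          "engineering", frozenset({"P-2017-03"})),
    Asset("plc-gw-01", "10.10.1.40", "00:1a:2b:00:00:04", "Linux", "OT gateway"),
]


def hosts_missing_patch(inventory, os_prefix, patch_id):
    """Given an advisory ("patch X for OS family Y"), return the hostnames that
    are in scope for that OS family and do not have the patch installed."""
    return sorted(a.hostname for a in inventory
                  if a.os.startswith(os_prefix) and patch_id not in a.patches)


# --- Step 3: new machines on the network --------------------------------------
# Constructed DHCP server log, modelled on ISC dhcpd syslog lines.
DHCP_LOG = """\
Jun 27 10:15:03 dhcp01 dhcpd: DHCPACK on 10.10.1.10 to 00:1a:2b:00:00:01 (hmi-line1) via eth1
Jun 27 10:15:09 dhcp01 dhcpd: DHCPACK on 10.10.1.30 to 00:1a:2b:00:00:03 (eng-ws-03) via eth1
Jun 27 10:16:41 dhcp01 dhcpd: DHCPDISCOVER from de:ad:be:ef:00:01 via eth1
Jun 27 10:16:41 dhcp01 dhcpd: DHCPACK on 10.10.1.77 to de:ad:be:ef:00:01 (laptop-7f3a) via eth1
Jun 27 10:17:02 dhcp01 dhcpd: DHCPACK on 10.10.1.20 to 00:1a:2b:00:00:02 (hist-01) via eth1
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<name>[^)]*)\))?")


def parse_dhcp_acks(log_text):
    """Yield (ip, mac, name) for every DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac"), m.group("name") or ""


def unknown_hosts(inventory, log_text):
    """Any MAC that was handed a lease but is absent from the inventory is either
    a machine that was installed without being recorded or an intruder's box;
    both deserve an alert. Returns {mac: (ip, advertised hostname)}."""
    known_macs = {a.mac for a in inventory}
    return {mac: (ip, name) for ip, mac, name in parse_dhcp_acks(log_text)
            if mac not in known_macs}


# --- Step 4: roll both checks up for the SIEM dashboard ----------------------
def build_events(inventory, advisory, log_text):
    """Return a list of flat dicts, one per finding, in a shape a SIEM can ingest."""
    events = []
    for host in hosts_missing_patch(inventory, advisory["os_prefix"], advisory["patch_id"]):
        events.append({"type": "missing_patch", "severity": "high",
                       "host": host, "patch": advisory["patch_id"]})
    for mac, (ip, name) in unknown_hosts(inventory, log_text).items():
        events.append({"type": "unknown_host", "severity": "medium",
                       "host": name or ip, "mac": mac, "ip": ip})
    return events


if __name__ == "__main__":
    # Constructed advisory: "patch P-2017-03 is required on all Windows hosts".
    advisory = {"os_prefix": "Windows", "patch_id": "P-2017-03"}
    for event in build_events(INVENTORY, advisory, DHCP_LOG):
        print(event)
```

With the constructed data, the advisory lookup flags only `hmi-line1` (the Linux gateway is out of scope, and the other two Windows hosts already carry the patch), and the DHCP scan flags the one lease handed to a MAC that the inventory has never seen. In a real deployment the inventory would be fed from the agents in the second step and the log lines from the DHCP server or a switch's MAC table, but the two questions the script answers are the same ones the list above asks.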