What’s Wrong with Manufacturing?

In last year’s edition of security navigator We noticed that the manufacturing industry appeared to be completely overrepresented in the cyber-extortion victims dataset. .

Manufacturing is also the most represented industry in the CyberSOC dataset, contributing to more incidents than any other sector.

This trend has been confirmed in 2023. So let’s explore some possible explanations.

and expose them.

Look for possible explanations

Manufacturing remains the most affected industry in the 2023 Cyber ​​Extortion dataset, tracked by monitoring double extortion leak sites. In fact, since he began monitoring leaked sites in early 2020, the sector now accounts for more than 20% of all victims.

Approximately 28% of all clients belong to the manufacturing industry, which accounts for 31% of all potential incidents investigated.

58% of incidents handled by this industry are internal, 32% are external, and 1% are classified as “partners” or third parties. When external attackers caused her security incidents, her top three threat actions were web attacks, port scans, and phishing.

On the other hand, the manufacturing industry has the lowest number of identified security vulnerabilities per IT asset in the vulnerability scan dataset. Meanwhile, our pentesting team reports 4.81 CVSS results per day. This is well above the 3.61 average for all other industries.

It raises a few questions, which we will consider here.

1. What role does operational technology play?
2. Are Manufacturing Companies More Vulnerable?
3. Are manufacturing being targeted intentionally?
4. Are your manufacturing clients experiencing more incidents?

What role does OT play?

A tempting assumption is that manufacturing sector businesses are being compromised more frequently via notoriously insecure operational technology (OT) or Internet of Things (IoT) systems. Manufacturing is an easy target for extortionists, as plants and factories often cannot afford to shut down or shut down.

It certainly sounds plausible. The problem is that these theories are not supported by data.

The attack on US energy giant Colonial Pipeline is perhaps the most notable recent example of a successful attack on an industrial facility.

In July of this year, US intelligence agencies even warned about a hacking toolset called “Pipedream” designed to target specific industrial control systems. However, it is not clear if and when these tools have ever been used in the wild. Aside from his infamous 2010 Stuxnet attack, he has trouble remembering a single cybersecurity incident where an OT system was the entry point.

In Colonial Pipeline, the backend “traditional” management system was compromised first. Looking more closely, this is the case for almost all reported incidents at industrial facilities.

Are companies in the manufacturing sector more vulnerable to attacks?

To answer this question, we examined a sample of 3 million vulnerability scan results and 1,400 ethical hacking reports.

We have derived three metrics that facilitate somewhat normalized comparisons across client-based industries.

VOC scan results by asset, time to patch, and pen test results per test day.

Ranking the industries by their performance on each of these metrics, sorted from worst to best, clients in the manufacturing sector rank fifth out of 12 comparable industries.

The chart below shows the overall *ranking* of manufacturing clients in comparable industries.

VOC specific findings/assets

There were seven other industries that performed better than manufacturing on this metric.

The scan dataset has a relatively large number of assets from clients in the manufacturing industry, but the findings per asset are reported to be much lower than the average across all industries. In fact, almost one tenth.

time to patch

Six other industries ranked higher than manufacturing in this indicator. The average age of all findings in this industry is 419 days, which is a worrying number and worse than recorded for the other eight industries in this dataset.

pen test results

We can see that the average CVSS per day is 4.81 and the average for clients in all other sectors in the dataset is 3.61, which is 33% higher.

Are extortionists targeting manufacturing more?

When classifying clients, we use the North American Industry Classification System (NAICS) classification system.

Looking at the number of double extortion victims by industry reveals some very interesting patterns. Of the 10 industries with the most victims recorded in the dataset, 7 are among the industries with the largest number of entities.

However, manufacturing is clearly a trend breaker.

Another factor begs the question. If a manufacturing company is willing to pay the ransom, it will be more attractive as a victim. However, we expect such companies to appear less frequently on the “Name and Shame” leak site, but not more.

Are your manufacturing clients experiencing more incidents?

Manufacturing again generated the largest number of incidents as a percentage of the entire CyberSOC dataset. 31% of all incidents are against 28% of clients in this sector.

Incident data, however, has no context. To establish a baseline for comparison, we assign customers a “coverage score” ranging from 0 to 5 in eight different “domains” of threat detection. The maximum total detection score is 40.

Use the coverage score to normalize the number of incidents. Simply put, the lower the client’s assessed coverage score, the more “increased” the number of incidents in this comparison by this adjustment. The logic is that a small amount of coverage means that many incidents will not be seen even though they are very likely to occur.

Even after adjusting for true-positive and false-positive incidents as above, the number of incidents per customer in the manufacturing industry is more than seven times higher than the average across all industries.

In a similar comparison, limited to perimeter security only and midsize companies only, manufacturing ranks first among seven comparable industries for the highest number of incidents per customer.

Conclusion

We focused on regular IT systems as we ruled out the high impact of OT security vulnerabilities. Our scanning team evaluated a large number of targets, but reported relatively few vulnerabilities per asset. Overall, in terms of vulnerability, manufacturing ranks him fifth or sixth weakest among all industries.

The question as to why the proportion of casualties from manufacturing is consistently recorded at such a high rate is not readily answered with the data we have. We believe it ultimately comes down to the level of vulnerability, which is best reflected in the elapsed time data for penetration testing and findings.

All our data points to the fact that attackers are mostly opportunistic. Instead of intentionally identifying industries, it just compromises vulnerable businesses.

Customers represented in our dataset have worked with us for vulnerability assessments or managed detections, and therefore represent relatively “mature” examples of their industry. We can speculate that the average company in this sector would be a worse benchmark in terms of vulnerability. Is the high number of victims observed on the attacker’s leak site a direct reflection of the sector’s overall high victim numbers, or is it a distortion of the industry that refused to grant the initial ransom demands? It is not entirely clear whether this is a reflection of

However, vulnerability is likely to be a major factor in determining which businesses are compromised and extorted.

This is an excerpt of the analysis. For more information on how different industries performed compared to others, as well as CyberSOC, pentesting, and VOC data (among many other interesting research topics), visit security navigatorIt’s free, so please take a look. Worth it!

Note: This article was written and contributed by Charl van der Walt, Head of Security Research at Orange Cyberdefense.