Until now, attacks on manufacturing IT systems tended to be hit or miss. Sometimes they succeeded, but mostly they did not. That won’t be the case for long. Many of these facilities are poorly equipped to fend off cyberattacks.
In March, the aluminum manufacturer Norsk Hydro was a target of a cyberattack. The hackers managed to insert malware known as LockerGoga into the corporate network of the global company. And then they activated the software.
Countless documents, presentations and Excel files on Norsk Hydro servers and workplace computers were encrypted, dealing a severe blow to company operations. A month later, on April 12, most of the company’s 35,000 employees reportedly still could not do their jobs. Almost a month after that, according to a company bulletin, its IT systems had only limited functionality in three of five company areas.
In many cases, Norsk Hydro processes were still not fully running according to plan and had to be reworked manually or implemented totally by hand. This is widely known in rich detail because the company responded to the attack with unusual openness. Top executives communicated with the public and made their process largely transparent.
The auto industry tends to be less communicative than Norsk Hydro. More than four years ago, Renault was the victim of a similar attack, in its case using the encryption Trojan horse WannaCry. All that became public was that the French automaker had to shut down one of its biggest assembly lines for at least a day so it could extract the cyber pest from its IT equipment.
Renault behaves the way practically every other manufacturer does: When cyber risks loom, the industry retreats into its shell and reacts with a kind of taciturn optimism. What you usually hear is “Our IT is secure.” Yet the idea that automakers, out of all the industries at risk, would be spared from cyberattacks is nothing more than a pious wish.
Malware developers continue to expand their illicit activities, Germany’s Federal Office for Security in Information Technology (BSI) said in its most recent report on the problem. The availability of easy-to-use malware generators on the dark net is playing a role. So is the opportunity for a criminal to put together a made-to-order attack package with a few clicks on a keyboard while visiting the dark side.
The attack is then automatically exported over leased botnets, creating a kind of “hacking as a service.” This greatly increases hacker productivity.
In 2016 and 2017, 70 percent of all companies in Germany were victims of cyberattacks. More current statistics are not available, but that figure is certainly more likely to have increased than declined. The number of available malware programs has definitely risen, even as they take aim at an increasingly broad array of IT resources (see graphic).
So far, there have rarely been direct attacks on the complex, highly networked, IT-controlled production facilities that are typical of the auto industry. Experts believe that even the production shutdown at Renault was more likely to be collateral damage caused by the usual blackmailers rather than the result of a carefully thought-out attack.
But the industry should avoid complacency. These facilities’ exposure to cyberattacks is expanding as the degree of digitalization increases. “The number of IP addresses in auto production is now rising rapidly,” said Jens Wiesner, the BSI division chief who specializes in manufacturing issues.
The number of IP addresses is growing due to increased networking, especially in production-related sensors and actuators. And wherever IP addresses multiply, shady characters can find more and more targets.
The cyberattacks don’t even need to aim directly at manufacturing facilities to shut down an assembly line, because digitalization and networking within the processes lead to reduced robustness. “Problems with business IT carry over into production more quickly today,” Wiesner said.
Consider the example of Norsk Hydro: The cyberattack resulted in a malfunction of the warehousing computer. According to a statistic from the company published for the Hannover Messe, nearly all of its industrial computers were attacked last year.
Kaspersky says the most important cause was a lack of “security hygiene” — the malware was installed by accident or through sheer negligence. Insiders talk about operating systems and application software in built-in control computers often having security gaps because they are outmoded and no longer updated, or manufacturers no longer offer security upgrades. That’s the flipside of the long operating lives of these IT systems.
While servers and computers are replaced every four to five years in offices, it is not unusual to find PCs in industrial facilities that were first turned on 15 years ago. And then there is the above-average fragmentation of the auto industry’s supply chain.
The BSI’s Wiesner confirms that auto manufacturers have become highly security-conscious. He points out that robotic production lines at all vehicle manufacturers have a uniform IT architecture that takes cybersecurity into consideration.
The risk is greater for suppliers, especially smaller ones. “They often lack the capacity and resources to perform the appropriate measures,” Wiesner said. To be sure, their customers, the car manufacturers, are already applying pressure to get them to secure their manufacturing landscape. But there is “an acute need for action” in this area, Wiesner said.