Smart Machines & Factories
Cyber-attacks on smart factories are on the rise
Published: 23 May, 2019

A series of major cyber-attacks on manufacturing enterprises has highlighted the extreme and growing risks that such attacks pose. Contributing editor Tony Sacks has been reading a new report that looks at how the interconnected nature of smart factories makes them particularly vulnerable – especially because many manufacturers still rely on outdated versions of Windows, which are no longer receiving security updates.

In March of this year, the global operations of the Norwegian aluminium and energy producer, Norsk Hydro, were hit by a ransomware cyber-attack that paralysed parts of the company’s business and led to losses amounting to more than $40m. Although most of its systems were operating again within a week, some were still not back to full capacity a month after the attack. Rather than paying the hackers to unlock its files, Norsk Hydro restored them from backup files.

Also in March, one of America’s largest beverage manufacturers, Arizona Beverages, was the victim of a ransomware attack that knocked out more than 200 of its servers and networked computers. Unlike Norsk Hydro, its backup systems hadn’t been configured correctly, so the company had to bring in expensive consultants to retrieve the data and restore its operations – a task that cost “hundreds of thousands” of dollars and took several weeks to complete.

Then, last month, Aebi Schmidt, a Swiss manufacturer of airport maintenance and road-cleaning vehicles, was reportedly targeted by a similar ransomware attack affecting its operations worldwide.

These cases represent the tip of the iceberg. Many victims of cyber-attacks never go public about the intrusions into their electronic systems.

According to a recent report from the cyber-analyst Malwarebytes, cyber-threats against businesses have increased by more than 200% over the past year (while attacks on consumers fell by 40%). Ransomware attacks in the first quarter of 2019 were 195% higher than in the last three months of 2018.

Manufacturers are particularly vulnerable to cyber-attacks. In a new report, the cyber-security analyst Trend Micro warns that the closer links between IT and shopfloor networks that are essential to Industry 4.0 are posing increased risks to production processes and to intellectual property.

The risks are exacerbated by the fact that many manufacturers are still running old versions of Microsoft’s Windows operating system, making them more vulnerable to cyber-attacks. In particular, Trend’s report, Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0, reveals that 4.4% of Windows users in manufacturing are still relying on Windows XP, an OS that Microsoft stopped supporting in 2014.

Although this figure may seem small, it is much higher than in other industries (which average 2.5%) and leaves users vulnerable to attacks from malware for which Microsoft is no longer providing security updates. Trend reports that it has detected old network-based worms such as Downad (also known as Conficker) in large numbers in manufacturing environments.

Workers at Arizona Beverages have reported that many of the company’s servers were running outdated versions of Windows and that most hadn’t received security updates in years.

Even manufacturers that are running more recent versions of Windows may not be applying security patches effectively because they want their systems to operate with minimal interruptions, and some regard updates as interfering with the smooth operation of their businesses.

The report highlights what it sees as a “unique” triple threat facing manufacturing, including the risks associated with IT, OT (operational technology) and IP (intellectual property). Manufacturers are investing heavily in converging traditional OT systems with IT networks. Some are connecting previously isolated OT networks to their IT networks to drive efficiencies, but this exposes insecure proprietary protocols and potentially decades-old OT equipment that is often not patched frequently enough.

Trend says that there is a “harsh disparity” between the significant operations performed by these systems and the fact that some operate for years with known vulnerabilities.

“Industry 4.0 offers unparalleled opportunities to increase productivity, enhance process efficiencies, and realise on-demand manufacturing, but it also dramatically alters the threat risk model for these facilities,” says Steve Quane, Trend’s executive vice-president for network defence and hybrid cloud security. “As this research outlines, the convergence of IT and OT could unwittingly have a serious impact on production lines, and could lead to the loss of IP and competitive advantage.”

Turning to the types of ICS (industrial control system) equipment that could be targeted by cyber-attacks, Trend reports that HMIs are potentially the most vulnerable, accounting for 60.6% of the 132 ICS/Scada exploits listed on the ExploitDB database of publicly available exploits. This puts HMIs far ahead of PLCs on 9.8%, IP cameras on 6.8% and gateways on 6.1%.

The cyber-researchers point out that many items of ICS equipment, such as PLCs and HMIs, are designed for isolated environments, and therefore may not have adequate cyber-security measures in place. As a result of the increasing connections between OT and IT networks, the ICSs could thus be exposed to the Internet.

According to Trend, the most common security problems affecting HMIs involve memory corruption (stack- and heap-based buffer overflows and out-of-bounds read/write vulnerabilities), poor credential management (use of hard-coded passwords, storing passwords in recoverable format, and insufficiently protected credentials), and a lack of authentication and unsecure defaults (clear text transmission, missing encryption, and unsafe ActiveX controls).

Of 343 ICS and Scada vulnerabilities that have been reported to the US Government’s ICS-Cert (ICS Computer Emergency Response Team) service, Trend found that 12.2% affected Siemens equipment, followed by Rockwell Automation (on 10.5%) and Schneider Electric (9.9%). But it points out that this distribution is “not surprising since these vendors have a wide range of products and the highest market shares in this industry”.

Trend reports that new vulnerabilities are being discovered more frequently than ever before in industrial control systems. For example, zero-day vulnerabilities in HMIs increased by more than 200% in 2018 compared to 2017.

One factor that makes the manufacturing industry potentially attractive for attackers is IP. They could be motivated to steal intelligence on processes, products, or technologies, which may include blueprints of confidential designs, secret formulas or assembly processes. CAD (computer-aided design) or document files, for instance, contain proprietary information, and these can be obtained illicitly and used to produce counterfeit goods, or even infected or trojanised to enable attackers to gain access to critical systems.

Manufacturers, Trend adds, are also being exposed to commodity malware, including cryptocurrency mining attacks that could harm key production processes by consuming processing power and causing network latency. And, as the recent incidents demonstrate, ransomware is also a major threat to manufacturers if the attack affects production.

To help mitigate the impact of Industry 4.0 threats, Trend Micro recommends that manufacturers restrict user access to their networks and machinery, disable directory listings, and identify and prioritise key assets to protect.

You can download Trend Micro’s report from