How Serious Are You About Cybersecurity?

This content originally appeared in our sister brand, Production Machining. For more insights and information about precision machining, visit productionmachining.com.

---

When machine shop owners and managers consider possible damaging scenarios that can befall their operations, incidents that come to mind might include a machine crash, broken tool, fire or perhaps natural disasters.

Add cyber attacks in the form of ransomware to that list.

Ransomware is a form of malware (malicious software) that can block access to a computer system commonly by encrypting data or programs to extort a ransom payment(s) from the hacked company in exchange for decrypting the information and restoring access to its systems or data. Once the ransomware payment is made, the company will be given a key to decrypt its files and restore access to systems or data.

The notion that U.S. manufacturers are today’s prime targets was reinforced multiple times at the recent Navigating Cybersecurity Summit hosted by Cincinnati, Ohio’s, TechSolve, a manufacturing and business consultant, and the Manufacturing Extension Partnership (MEP) for Southwest Ohio.

The event’s keynote speaker, David Kennedy, founder of Binary Defense and TrustedSec, noted that hackers began singling out manufacturers in late 2020, making them the targets of ransomware operations. Thus, manufacturing has experienced more ransomware attacks recently than the U.S. government, education, technology and health care sectors. This is because manufacturers tend to have weak cybersecurity protection, making them attractive low-hanging fruit for hackers.

Kennedy says it’s not a matter of if you will be targeted, but when.

Ransomware hacking operations have become sophisticated businesses which continue to develop new tactics, techniques and procedures as they attack the supply chain for maximum impact, he notes. These groups tend to be based in Russia, however, they are spreading across the globe. These “businesses” are now multimillion-dollar operations.

It’s not a matter of if you will be targeted, but when.

Kennedy says attacks are commonly a result of password reuse, common password patterns and engaging with phishing emails. He recommends creating complex passwords that are at least 15 characters long and considering password manager apps such as Lastpass so you don’t have to memorize those passwords. But, just as importantly, he strongly urges everyone to use multifunction authentication (MFA) which requires two forms of user evidence for the app. This provides another layer of protection on top of the typical username and password that hackers can often easily steal from victims.

Jonathan Theders says the average ransomware payment has ballooned over the past few years. Theders is CEO of the RiskSource Clark-Theders insurance agency in which 70% of its clients are manufacturers. He notes that in 2017, the average ransomware payment was $9,000. This increased to $25,000 in 2018, $300,000 in 2019 and $800,000 in 2020.

The threat is so significant that insurance agencies are currently pushing clients to adopt a much more sophisticated cybersecurity posture. In some cases, they won’t offer cyber insurance to companies that are not using MFA. Theders urges manufacturers not using MFA to make it a priority to have it in place before the insurance renewal process because it is essentially a prerequisite at this point.

Some agents won’t offer cyber insurance to companies that are not using MFA.

Insurance agencies have also become more proactive in educating clients and potential clients about cybersecurity basics. Theders reminds companies to mind the “321 backups” concept in which three copies of data are stored in two different media formats with one being stored off-site.

In addition, he explains that endpoint detection and response (EDR) can help companies get a better insurance rate. EDR is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. A computer workstation in a network is an example of an endpoint. Insurance agencies will still offer coverage to companies that don’t have EDR in place, but this can make a company less attractive to insure.

Why is this? Theders says it’s due in part to a drastic increase in insurance quotes underwriters are receiving. One underwriter noted that one year ago it received quote requests from 1,300 companies. This has recently ballooned to an unreachable 13,000 quote requests. So, like any business that has such an increase in volume, they are becoming more selective in the types of companies they will quote. Not only might these be those that offer the highest margins and are good companies with which to work in general, but perhaps those that have MFA and EDR in place. Moving forward, underwriters will not surprisingly focus quoting efforts on best-in-class companies in that regard.

Should You Simply Pay?

While the promise of getting your business back up and running by quickly paying your ransomware hacker might be enticing, cyber experts say don’t do it. In fact, such payments might fund terrorism organizations and, thus, could become illegal.

In September 2021, The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory to highlight the sanction risks associated with ransomware payments. The advisory states “ransomware payments made to sanctioned persons or to comprehensively sanctioned jurisdictions could be used to fund activities adverse to the national security and foreign policy objectives of the United States. Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks.” As a result, “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.”

Steps to Take After an Incident

If your company is the unfortunate victim of a cyber security incident, what should be your first steps? Shawn Waldman, former law enforcement officer and current CEO of Secure Cyber Defense who spoke at the TechSolve event, suggests the following:

1. Call your insurance company. It’s imperative that you notify your carrier as soon as possible to avoid possible exclusion issues.

2. Activate your IRP. Start your incident response plan and begin implementing the actions for which you’ve prepared and practiced.

3. Call an incident response company. You should have a prearranged relationship with an incident response and forensics firm if cybersecurity insurance wasn’t available.

4. Notify federal law enforcement. Ransomware and breaches are a federal crime and you’ve just become a crime victim. Rather than contacting local law enforcement, which can’t help, contact the FBI, U.S. Secret Service and the Cybersecurity and Infrastructure Security Agency (CISA).

5. Disconnect from the internet. Unplug the network cable, but don’t turn off the firewall as this serves to protect evidence.

6. Don’t turn off devices. Evidence preservation is extremely important and will help in answering the who, what, when, where and why questions later. Unplug network cables, but don’t power off devices until a trained cyber evidence expert approves it.

7. Start documenting. Have someone document everything that is happening and by whom. Document all calls and actions. Also, note the date and time, and who took the actions or was involved.

8. Find “Patient Zero.” One of the most important actions to take is to find the offending device that started the outbreak. Failure to find this device could result in reinfections at a later time.

9. Don’t talk to the hacker. Neither engage with the hacker nor get on the dark web for any reason. Let professionals handle the communication and negotiations.

Embrace Cybersecurity

The Navigating Cybersecurity Summit covered many more topics than I can address in this article. Regardless, my two primary takeaways from the event are that manufacturers must take cybersecurity seriously right now. Similar to lean manufacturing, cybersecurity must become part of a company’s culture to function as it should. In addition, preparedness is of utmost importance. It only takes one vulnerable access point to enable a hacker to weave its way through your systems causing severe business interruption and lost profits.