Threat actors increasingly target industrial processes because of the costly and sometimes dangerous disruptions they can cause in OT environments. Persistent manufacturing security vulnerabilities make adversaries’ jobs easier, both providing entry points into these environments and enabling dangerous lateral movement once inside. Here’s a look at some of the main manufacturing security vulnerabilities threat groups have been targeting lately.
Hacking the systems that manage, monitor and control industrial processes plays a big part in attacks that aim to cause maximum damage in manufacturing environments (as opposed to attacks that focus on landing the biggest payday). Often, these systems, such as Programmable Logic Controllers (PLCs) and Programmable Automation Controllers (PACs), run on hardware and software designed with reliability and uptime in mind rather than security. Because of this, vulnerabilities often get uncovered by researchers and threat groups alike when they probe manufacturing environments for weak points.
To take a recent real-world example, researchers at Claroty’s Team82 found a security bypass vulnerability in Rockwell Automation ControlLogix 1756 devices. These PACs are widely used in industrial automation and control systems to control and monitor complex industrial processes and machinery. The vulnerability could let an attacker who already had a foothold on the internal network move laterally and send elevated commands to the CPU of the PLC. While exploitation did require that prior network access, the flaw was serious enough that CISA published a dedicated advisory with mitigation guidance.
An increasingly common type of manufacturing security vulnerability stems from the growing convergence between enterprise IT and OT environments. This vulnerability relates to weak segmentation between IT and OT systems, which allows hackers to pivot attacks that originate on the IT side to infiltrate those systems that control manufacturing processes.
Attackers may exploit shared services, such as directory services or file-sharing platforms, that connect both IT and OT environments. One possible example is when you use a single Active Directory (AD) for identity management across IT and OT environments. A lack of segmentation in identity management could mean that a compromised IT user account provides access to OT systems. The same credentials might be used across both IT and OT networks, given how prevalent credential re-use is.
Another potential weak point is that many OT systems need remote access for maintenance or monitoring purposes. If you don’t effectively segment IT and OT networks, remote access tools like RDP or VPN connections can serve as gateways to jump between the two. Attackers might first gain access to remote access tools on the IT side (often through stolen credentials or by exploiting vulnerabilities) and then connect directly to OT systems. This concern was part of the reason Colonial Pipeline proactively shut down its pipeline operations in 2021 after attackers got in through a legacy VPN account on the IT side that was not protected by multi-factor authentication.
Similarly, firewalls or routers that separate IT and OT networks might have misconfigured rules that allow unnecessary traffic between the two environments. For example, if a firewall permits unrestricted or poorly controlled traffic between IT and OT, hackers can use this as a pathway to access OT systems. They might exploit open ports, such as those used for file sharing (e.g., SMB) or remote management (e.g., SSH), to move laterally into your OT network.
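As an added example (not code from the original article or from Nuspire), the following Python script audits a constructed IT/OT boundary ruleset for exactly the misconfigurations described above: IT-to-OT allow rules that open every port, or that expose file-sharing and remote-management ports (SMB, MS-RPC, RDP, SSH, WinRM) to sources other than an approved jump host. The `Rule` shape, the zone names, the CIDRs and the sample ruleset are assumptions made for illustration; a real audit would first parse the firewall vendor’s rule export into that shape.

```python
"""Audit an IT/OT boundary firewall ruleset for lateral-movement pathways.

Added example, not code from the original article. The Rule shape, zone
names, CIDRs and the sample ruleset are constructed for illustration; a real
audit would first parse the firewall vendor's rule export into this shape.
Rule ordering/shadowing is deliberately not modelled: the goal is to list
every allow rule that should not exist at an IT/OT boundary.
"""
from dataclasses import dataclass

# Ports commonly used to pivot from IT into OT (file sharing and remote management).
LATERAL_MOVEMENT_PORTS = {
    445: "SMB",
    139: "NetBIOS/SMB",
    135: "MS-RPC",
    3389: "RDP",
    22: "SSH",
    5985: "WinRM",
    5986: "WinRM/TLS",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    src: str       # CIDR or "any"
    dst_zone: str
    dst: str       # CIDR or "any"
    proto: str     # "tcp", "udp" or "any"
    dport: str     # port number as a string, or "any"
    action: str    # "allow" or "deny"


def audit_rules(rules, it_zone="IT", ot_zone="OT", jump_hosts=frozenset()):
    """Return (rule name, severity, finding) for IT->OT allow rules that open a pivot path.

    jump_hosts is the allowlist of IT-side sources (CIDRs) approved for remote
    management into OT, e.g. a hardened jump server behind MFA.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or r.src_zone != it_zone or r.dst_zone != ot_zone:
            continue  # only IT -> OT allow rules can create a pivot path
        if r.dport == "any":
            findings.append((r.name, "critical",
                             "permits every port from IT into OT; replace with per-service rules"))
            continue
        service = LATERAL_MOVEMENT_PORTS.get(int(r.dport))
        if service is None:
            continue  # not a file-sharing/remote-management port; out of scope here
        if r.src == "any":
            findings.append((r.name, "high",
                             f"{service} ({r.proto}/{r.dport}) reachable from any IT host; restrict source to jump hosts"))
        elif r.src not in jump_hosts:
            findings.append((r.name, "high",
                             f"{service} ({r.proto}/{r.dport}) allowed from {r.src}, which is not an approved jump host"))
        elif r.dst == "any":
            findings.append((r.name, "medium",
                             f"jump host {r.src} may reach the entire OT zone over {service}; pin the destination"))
    return findings


# Constructed sample ruleset (not from any real firewall).
SAMPLE_RULES = [
    Rule("allow-all-it-to-ot", "IT", "any", "OT", "any", "any", "any", "allow"),
    Rule("it-smb-to-ot", "IT", "any", "OT", "10.20.0.0/16", "tcp", "445", "allow"),
    Rule("contractor-ssh", "IT", "10.10.7.7/32", "OT", "10.20.1.5/32", "tcp", "22", "allow"),
    Rule("eng-rdp-jump-wide", "IT", "10.10.5.10/32", "OT", "any", "tcp", "3389", "allow"),
    Rule("eng-rdp-jump-pinned", "IT", "10.10.5.10/32", "OT", "10.20.1.50/32", "tcp", "3389", "allow"),
    Rule("historian-sql", "IT", "10.10.8.20/32", "OT", "10.20.1.100/32", "tcp", "1433", "allow"),
    Rule("deny-ot-to-it", "OT", "any", "IT", "any", "any", "any", "deny"),
    Rule("deny-all-it-to-ot", "IT", "any", "OT", "any", "any", "any", "deny"),
]
JUMP_HOSTS = frozenset({"10.10.5.10/32"})  # assumed approved engineering jump host


def audit_sample():
    return audit_rules(SAMPLE_RULES, jump_hosts=JUMP_HOSTS)


if __name__ == "__main__":
    for name, severity, finding in audit_sample():
        print(f"[{severity.upper():8}] {name}: {finding}")
```

Of the six IT-to-OT allow rules in the sample, only the pinned jump-host RDP rule and the historian database pull pass; the rest are the kinds of rules a pentester looks for first when trying to pivot into the plant network.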
It’s important to remember that the human factor is still one of the main categories of security vulnerabilities. In the context of manufacturing environments, weaknesses in this human element manifest as susceptibility to targeted social engineering attacks. The fact that these attacks are targeted makes them harder to spot, but adequate training can make a huge difference in boosting employee vigilance.
Savvy cybercriminals can use spear-phishing emails to target employees who have dual access to both IT and OT networks, such as engineers or IT-OT integrators. Reconnaissance on sites like LinkedIn can unearth a lot of useful information about these targets, which helps attackers refine their social engineering and make fake messages more credible.
Back in 2021, the Aggah threat group specifically targeted manufacturing companies and OT environments in Taiwan and South Korea with the dangerous WarZone remote access trojan (RAT). Other campaigns attempting to hit manufacturers with the WarZone RAT used spoofed email addresses of other industrial entities to send fake purchase orders.
A lack of visibility into OT and ICS systems makes it very difficult to detect, respond to and mitigate cyber threats that target manufacturers. Visibility means being able to monitor, understand and manage the network traffic, device activities and data flows within an ICS/OT environment. This includes things like:
A lack of visibility allows threats to go undetected for longer, which increases the potential for more severe harm. Advanced persistent threats (APTs) excel at quietly gathering information and manipulating industrial processes, and they’re much less likely to be detected without full OT visibility. Use dedicated tools designed to provide deep visibility into ICS/OT networks, ideally passive monitoring that decodes the industrial protocols themselves rather than just counting IP flows.
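To make the visibility point concrete, here is an added example (not code from the original article or from Nuspire) of the kind of logic a passive OT monitoring sensor applies: learn which Modbus/TCP conversations are normal from a clean capture, then flag write commands from hosts that are not approved to change process state, sources never seen before, and known hosts talking to new peers or using new function codes. The `Flow` records, IP addresses and host roles are constructed for illustration; the Modbus function codes are the standard ones (3 = read holding registers, 5/6 = write single coil/register, 15/16 = write multiple coils/registers).

```python
"""Passive OT visibility: baseline Modbus/TCP conversations, then flag deviations.

Added example, not code from the original article. The Flow records imitate
what a passive sensor on a switch SPAN port might export and are constructed
here; IPs and host roles are made up. Modbus function codes are the standard
ones: 3 = read holding registers, 5/6 = write single coil/register,
15/16 = write multiple coils/registers.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport func_code")

MODBUS_TCP_PORT = 502
MODBUS_WRITE_CODES = frozenset({5, 6, 15, 16})


def build_baseline(flows):
    """Learn the set of normal (src, dst, func_code) triples from a clean capture."""
    return {(f.src, f.dst, f.func_code) for f in flows if f.dport == MODBUS_TCP_PORT}


def detect(flows, baseline, engineering_hosts):
    """Return one (ts, category, detail) alert per anomalous Modbus/TCP flow.

    Categories, most severe first:
      unauthorized-write : a write function code from a host not approved to change process state
      new-talker         : a source never seen in the baseline
      new-conversation   : a known host using a new peer or function code
    engineering_hosts is the allowlist of hosts permitted to write. It is host-level
    here for brevity; real deployments scope it per PLC and often per register range.
    """
    known_hosts = {s for s, _, _ in baseline} | {d for _, d, _ in baseline}
    alerts = []
    for f in flows:
        if f.dport != MODBUS_TCP_PORT:
            continue  # other industrial protocols need their own decoder
        if f.func_code in MODBUS_WRITE_CODES and f.src not in engineering_hosts:
            alerts.append((f.ts, "unauthorized-write",
                           f"{f.src} sent Modbus write fc={f.func_code} to {f.dst}"))
        elif f.src not in known_hosts:
            alerts.append((f.ts, "new-talker",
                           f"{f.src} never seen in baseline, talking Modbus to {f.dst}"))
        elif (f.src, f.dst, f.func_code) not in baseline:
            alerts.append((f.ts, "new-conversation",
                           f"{f.src} -> {f.dst} fc={f.func_code} not in baseline"))
    return alerts


# Constructed "clean" learning capture: the HMI polls two PLCs, the engineering
# workstation writes to PLC-A.
BASELINE_FLOWS = [
    Flow("2024-01-10T08:00:00", "10.20.1.10", "10.20.1.50", 502, 3),   # HMI reads PLC-A
    Flow("2024-01-10T08:00:01", "10.20.1.10", "10.20.1.51", 502, 3),   # HMI reads PLC-B
    Flow("2024-01-10T09:30:00", "10.20.1.20", "10.20.1.50", 502, 16),  # eng workstation writes PLC-A
]
ENGINEERING_HOSTS = frozenset({"10.20.1.20"})

# Constructed capture under review.
REVIEW_FLOWS = [
    Flow("2024-01-11T08:00:00", "10.20.1.10", "10.20.1.50", 502, 3),    # normal poll
    Flow("2024-01-11T08:00:05", "10.20.1.10", "10.20.1.50", 502, 6),    # HMI writes a register
    Flow("2024-01-11T08:10:00", "10.20.1.20", "10.20.1.51", 502, 16),   # eng host writes PLC-B (new peer)
    Flow("2024-01-11T08:20:00", "10.10.7.7", "10.20.1.50", 502, 3),     # IT-side host reading a PLC
    Flow("2024-01-11T08:20:02", "10.10.7.7", "10.20.1.50", 502, 16),    # ... then writing to it
    Flow("2024-01-11T08:30:00", "10.20.1.10", "10.20.1.51", 44818, 0),  # EtherNet/IP; not decoded here
]


def review_sample():
    return detect(REVIEW_FLOWS, build_baseline(BASELINE_FLOWS), ENGINEERING_HOSTS)


if __name__ == "__main__":
    for ts, category, detail in review_sample():
        print(f"{ts} {category:18} {detail}")
```

The IT-side host at 10.10.7.7 is the interesting case: a flow-level view would only show a new IP talking on tcp/502, while decoding the function code separates a harmless read from a write that changes the process. The allowlist is also where the operational caveat lives: many HMIs legitimately write setpoints, so in production the approved-writer list has to be built with the plant engineers, not guessed from a single capture.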
Managed detection and response (MDR) services can also prove instrumental in overcoming the visibility gaps that allow hackers to lurk undetected for longer. MDR gives you around-the-clock monitoring of your OT network environment, specialized threat intelligence tailored to ICS/OT environments, contextual alert analysis and rapid response capabilities. Nuspire’s managed security services help manufacturers find and remediate exploitable device and network vulnerabilities. We can provide thorough cybersecurity assessments and then go beyond that to help manufacturers gain visibility across OT infrastructure and monitor network activity with MDR services.