Everyday operations in a modern mining setup consists of drilling, controlled detonation, excavation, loading, haulage, crushing and mineral processing whilst manufacturing in South Africa is dominated by industries such as textiles, agro-processing, automotive, chemicals, information and communication technology, electronics, metals, clothing and footwear.
EDITORIAL SUPPLIED BY PwC
Today, the uptake of smart systems that use advanced technologies such as machine learning and the Internet of Things (IoT) have added an additional level of complexity.
Termed ‘Smart Manufacturing/Smart Mining’, South African based industry leaders recognise that the terms encompass everything from Artificial Intelligence (AI) to robotics and cybersecurity. A multination PwC survey on 4IR adoption found that:
“87% of business leaders of industrial products companies agreed that 4IR technologies give companies a competitive advantage, and 79% agreed it creates new revenue streams.”
Though there are obvious benefits in the convergence of these advanced systems and the Operational Technology (OT) that makes up the backbone of the sectors, it is also important to highlight that the reliance on such inter-connected and internet-dependent systems is not without its own risks.
READ MORE ARTICLES ABOUT TECHNOLOGY
A 2019 survey by Fortinet found that 74% of OT-reliant businesses had experienced significant IT security breaches in the preceding 12 months.
These incidents had a host of adverse impacts on each organisation. These include, but are not limited to, loss in revenue, compromise of business-critical data, and damage to brand reputation.
The technologies most targeted by attackers within the sectors are Industrial Control Systems (ICS). ICS are embedded computer devices that are responsible for a myriad of automated process controls in industries (e.g., measuring instruments, packaging machinery and all other components of an assembly line that make parts of any production process).
ICS devices are generally lesser known than enterprise information technology (IT) devices such as laptops, desktops and smartphones as they are typically unique to industries and utilised for specialised systems or operations.
The mining sector has been quick to adopt autonomous vehicles, remotely controlled excavators, Wi-Fi based site location tracking and smart adaptive ventilation systems whilst the manufacturing sector uses smart technologies for optimisation, quality checks and widespread systems controls.
Cyber risks to these devices generally remain unknown and therefore unaddressed by organisations.
The COVID-19 pandemic served to exacerbate the problem; in the first six months of 2020 the manufacturing industry had seen a dramatic increase in intrusion activity with at least an 11% increase in network attacks compared to the same period in 2019.
In FY20 alone an estimated 70 cybersecurity incidents targeted the Australian mining and resources sector. This escalation was not only in terms of sophistication but also in terms of the types of threat actors entering the space of attacking the sectors. In the rest of this document, we will examine and highlight the different threats to ICS technologies and the profiles of the actors perpetrating these attacks.
We will also highlight notable incidents to help demonstrate the complexity and subsequent impact of ICS attacks.
Depending on the motivation there are a range of different tactics, techniques and procedures (TTPs) used by each attacker. This not only determines the impact of each attack but also the means by which organisations get targeted and subsequently compromised. Generally, we note that insiders can be part of any threat group.
Organisations who are mindful that a security breach in the sectors can take several different forms and originate from several different places are in a better position to imagine ways of implementing the correct defences. To begin with, we highlight notable breaches within the sector that PwC has responded to.
PwC response to manufacturing and mining industry attacks
In February 2019, PwC South Africa responded to a ransomware attack where the operations of a major food manufacturing business were affected by a previously unknown strain of malware.
This is commonly referred to as a ‘zero-day exploit’ by security practitioners. The ransomware affected some of the foreign operations of the organisation and then promulgated across the network affecting at least three countries.
This resulted in key corporate and financial systems being offline for over a week until the network had been rebuilt and cleaned of the malware. However, in the initial stages of the attack, PwC was able to separate the OT networks and corporate networks — which allowed manufacturing operations to continue.
The attack could have had a far more devastating effect on the organisation had this not been done. At the tail end of 2019, a joint response was launched by PwC’s German, Belgian, UK, Canada and US incident response teams. A manufacturer in the aerospace sector had experienced an incident that disrupted operations across regions. In this instance, IT systems which were within the OT/ICS networks were freely allowed to access the internet and email. Further to this, in order to accommodate the needs of different partners, the organisation had provided data to them using outdated communications protocols that were retrofitted to use TCP/IP networks.
Effectively, IT, OT, ICS and ERP systems were compromised and brought down by attackers.
PwC South Africa responded to attacks on two major mining companies in 2019. In both cases, the attacker had exploited weak security measures on both the organisations’ networks following a migration of their email systems to cloud-based mailing platforms. Once on the network, the attacker was able to alter legitimate invoices and impersonate individuals involved in the settlement of payments in an attempt to get funds transferred from the business to an account they controlled. PwC was able to determine the list of compromised accounts and assist both businesses in implementing stronger security on their newly implemented cloud-hosted platforms.
Other notable attacks in the sector
In July 2018 Level One Robotics and Controls Inc, a vendor specialising in automation solutions for several companies, suffered an attack where sensitive data of over 100 companies in the manufacturing industry was stolen from its servers. Notable from this incident is how a single supply chain breach resulted in the loss of critical business data and intellectual property of over 100 companies, the consequences of which cannot be easily quantified.
In 2019, the MIT Technology Review published an alert on a new piece of malware called Triton. This malware was designed to disable safety systems which are built to prevent catastrophic industrial accidents.
Initially discovered in an attack launched on a Saudi Arabian based power station, the malware has since been adopted and altered by other hackers to launch attacks all over the world.
The Industry Destroyer Attack
Industroyer is a modularised piece of malware that is designed to disrupt various types of critical ICS infrastructure and processes. In 2016 it was used to launch an attack against the Ukrainian power grid that cut energy supplies to much of the city of Kiev. This was an important reminder that while the target may be businesses in the sector, the consequences can potentially affect entire populations.
The attacks mentioned above are not isolated; 2020 has also seen its fair share of attacks.
Some matters include the following:
- Tower Semiconductor, a semiconductor chip manufacturer from Israel, suffered a cyberattack that halted some of its manufacturing operations.
- In December 2020, Rio Tinto was named as one of the organisations affected by the widespread SolarWinds supply chain attack. As a result, the hackers had access to privileged accounts and widespread monitoring of all affected organisations.
- In June 2020, the Australian beverage maker, Lion, also suffered a cyberattack which affected its internal systems and disrupted its manufacturing process.
- In North America, the Tesla factory in Nevada was targeted in a serious cybersecurity attack, where a Russian hacker attempted to recruit an employee to introduce malware onto their systems. The employee disclosed this to the company and, with help of law enforcement, was able to thwart the attack. It is important to note that local regulator stipulations and disclosure laws play a major role in the number of incidents that are reported and, as a by-product, known to the public. Laws tailored to cater for these areas are maturing.
Motivation and attack vectors
Espionage has been growing as one of the driving forces behind cyberattacks in the manufacturing industry. Cybercriminals gain access to the networks of businesses in the sectors with the aim of stealing trade secrets and intellectual property. However, our research revealed that although in 2020 there was a notable uptick of espionage-motivated incidents as compared to the same period last year, the majority of the attacks have predominantly been financially motivated (63-95%).
The sophistication of attacks varies widely depending mostly on existing security controls. Attackers elect to exploit common and publicly accessible technologies then propagate across the network once an initial foothold has been gained.
We have also drawn on our experience conducting cybersecurity assessments and penetration tests from across our global network to identify the ten most common security vulnerabilities in OT/ICS networks. Generally, the most common attacks noted by PwC’s incident response teams over 2019 and 2020 were:
- Infiltration of insecure email platforms following cloud adoption.
- Insecure remote access platforms (VPN, remote login etc).
Once attackers have a foothold in an organisation, the tools and tactics used by them are usually designed to monetise their attacks by the simplest means possible. Currently, the most common tool in the hacker’s arsenal is ransomware. Ransomware is a type of malicious software (malware) that holds your systems or data to ransom.
The current trend is for attackers to encrypt data and to displays messages demanding a ransom be paid to the attacker before they can allow access to the data.
At a global level, PwC tracked ransomware attacks across various industries for 2020. The graph above represents the proportion of data advertised on ‘leak’ sites due to ransomware attacks.
Of these, 17% affected the manufacturing sector but no data appears to have been advertised from the mining sector. Based on our experience, the nature of attacks in the mining sector have largely been focused on electronic payment fraud, industrial espionage and sabotage. Given the nature of ransomware attacks, organisations in the mining sector should not ignore the threat posed by these attacks.
Data available for the African continent is limited, however we believe this to be a representation of how susceptible African organisations in the sectors are to these types of attacks. The Verizon 2020 Data Breach Investigations Report notes that attacks on the sectors made up 11% of the cases they investigated globally in 2019, whilst Kivu noted that 18% of the cases, they investigated globally were in the manufacturing sector. Kivu further notes that despite this rather modest percentage, businesses in the manufacturing industry represented 62% of the ransoms that were paid in 2019 with over $6.9M paid to attackers.
There are several different types of ransomware, each controlled by different hacker groups and built to propagate across networks and exploit targets in various ways. Some of the variants commonly known to have affected businesses in the sectors in 2020 include, but are not limited to:
- Conti, a ransomware variant that targeted the Volkswagen Group.
- Maze, a threat group that claims to have extracted data from and encrypted the systems of the semiconductor manufacturer SK Hynix, electronics giant LG and steel sheet manufacturer Hoa Sen Group.
- RansomEXX, the variant that affected the technology manufacturer Konica Minolta.
- DopplePaymer, the ransomware group that targeted Amphastar Pharmaceuticals, a manufacturer of specialist inhalation products.
A common misconception is that cyberattacks are exclusively an IT problem. However, the reality is that the problem is becoming more pronounced as technology is being embedded in operational processes. Apart from the loss of data and intellectual property, the risk to the core business operations becomes heightened and could lead to severe disruption through cyberattacks. In addition, safety, health, environment and quality (SHEQ) systems could also be impacted as there is a growing dependence on smart devices to support these processes and functions.
In all, the combination of emerging technologies, immature understanding of the risks these present to organisations, high dependence for operations and, in many organisations among the sectors, insufficient spending on cybersecurity, present a fertile ground for threat actors to launch attacks.
Another key area which is often overlooked by clients we have dealt with is incident response processes and the ability to deal with a large-scale cyberattack. PwC has dealt with at least three large clients who had to completely disconnect from the Internet for extended periods while crisis and remediation efforts were underway.
In one instance, a significant portion of the client’s server estate was damaged during a cyberattack. The recovery efforts had to be carried out over two months with systems being gradually phased into operation over this time.
Organisations in the manufacturing and mining sectors face a myriad of different cyber threats.
Recent experiences with clients in these sectors lead us to believe that organisations in this space have not been paying enough attention to these threats. They are also not prioritising the implementation of the appropriate mitigation strategies, whilst threat actors are starting to take an interest in organisations operating in this space.
Due to the increasing level of technology adoption, the consequences of attacks on organisations in the sectors can be widespread and potentially devastating. It is therefore important for businesses to understand key risk areas, attack vectors and vulnerabilities to ensure that they employ the correct controls to improve security and protect their assets.