Phishing Attacks in the Machinery Industry
Why Phish the Machinery Industry?
Larger businesses can sometimes shrug off phishing attempts, announcing to the public that they experienced a problem, but that it was solved and no data was lost or stolen. But what do you do when your machinery gets hacked? Do you pay off the criminals demanding money to save your expensive equipment? What if they don’t demand money and simply decide to drive it through town? Their objective of disruption and terror is easily accomplished with a machine as tall as six humans.
This mining shovel is “fly-by-wire”, meaning that you don’t operate clutches or pull on mechanical cables. It is operated by one person (and a trainee, if desired) using a joystick and foot pedals that pass instructions in a familiar way through to an operating system.
How much destruction could be caused if someone took remote control of it? Granted, it only moves at a couple of miles per hour, but that leaves plenty of time to knock down a building, drive through a parking lot crushing cars, or drive off an embankment and tip it over.
Even easier, how badly would it hurt an operation if its operating system was corrupted so it couldn’t function? That would be a huge pile of scrap metal.
It’s worth millions in lost production and replacement costs. If it is unprotected, it would be a tempting target for encryption programs like the WannaCry extortion software. As soon as it connected to the central computer, it could be compromised.
This bucket miner is not an escapee from a TRANSFORMERS® movie, but rather a device that can process thousands of tons per hour of material as it trundles along. How would you feel if it was advancing in your town? It could dig up more than 50 feet beneath the surface, destroying water pipes, electricity, natural gas distribution lines, and sewage, let alone just roll right over your house without even slowing down.
Scale is irrelevant
Ultimately, it doesn’t matter if it is a soda-pop bottling line or a missile launcher on a naval vessel. The more computerized we get, the more entry points there are for remote hackers.
Strange as it may sound, corrupting machinery could be a strategy employed by a foreign power if they thought we were about to take military action against them. The level of confusion and disruption would operate in their favor.
How Are Machinery Companies Phished?
Machinery is not immune. WannaCry took the world by storm. Such ransomware attacks happen to everyone, irrespective of industry. The Distributed Denial-of-Service (DDoS) attack near the end of 2016 affected every sort of company. These criminals are indiscriminate. Although there are several vectors aside from regular e-mail (spear phishing through SMS, the telephone, and even snail mail), e-mail is still the most common route for an assault.
Once all the personalized fields are filled in, would you be able to tell this HR notification email was a phishing trap? If not, PhishSim could help you and your team avoid catastrophe.
By and large, they are looking for victims with money. That often includes hospitals, because hospitals have had such notoriously weak security for such a long time. Now that they are improving and making themselves harder targets, the exploiters are looking for softer, easier targets.
The danger to most is that they sit around innocently believing that no one would ever attack them. Consider the German steel mill that was hacked in 2014. The hackers raised the temperature of the blast furnace until it was utterly destroyed.
Canadian mining companies have set up a Mining and Metals Information Sharing and Analysis Centre (MM-ISAC) in response to a cyberattack on one company. Stealing information is one thing, but hacking into control systems could be deadly. If you’re half a mile underground and some machinery starts misbehaving, there are likely enough people around that can shut it down if the behavior is radical enough to be noticed. Turning off the air recirculation or shutting off water pumps? That might take time to notice…
What do you do, however, when you have dozens of large trucks driving at 30 miles per hour in tunnels, using computer guidance to keep them separated, and someone turns off the integrating Wi-Fi? Yes, there are still drivers there, but it might catch someone by surprise, cause an accident, and even an underground fire. This has to be taken seriously.
Many cyber threats are lurking on the Internet. WannaCry was perceived as the most significant threat in recent memory, and it was only stopped accidentally by a security researcher, known as MalwareTech (Marcus Hutchins), then only 22 years old, who stumbled upon the deactivation key. Hutchins, albeit inadvertently, “Saved the Internet” and was celebrated as an “accidental hero.”
Four Steps for Preventing Machinery Phishing
- Don’t open attachments in e-mails unless you were specifically expecting them. Even if it’s something that you often receive from an individual, but it’s arriving at the wrong time, contact them and check to see if they sent it to you.
- The IT department can only filter out so much SPAM. It is essential to run an antivirus program, but make sure you keep it up to date (turn on the auto-update function). You still have to be attentive as you are going through your e-mail. If it is even remotely suspicious in any way, don’t open it.
- Don’t be embarrassed about asking when something looks strange. It’s worth a minute or two out of your day to keep your employer’s network up, running, and healthy. It’s much better than thinking “Oh, that should be okay” only to find out that you were wrong.
- Make backups regularly. If something goes wrong, you only lose the data back to the previous backup, which is something you can recover from. Even better is using offsite storage and computing. Some of them provide back-ups that are only minutes old.
Using multiple sites means you could be hacked, have your local server entirely encrypted, and just lock it out. Then you just switch to a mirror server in Buffalo, or Los Angeles, with no perceptible interruption. There are strategies to deal with problems, but it is so much better not to have them in the first place.
Education and Training
Phishers understand computers better than the average employee. They are well versed in how to impersonate people you know casually by taking information from their Facebook or LinkedIn accounts, or other social media, so they can make convincing references that give them believability.
You have to be able to identify their mistakes so you can scoff at them and protect your company network. That means all your fellow workers need to know the same thing.
InfoSec Institute offers self-paced tutorials, which are available to all InfoSec account holders, including those with free membership plans. A quick overview of phishing to help learners recognize suspicious emails and to discover what to do when (not if) a suspect email is received are all covered in the coursework. You may view InfoSec’s tutorials and sign up for a free account here.
Testing and Evaluation
Once you are a member, (free or subscribed) you gain access to our PhishSim tools and templates, where you can create pseudo-phishing e-mails similar to those which may be used by these crooks, and then send them to everyone who interacts with your mail system. That helps to determine how they respond to a threat.
With an extensive collection of existing templates, cloning and then modifying an existing one is probably the quickest and easiest way for you to start a phish-testing campaign.
Your organization needs to have a specific individual to whom people report perceived phishing attempts. You need to have a clear methodology for employees, clients, and customers to inform this person when phishing is suspected.
Take a look here and see how it works! SecurityIQ Phishing Simulator
Reporting every incident will allow authorities to capture individuals if they are too slow to change their IP addresses, or in other ways to cover up their tracks. Remember, the FBI, Homeland Security, Interpol, and other agencies maintain databases identifying different scams, suspects’ names, and other identifying information which they share with all law enforcement agencies, and even some private organizations. This information is used all around the world in investigations and initiatives to stop these criminals.
PhishSim “victims” incur no damage to their computer. Instead, our AwareEd system of tutorials and educational modules use a fun, low-stress series of educational moments to make even the most incautious member of your team more security savvy.
Educational modules range for 5 to 20 minutes, and include interactive learning via simple, testable actions when presented with suspicious emails or web sites.
InfoSec can assist with training your people to recognize and counter phishing attempts as well as other cyber threats. In the last 20 years, over 15,000 IT professionals have received our instruction on a host of cybersecurity areas, and our programs have consistently received industry awards and recognition.
InfoSec’s PhishSim tool, tutorials, and advanced training combine to provide IT security specialists with a complete system for combating the ever-present threat of people intent on breaching your security. Remember it takes only seconds to create a free InfoSec account, and minutes to develop and run a PhishSim test. To get started, click here to create and run your first PhishSim test.