The attack claimed its first victim just before 9.30am on 12 May. As computer monitors flickered on and workers prepared for the day ahead, the dark red, slightly retro-looking window popped up on screens at Telefónica, a Spanish telecoms company. As a countdown began and the three-day deadline ticked closer, the WannaCry ransomware demanded $300 in Bitcoins in exchange for the safe return of files.
Within a day, the ransomware infected more than 230,000 computers in 150 countries. Russia, Ukraine, India and Taiwan were the worst-affected countries, with commercial targets including FedEx and German train firm Deutsche Bahn.
Two of the most high-profile victims were Nissan and Renault, in the UK and France respectively. Production at several factories ground to a halt and did not resume for days as the manufacturers dealt with the fallout.
Weeks after the attack, its effects are still being felt around the world. Some were quick to assign blame, with many fingers pointing at a government-linked group in North Korea.
But where is the path for recovery? How should manufacturers react and how should they protect themselves from future attacks?
Some have said the WannaCry attack did not reach its full potential, and the results of other types of hacks could be worse – even fatal.
‘We need a closer look at security’
As organisations around the world scrambled to work out how they had been infected, a common factor for many of them was Windows operating systems. The Windows vulnerability was revealed in a leak of secret information from the US National Security Agency in April, and Microsoft issued security updates shortly afterwards. However, not all users updated their systems and the patch did not cover the Server 2003 and XP systems, which are used by many organisations including the National Health Service. These two failures meant that many systems were vulnerable when the attack struck on 12 May.
For manufacturers such as Nissan and Renault, experts say the main routes for hackers were so-called ‘legacy’ systems running machinery. The software is often not intended to be linked to wider networks or the internet, but gradually becomes connected over the years as manufacturers decide against replacing expensive kit that still works on a daily basis.
Even newer robots can be vulnerable, as companies strive to embrace more automation and connectivity. With the Internet of Things (IoT) expanding by the day, tens of thousands of industrial machines can be found on public IP addresses, either providing a route for malware to spread throughout factories or becoming targets for malicious remote control themselves.
“There has been a belief that plants are inherently immune to some of these breaches and that was probably historically true, because they weren’t connected to anything,” says Don Rogers, head of manufacturing practice at IT systems integrator World Wide Technology. “But as we started connecting these systems to broader networks and ultimately to the internet – even indirectly – we have significantly increased our attack surface to the inside and outside of these manufacturing plants. So we need to take a much closer look at security.”
Safeguards not in place
There are several risks to manufacturers in the event of a hack, says Rogers. Production can be halted, as it was at Nissan and Renault, potentially losing companies huge amounts of money in staff pay and other costs. Hackers could also potentially access intellectual property and designs, stealing trade secrets to sell to competitors or blackmailing the victims.
Two other risks could prove even more serious for companies, their workers and the public. If hackers access robot controls, they could create slight defects in the products being built, whether cars, electronics, train parts or anything else. If the defects are spotted in quality control, companies might have to scrap whole batches of products, potentially losing vast amounts of money.
A more serious concern is defective products slipping through the quality control process and reaching the market, potentially putting the public at risk as the defects transform into more serious issues down the line. This could lead to deaths and even injuries, says a report from security company Trend Micro and the Polytechnic University of Milan. “Should micro-defects successfully evade detection by a vendor’s multiple checks, depending on the nature of the goods themselves, injury or fatality could occur,” says the report, Rogue Robots: Testing the Limits of an Industrial Robot’s Security.
Both Rogers and the authors of the report identify another major risk for factories using large automated machinery – hackers’ ability to remotely control or switch on robots, putting workers in danger. “We are talking about big industrial equipment here,” says Rogers. “If you are able to start and stop processes at whim, without regard to human safety, unauthorised control of those production lines could lead to injuries or fatalities. It is very dangerous, especially if you consider the ability of hackers to bypass safety systems which would normally prevent a worker from being injured.”
The report authors say they are in close communication with the makers of the robot they hacked during experiments. The vendor has issued patches to fix security flaws and worked with manufacturers to ensure they are used. However, the authors say that safety measures such as kill-switches and fences around robots are sometimes not used, meaning workers could still be at risk. “We have anecdotal evidence that these safeguards are not in place,” says Federico Maggi from Trend Micro. “Sometimes the safeguards are only a red line painted on the floor.”
Using physical barriers between workers and machinery is also being corroded by the rise of collaborative robots (see feature on page 24). The machines, known as cobots, are designed to work in harmony with human ‘colleagues’, physically interacting to complete a shared goal. The switch between manual and automatic control of the cobots is sometimes on ‘teach pendants’, handheld devices that can be wired or wireless, instead of hardwired physical switches. If a hacker gains control of the pendant, the report says, “the human operator would trust the robot when in manual mode and operate near it while an attacker could be silently changing the mode of operation and moving the robot arm at full speed, causing physical harm to the nearby human”.
With new technology such as cobots and IoT systems spreading, and fresh security issues bubbling to the surface as manufacturers connect old machinery to the internet, experts say firms need to act quickly to protect themselves, their workers and the public.
Build in protection
The Rogue Robots authors say three “fundamental laws” need to be built into manufacturing robots to protect against damage from hacks: they must refuse to execute orders to damage themselves; they must accurately ‘read’ from the physical world with sensors and ‘write’ with motors and tools; and they must never harm humans.
Practical cyber-security steps for manufacturers include extending practices accepted as standard in enterprise businesses, says Rogers. Manufacturers must monitor traffic content coming in and out of factories, and information security officers must confirm the identity of people operating machines, not limiting authentication for computing and network devices, he says.
Cyber security has often been an afterthought, says Rogers. He says IT organisations and manufacturers “haven’t enjoyed a close working relationship” but they must come together after the WannaCry attack highlighted issues.
Other experts say lawmakers should lead the way in ‘cyber hygiene’. Oliver Welch, head of security at manufacturers’ organisation the EEF, says the government “should be the trailblazer for the practice”.
The UK government has a list of cyber essentials that must be followed by any company working with a public body, including using boundary firewalls, malware protection and ‘patch management’. Any organisation can follow the checklist and apply for a cyber-essentials badge but the points should become part of mandatory accreditation from bodies such as the new National Cyber Security Centre, says Welch.
Next year, the EU General Data Protection Regulation will come into force. It extends the scope of European data protection laws to all foreign companies processing data from EU residents. Under the regulation, companies are required to disclose any loss of personal data owing to hacks and face fines of up to 4% of worldwide turnover. The regulation could encourage manufacturers to update cyber-security arrangements to avoid public shaming and fines. “If you are seen to be particularly vulnerable then there is of course a risk that will reflect on the business,” says Welch. “So prevention and proactivity are important as well as being able to clean it up afterwards. It’s a real wake-up call, the last couple of weeks, and people are now taking this more seriously.”
In the US, a more radical response to hacks is being suggested by a cross-party group of politicians. Hacked companies and individuals should be able to ‘reverse-hack’ the hackers, says Georgia congressman Tom Graves, disrupting the hack and collecting information for authorities.
However, commentators including security expert Graham Cluley suggest this could lead to wider damage, as hacked companies target the source of attacks – which could themselves be hacked computers, spreading the malware without their owners’ knowledge.
Perhaps it is best for manufacturers to start preparing for the next WannaCry – or something worse – before it strikes.
CYBER-ATTACK TIMELINE
March 2010:
Stuxnet worm starts spreading. The worm targets nuclear facilities in Iran, causing serious damage and disruption. Believed to have been developed by the US and Israel, the worm ‘escapes’ and infects computers around the world.
August 2012:
Shamoon computer virus infects Saudi oil company Aramco. The attack hits 35,000 computers, destroying many of them. Group named Cutting Sword of Justice claims responsibility for the attack, which forces Aramco to use fax machines and typewriters for a week.
April 2013:
Anti-spam group Spamhaus is targeted by a massive distributed denial of service attack. The huge scale of the attack slows web traffic speed worldwide.
April 2014:
The Heartbleed bug is discovered. An estimated 17% of secure web servers in the world are vulnerable to attack when Heartbleed is identified, leading many commentators to call the bug one of the worst security threats that has ever been encountered.
May 2017:
The WannaCry ransomware infects more than 230,000 computers in many countries around the world.
The attack hits major organisations such as the National Health Service, and forces Nissan and Renault factories to halt production.
THE GOVERNMENT'S CYBER ESSENTIALS
- Use boundary firewalls to prevent unauthorised access to your organisation.
- Use secure configurations when setting up systems.
- Restrict access to controls to those who need it.
- Use malware protection such as anti-virus software.
- Update software frequently and ensure that security patches are used.