Cyber attacks against manufacturers rising, according to report

Cyber attacks against manufacturers are occurring more frequently, according to a report by NTT Security, and the level of sophistication is also increasing.

By Gregory Hale, ISSSource September 20, 2017

Manufacturers are a key target for cyber attacks—and they are continuing to rise, according to research by NTT Security. In addition, the sophistication of cyber attacks continues to rise across all corners of the world, according to NTT Security’s Q2 Threat Intelligence Report.

The following is the attack profile of the manufacturing industry: 

  • The manufacturing industry was the most heavily targeted industry during Q2 2017, accounting for 34% of attack activity.
  • The manufacturing industry was also heavily targeted throughout 2016, appearing in the "top three" in five of the six geographic regions. No other industry appeared in the top three more than twice
  • Fifty-eight percent of malware distribution in manufacturing environments was via web-based downloads.
  • Eighty-six percent of malware in the manufacturing industry were variants of Trojans and droppers.
  • Reconnaissance accounted for 33% of all activity aimed at manufacturing clients in Q2 2017.

Manufacturing recon

Analysis suggests cyber criminals used several different scanning tools such as ZmEu, Metasploit and Muieblackcat to scan public-facing systems. These tools come equipped with several plugins, allowing for even beginner cyber criminals to scan and find vulnerabilities in systems and applications.

PHP-based applications accounted for 75% of all reconnaissance efforts against the manufacturing industry, according to the report.

A majority of this traffic was via the use of ZmEu and Muieblackcat scanning tools, which scan for vulnerabilities in common PHP files and plugins behind web applications and content management systems (CMS) such as WordPress.

In 2016, WordFence1 conducted a survey which indicated roughly 56% of all hacked WordPress sites were compromised via exploited plugins. The phpMyAdmin plugin was developed to simplify database administration, is the front-end to MySQL databases, and a popular target to gain full access over a database. Although these scans are common, they can be effective if web applications, websites, etc. are not configured following best security practices. This becomes a larger issue if the website or web server being used in a manufacturing organization sets up the web server in a "security unaware" manner, or does not apply automatic updates potentially leaving the company or organization blind to its vulnerabilities, the report said.

Brute-forcing traffic accounted for 22% of all attacks against the manufacturing industry, the report said. NTT Security focused on the server/application targets of this traffic, discovering FTP servers were of highest interest at 64%, followed by HTTP (18%) and SSH (11%).

Download technique

In addition, NTT Security discovered 86% of malware in the manufacturing industry were Trojan/dropper variants, which his software or applications that drop additional malicious binaries whether they appear to be legitimate or not. NTT Security analyzed the distribution efforts for delivering malware to systems in the manufacturing industry. The most common technique used to distribute malware was drive by downloads

"Most manufacturing systems today were made to be productive—they were not made to be secure. Every manufacturer is at risk—it isn’t a matter of if they will be targeted, it’s a matter of when," Rebecca Taylor, senior vice president for NCMS, said in the report.

Intellectual property is at a premium, and in a market where fractions of market shares can mean millions—or billions—of dollars, competition is fierce. Industrial control systems (ICS) are often left unguarded, and worse yet, they are often built with little to no thought for security, sometimes making protection of the device itself impractical. There is a lack of investment in cybersecurity, as funds are being spent upgrading systems to be more productive or more efficient. In fact, almost half of top executives in manufacturing firms neither feel confident in their technology to protect their networks, nor do they feel they have adequate funding.

Perhaps the most influential of all trends results in one of the greatest emerging cyber threats to the manufacturing industry: Smart factories, the report said. Hoping to add efficiency, productivity, quality of products and flexibility to the process, connected—or "smart"—factories are expected to add $500 billion to the global economy in the next five years, adding yet another avenue for threat actors to target the manufacturing industry.

This connectivity is expected to drive a 27% increase in efficiency during that timeframe, and by the end of 2022, manufacturers expect that 21% of all factories will be fully connected. But all these additional tools, devices, and robots are redefining the attack surface in the manufacturing industry, the report found.

Vast attack surface

Despite the benefits of connected devices, this creates an environment with a continually broadening attack landscape due to endpoint expansion, the report said. As these devices multiply, they can become crucial access points for an attacker to infiltrate a network, or become pawns in a botnet or even be victims of ransomware themselves. Simply put, the more systems you have, the more likely it is that an attacker is going to find something in your environment.

NTT Security recommends manufacturing organizations consider the following preventive and mitigation strategies:

  • Educate users on identifying and avoiding phishing emails—particularly since employees are the most often targeted, and may be the first, or only, line of defense.
  • Ensure computers, network and other Internet-connected devices, particularly industrial control systems, are running the most current versions of operating systems and software. Please note that the most current software versions are typically the most secure, but this is not always the case.
  • In addition to outside actors, don’t forget to secure against the rogue insider—someone trusted within your organization, who perhaps has "the keys to the kingdom."
  • Enforce "least privilege"—vary the level of individual access, granted based on specific user needs and scenarios.
  • To every practical extent, isolate sensitive systems and network functions. Group associated sensitive functions onto protected networks whenever possible, to include segmenting ICS from other network functions.
  • Industrial networks are often not well segmented between IT/OT, so an infection in the former can easily spread to the latter.
  • Let malware such as WannaCry serve as a recent lesson: Although the manufacturing industry seemed almost immune to WannaCry, many Microsoft Windows machines inside ICS environments are not fully patched, and are often running outdated, unsupported versions.

Gregory Hale is the editor and founder of Industrial Safety and Security Source (, a news and information Website covering safety and security issues in the manufacturing automation sector. This content originally appeared on ISSSource is a CFE Media content partner. Edited by Chris Vavra, production editor, CFE Media,

ONLINE extra

See related stories from ISSSource linked below.

Original content can be found at