On August 3, Taiwan Semiconductor Manufacturing Co. Ltd. (TSMC), the largest chip fabricator globally, introduced a WannaCry ransomware cryptoworm variant onto its information technology/operational technology (IT/OT) networks. A TSMC supplier installed infected software on a new fabrication tool and connected it to the network, facilitating the malware infestation.
The infection spread quickly, taking out 10,000+ unpatched Windows 7 machines that run the chip fab company’s tool automation interface. The cryptoworm crashed and rebooted systems endlessly, forcing several plants in Taichung, Hsinchu and Tainan to shut down through much of the weekend.
The infection crippled materials handling systems and production equipment as well as Windows 7 computers. Some of the plants were producing SoC chips for the Apple iPhone 8 and X models. The incident’s connection to Apple and the iPhone heightened its visibility in the news media.
According to TSMC CEO C.C. Wei, patching for the Windows 7 machines requires computer downtime and collaboration with equipment suppliers. The absence of current patches created an environment where WannaCry could easily propagate.
Smart manufacturer cybersecurity risks on the rise
According to the TSMC website, the company had “introduced new applications such as IoT, intelligent mobile devices and mobile robots to consolidate data collection, yield traceability, workflow efficiency, and material transportation to continuously enhance fab operation efficiency.” The site also states that TSMC had “integrated automatic manufacturing systems.”
These innovations are typical in the evolution of Industry 4.0, which has increased the risk of cyberattacks against manufacturers.
But as manufacturers moved from air-gapped industrial systems to cloud-connected systems as part of the IT/OT convergence – using unpartitioned networks and insufficient access controls for proliferating IIoT devices – they created a massive, vulnerable attack surface, according to the Vectra report.
Air-gapped systems such as industrial controls are left unconnected by design to guard against malicious tampering, but IT/OT convergence has connected these systems to information technology networks with little accounting for security vulnerabilities.
Many factories connect IIoT devices to flat, unpartitioned networks that rely on communication with general computing devices and enterprise applications. Since IIoT devices support few if any native cybersecurity measures, connecting them to easily infected applications, computers and unsegregated IP networks only invites trouble.
In the past, manufacturers relied on more customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal.
Few if any cyberattackers know and understand the proprietary protocols those closed legacy systems used. But it’s easy for most criminal hackers and their exploits to access standard IP network protocols, just as WannaCry abuses the SMB protocol where there is no patch.
Real-time network visibility is crucial
Industry 4.0 brings with it a new operational risk for connected, smart manufacturers and digital supply networks. The interconnected nature of Industry 4.0-driven operations and the pace of digital transformation mean that cyberattacks can have far more damaging effects than ever before, and manufacturers and their supply networks may not be prepared for the risks.
Wherever cyberattacks interfere with business continuity for business and information processes, they can also disrupt the operational technologies that render products and get them out the door.
For cyber-risk to be adequately addressed in the age of Industry 4.0, manufacturing organizations need to ensure that proper visibility and response capabilities are in place to detect and respond to events as they occur. As in the case of the TSMC ransomware debacle, anything less than real-time detection and response is too little, too late to avoid production downtime.
There is no visibility into these systems to enable real-time detection before cyberattacks spread. Visibility into these internal connected systems is necessary to curtail the extent of damage from a cyberattack.
Manufacturing security operations now require automated, real-time analysis of entire networks to proactively detect and respond to in-progress threats before they do damage.
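To make the real-time visibility described above concrete, here is an added example (not from the original article or any vendor product) that flags worm-like SMB fan-out on a flat network from flow records. The record layout, threshold, window, internal range and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values for illustration; tune against a baseline of the real network.
SMB_PORT = 445
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 5          # distinct internal SMB peers per window
INTERNAL = ip_network("10.0.0.0/8")

def detect_smb_fanout(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: first_alert_timestamp} for hosts that reach at least
    `threshold` distinct internal hosts on TCP/445 within `window` seconds.
    `flows`: time-sorted (timestamp, src_ip, dst_ip, dst_port) tuples."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
    alerts = {}
    for ts, src, dst, port in flows:
        if port != SMB_PORT or ip_address(dst) not in INTERNAL:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop connections that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if src not in alerts and len({d for _, d in q}) >= threshold:
            alerts[src] = ts
    return alerts

def sample_flows():
    """Constructed sample: normal SMB clients plus one newly connected
    tool (10.20.0.99) sweeping its subnet over SMB."""
    flows = []
    # Normal: three workstations each talk to one file server.
    for i, ws in enumerate(["10.10.0.11", "10.10.0.12", "10.10.0.13"]):
        flows.append((i * 10, ws, "10.10.0.5", 445))
    # Normal: an engineering host opens one new share every five minutes.
    for i in range(6):
        flows.append((i * 300, "10.10.0.20", f"10.10.1.{i + 1}", 445))
    # Worm-like: one host hits 8 distinct peers on 445, two seconds apart.
    for i in range(8):
        flows.append((100 + i * 2, "10.20.0.99", f"10.20.0.{i + 1}", 445))
    # Non-SMB traffic is ignored regardless of fan-out.
    for i in range(10):
        flows.append((50 + i, "10.10.0.30", f"10.10.2.{i + 1}", 443))
    return sorted(flows)

if __name__ == "__main__":
    for host, ts in detect_smb_fanout(sample_flows()).items():
        print(f"t={ts}s ALERT {host}: SMB fan-out to {FANOUT_THRESHOLD}+ peers")
```

The slow engineering host never alerts because its earlier connections age out of the window, which is why the window and threshold need to be set from observed traffic rather than guessed.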