A Scary Cybersecurity Story

Welcome to “Ask Deb from QA,” an advice column from MxD.

Deb from QA — with decades of experience on the factory floor — will answer your questions to demystify and explain the digital manufacturing industry.

Please submit your questions to debfromqa@mxdusa.org

What’s the scariest cyberattack you’ve seen?

I don’t scare easily. But hearing the word “cyberattack” is something that sends me diving under the bed. And let’s face it, that’s a word all of us are hearing more these days.

Don’t believe me? The 2021 Manufacturing Cybersecurity Threat Index from Morphisec said that one in five U.S. and U.K. manufacturing companies reported being a victim of a cyberattack in the 12 months leading up to the report’s release last June. Cybercriminals, the index found, really set their sights on manufacturing during the pandemic, hitting our industry hard.

Amid all this cyber-worrying, folks have asked if there’s one attack that stands out — a frightful cautionary tale for manufacturers. To find out, I turned to my friends at MxD where Senior Director of Cybersecurity Laura Élan didn’t have to think long before answering. The scariest, she said, was 2017’s NotPetya malware attack. Considered the most devastating cyberattack in history, NotPetya is still making headlines, five years later.

First a brief catch-up, since these cyber tales are always so twisted. NotPetya gets its name from the ransomware Petya, which got its name from weapons in the James Bond movie “GoldenEye.” Petya showed up in 2016, targeting Windows-based systems. NotPetya had some similarities but was not ransomware: There were ransom notes but they were fake. There was no one to pay even if you wanted to. There was no decryption key. 

The malware was unleashed, our top U.S. cybercrime experts believe, by Russia to attack Ukraine and cause as much destruction as quickly as possible. The problem is this nasty piece of work didn’t stay in Ukraine. Thanks to all of our global connectivity, there was a lot of collateral damage ($10 billion worth, a government official told Wired).

Worming its way in initially through accounting software, NotPetya took advantage of the leaked National Security Agency hacking tool EternalBlue. 

Kind of like that shark in “Jaws” (since we are talking scary here), once NotPetya got into a Windows machine with unpatched security, it would lurk, figuring out how to steal passwords so it could get administrator access over a network. Then it would set off on a rampage, launching forced auto-updates to all the machines and encrypting their hard drives. It permanently damaged 24,000 laptops at Mondelēz International; disrupted manufacturing at Merck; and forced shipping giant Maersk to reinstall 4,000 servers and 45,000 PCs. And that’s just a sliver of the story.

What made NotPetya so hair-raising was that it did not rely on someone opening a fishy email. Human involvement (unless you count not keeping security patches up to date) wasn’t required to let this intruder in.

NotPetya taught us that no one is immune from cyberattacks, Laura told me. For instance, you may be a small manufacturer, but if you are part of the defense industrial base, you are a very attractive target for cybercriminals who want to ride the tail all the way up to a big defense contractor. 

It also taught us that you must patch. Microsoft had a patch for the flaw that NotPetya exploited. But, you guessed it, not everyone had applied it. 

Being prepared is also crucial. Laura says MxD does tabletop exercises with its members to help them strategize on just what to do in the case, heaven forbid, they fall victim to a cyberattack. In those exercises, companies create a scenario and bring in the whole team — every single department — to figure out everyone’s roles and big-picture tactics.

It’s a lot like your family disaster plan. You shouldn’t wait until the smoke alarm is blaring to figure out who’s gonna grab Fido and who will call 911. You also shouldn’t wait until every single computer screen in the place goes dark to start thinking about cybersecurity. 

NotPetya is one terrifying tale. Even more terrifying, there’s bound to be a sequel. Will you be prepared?

Want to test your factory’s cybersecurity and get feedback from a non-profit that’s not trying to sell you anything? Sign up for a free self-assessment via MxD’s Cyber Marketplace. 

You’ll have the opportunity to do a free self-assessment and can take immediate action to fix your vulnerabilities with vetted cybersecurity tools. To get involved, visit mxdusa.org/marketplace.

Deb from QA wants to hear your questions. Send ’em to debfromqa@mxdusa.org and she’ll answer as soon as she’s done with her dinner.