When Service Providers Become Cyber Risk Factors 

Last year, criminals launched a devastating cyber attack against a British retailer with the equivalent of a bank shot. Rather than directly target Marks & Spencer, the perpetrators focused on the retailer’s IT vendor, tricking an employee into revealing login credentials. “Once access was gained, they used highly sophisticated techniques as part of the attack,” Marks & Spencer acknowledged.

In the age of digital manufacturing, companies face a range of cybersecurity risks, from training employees to recognize phishing schemes to protecting networks against brute-force attacks. 

But there is another critical vulnerability to consider: attacks that come in through the side door, via a lapse by an otherwise trusted third-party service provider.

These hidden risks from service access are uniquely diabolical because they exploit legitimate connections from outside vendors for nefarious means. Everything looks normal — until it doesn’t. 

“Any sufficiently automated or computerized machine typically requires monitoring, both by the company operating it, and the manufacturer, for maintenance purposes,” said Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense. “They will have a service access door or remote connection that enables them to do their job. The risk is hidden because when a hacker discovers and uses that door, they are indistinguishable from an authorized user. Their actions don’t trigger any alarms because the system thinks the activity is normal maintenance.”

Tanji offered a hypothetical example of how a manufacturing firm could fall prey to a service-related cyberattack: A third-party vendor that maintains a plant’s HVAC system gets hacked at its own office. The hacker finds the vendor’s username and password for the manufacturing plant and logs in late at night for what looks like routine maintenance. 

But once inside, because the plant’s networks are not segmented, the hacker is able to take control of operational technology (OT), potentially causing significant disruption or damage. “No malware or other ‘detectable’ mechanism was ever used,” Tanji said. “The hacker just used legitimate credentials to issue bad instructions.”

In this interview, edited for space, Tanji discusses the risks of machine connectivity and how organizations can strengthen their cybersecurity posture. 

Q.: What service-related connection points are vulnerable to hacking? 

Michael Tanji: When we talk about “services” in a plant, we are usually looking at the tools that allow people to remotely access and interact with machines. These include:

  • Virtual Private Networks (VPNs): A secure (encrypted) tunnel from a vendor’s office directly into the plant’s network.
  • Remote Desktop Protocol (RDP): Allows a remote technician to see and control a machine’s screen from their own computer.
  • Maintenance portals: Newer machines in particular have built-in web interfaces where a technician can change settings or manage updates.
  • File Transfer Protocol (FTP): Used to send new recipes or instructions to a robot or a production line.
  • Shadow IT: Software that engineers or technicians might install to help them with their work, but without the IT department’s knowledge.

Q.: Is there a universal vulnerability?

M.T.: If there is, it is likely shared credentials. It is not uncommon in manufacturing environments for a given machine to have a single username and password that is shared among multiple employees. Giving each employee their own unique username and password is seen as burdensome, and more passwords means more service calls to reset passwords because people forget them. More importantly, it creates more opportunities to conduct a credential-stuffing attack (re-using commonly used passwords in an attempt to exploit the fact that humans are kind of lazy and will use “password” as a password if they can get away with it).

A close second is an “always-on” connection. Many vendors require 24/7 access to machines to monitor them as a part of their service-level agreement. This means a digital door is always open, even when no work is being done.
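Shared machine accounts make the credential-stuffing problem Tanji describes hard to see: a burst of failed logins followed by a success looks like an operator who mistyped, and the same account legitimately arrives from several workstations. The script below is an added example (not code from MxD or from the interview) that reviews a constructed authentication log for two signals: a source that fails repeatedly against one account and then gets in, and accounts used successfully from many distinct sources, which is the footprint of a shared credential. The log line format, thresholds and addresses are assumptions made for illustration.

```python
"""Spot credential-stuffing against shared machine accounts in an auth log.

Added example, not code from MxD or the interview. The log line format,
the thresholds and the addresses are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the "line3-hmi" account is shared by several operators.
AUTH_LOG = """\
2025-03-04T02:00:01 src=203.0.113.7 user=line3-hmi result=fail
2025-03-04T02:00:09 src=203.0.113.7 user=line3-hmi result=fail
2025-03-04T02:00:20 src=203.0.113.7 user=line3-hmi result=fail
2025-03-04T02:00:31 src=203.0.113.7 user=line3-hmi result=fail
2025-03-04T02:00:44 src=203.0.113.7 user=line3-hmi result=fail
2025-03-04T02:00:58 src=203.0.113.7 user=line3-hmi result=ok
2025-03-04T06:10:00 src=10.0.5.21 user=line3-hmi result=ok
2025-03-04T06:12:15 src=10.0.5.22 user=line3-hmi result=fail
2025-03-04T06:12:40 src=10.0.5.22 user=line3-hmi result=ok
2025-03-04T07:00:00 src=10.0.5.30 user=jsmith result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_auth(text):
    """Parse log lines into (timestamp, src, user, ok) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"], m["result"] == "ok"))
    return sorted(events)


def failure_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {(src, user): count} for pairs with >= threshold failures inside one window."""
    fails = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            fails[(src, user)].append(ts)
    bursts = {}
    for key, stamps in fails.items():
        lo, best = 0, 0
        for hi, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bursts[key] = best
    return bursts


def success_after_burst(events, bursts):
    """Burst pairs that later logged in successfully: the guessing most likely worked."""
    last_fail, hits = {}, set()
    for ts, src, user, ok in events:
        key = (src, user)
        if key not in bursts:
            continue
        if not ok:
            last_fail[key] = ts
        elif key in last_fail:
            hits.add(key)
    return sorted(hits)


def shared_accounts(events, min_sources=3):
    """Accounts used successfully from >= min_sources distinct sources: likely shared."""
    sources = defaultdict(set)
    for _, src, user, ok in events:
        if ok:
            sources[user].add(src)
    return {user: len(s) for user, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    ev = parse_auth(AUTH_LOG)
    bursts = failure_bursts(ev)
    print("failure bursts:", bursts)
    print("successful login after burst:", success_after_burst(ev, bursts))
    print("accounts used from many sources:", shared_accounts(ev))
```

On the constructed log the burst from 203.0.113.7 against line3-hmi followed by a success is the event worth paging on; the second finding (line3-hmi used from three sources) is the structural problem that makes that account a target in the first place, and the fix is per-person accounts rather than a better detector.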

Q.: How can companies protect against service-related attacks? 

M.T.: There are a number of fundamental cybersecurity practices that apply to connected machines as well as commodity IT:

  • Multi-Factor Authentication (MFA): The vendor shouldn’t just need a password; they should need a second factor to gain access. Ideally this is through an authentication app, but even if only a phone-based code, it’s still better than single-factor authentication.
  • Just-in-Time Access: The “digital tunnel” stays closed and locked until the vendor calls and says, “I need to perform maintenance for the next two hours.” Only then is the connection turned on — and ideally strictly limited to the stated duration.
  • Session logging: There should be a record of everything the vendor does while they are connected. Organizations should be able to access and review these records to detect anomalies or actions outside the normal scope of work.
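The three practices in the answer above (MFA, just-in-time access, session logging) only pay off if someone actually compares the session records against what was approved. The script below is an added example, not code from MxD or from the interview, that does that comparison over a constructed session log: each vendor session is checked for a second factor, for fitting inside a maintenance window that was opened on request, and for actions outside the vendor's contracted scope. The log format, the window list and the scope table are assumptions made for illustration.

```python
"""Review vendor remote-access sessions against MFA, JIT-window and scope rules.

Added example, not code from MxD or the interview. The log format, the
approved-window list and the per-vendor scope are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one session per line:
# start|end|vendor|account|mfa|commands (semicolon-separated)
SESSION_LOG = """\
2025-03-04T09:05:00|2025-03-04T10:40:00|hvac-co|svc-hvac|yes|read_setpoints;write_setpoint
2025-03-04T23:15:00|2025-03-05T01:02:00|hvac-co|svc-hvac|no|read_setpoints;plc_program_download
2025-03-05T14:00:00|2025-03-05T14:20:00|robot-vendor|svc-robot|yes|upload_recipe
2025-03-05T14:00:00|2025-03-05T17:30:00|robot-vendor|svc-robot|yes|upload_recipe;shell
"""

# Constructed: just-in-time windows opened on request (vendor, opened at, duration).
APPROVED_WINDOWS = [
    ("hvac-co", datetime(2025, 3, 4, 9, 0), timedelta(hours=2)),
    ("robot-vendor", datetime(2025, 3, 5, 14, 0), timedelta(minutes=30)),
]

# Constructed: the actions each vendor is contracted to perform.
SCOPE = {
    "hvac-co": {"read_setpoints", "write_setpoint"},
    "robot-vendor": {"upload_recipe"},
}


@dataclass
class Session:
    start: datetime
    end: datetime
    vendor: str
    account: str
    mfa: bool
    commands: list


def parse_sessions(text):
    """Parse the pipe-separated session log into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, vendor, account, mfa, cmds = line.split("|")
        sessions.append(Session(
            start=datetime.fromisoformat(start),
            end=datetime.fromisoformat(end),
            vendor=vendor,
            account=account,
            mfa=(mfa == "yes"),
            commands=cmds.split(";") if cmds else [],
        ))
    return sessions


def in_approved_window(session, windows):
    """True if the whole session fits inside a window opened for that vendor."""
    for vendor, opened, duration in windows:
        if vendor == session.vendor and opened <= session.start and session.end <= opened + duration:
            return True
    return False


def _finding(session, issue):
    return {"start": session.start.isoformat(), "vendor": session.vendor, "issue": issue}


def review(sessions, windows, scope):
    """Return one finding per control a session violates: MFA, JIT window, scope."""
    findings = []
    for s in sessions:
        if not s.mfa:
            findings.append(_finding(s, "single-factor login"))
        if not in_approved_window(s, windows):
            findings.append(_finding(s, "outside approved maintenance window"))
        extra = sorted(set(s.commands) - scope.get(s.vendor, set()))
        if extra:
            findings.append(_finding(s, "out-of-scope actions: " + ", ".join(extra)))
    return findings


if __name__ == "__main__":
    for f in review(parse_sessions(SESSION_LOG), APPROVED_WINDOWS, SCOPE):
        print(f"{f['start']} {f['vendor']}: {f['issue']}")
```

The late-night HVAC session in the sample trips all three checks at once, which is exactly the shape of the hypothetical attack described earlier in the article: valid credentials, no malware, and nothing unusual except that nobody asked for the door to be opened. The fourth session shows the subtler case, a vendor that was approved for half an hour and stayed for three and a half, running a shell that was never part of the engagement.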

Q.: You mentioned that manufacturer networks may not be segmented. That’s another big vulnerability, isn’t it? 

M.T.: Yes. One of the best ways to maintain operational capability and reduce risk is to segment your networks. If your IT and OT networks are separate, a compromise in one will not automatically lead to a compromise in the other. Likewise, segmented OT networks can protect different types of machines or parts of your manufacturing process. You’re throwing up roadblocks so attackers can’t run roughshod through your enterprise.

In particularly large and complex environments, the use of one-way data diodes is something else to consider. A data diode is a hardware device that often uses fiber-optic cables; one side has a light-emitting laser, and the other side has a photo-receiver. Devices (emitters) can send diagnostic or other data to a control system (receiver) but data cannot flow in the reverse direction, protecting devices from malicious commands. 

Data diodes are more common in high-risk environments like nuclear power plants, chemical plants, and refineries, where certain inefficiencies — such as limited bidirectional communication — are acceptable because the risk of compromise is so high.
