Many would consider breweries as “essential” over the last year, particularly in times of lockdown. That’s why when North America’s largest beer producer suddenly ceased production last month due to a cyberattack, it sent shockwaves through the industry and around the globe. What could make this multi-billion dollar empire grind to a halt? How do other organisations ensure they don’t suffer the same outcome?
Food and beverage companies often run nonstop, with potentially catastrophic effects when the production chain is disrupted. In this particular case, a suspected ransomware attack left the company behind iconic brands like Pilsner, Miller and Grolsch unable to access systems involved in the production and shipments of these popular drinks. Unfortunately, this type of industrial sabotage is becoming more and more common, as selling remote access into organisations is a documented ecosystem approach for ransom groups. Furthermore, this type of attack in manufacturing tripled in 2020.
The revenue impact of the sabotage is still being calculated but – as described in the regulatory document – the company also expects incremental one-time costs related to consultants, experts and data recovery efforts in both their first and second quarters of 2021.
Molson Coors joins an ever-growing list of high-profile companies hit with a major disruption to its business due to ransomware. The combination of the critical nature of the manufacturing process and potential security vulnerabilities with Operational Technology (OT) or Industrial Control System (ICS) assets has created the perfect playground for cyber criminals. And while the precise nature of the cyberattack is yet to be disclosed, it’s a lesson to organisations the world over that they need to be strongly positioned to prevent, detect and respond to similar incidents. Some key takeaways from this incident should be:
IT and OT’s inevitable convergence
Manufacturing processes around the globe have increasingly been relying on IT and OT technology. But the real game changer is that previously isolated manufacturing networks slowly integrated with IT networks, exposing OT assets and Industrial Control Systems (ICS) to a wider range of threats. Cybercriminals now have an IT and OT backdoor onto the company network.
Security that’s purpose-built for manufacturing
Hackers look at IT, OT and IoT devices as a single continuous system, and so should organisations. Detecting cyber-attacks cannot be based on traditional security agents only – or worse – network-based scans that could take down your OT devices. These types of attacks call for a much different approach – one that discovers, classifies, and identifies threats for every type of IT, OT and IoT device in the environment; and is non-disruptive with no agents required. Manufacturers should also be able to:
– Identify vulnerable devices in their environments
– Monitor device behaviour to detect compromises or policy violations
– Take actions to quarantine suspicious or malicious devices
– Stop attacks from moving laterally from device to device
Traditional threat response solutions are blind to unmanaged devices
Molson Coors engaged forensic IT firms to investigate the exact nature of the incident, in order to properly assess the attack. This is a process where many companies will also turn to traditional Endpoint Detection and Response (EDR) systems, relying on agents. But agents can’t be installed on the vast majority of OT devices in manufacturing environments. Here again, a different approach is needed to continuously monitor the state of each device in the environment and the connections made by each device.
Then, importantly, this information should be recorded and stored in (ideally) a cloud-based system so that, when a security event occurs, security teams can easily scroll back in time to see the scope of the breach, what devices were communicated with, over what protocols, and how much data was transmitted to determine the damage and risk to the business.
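As an added illustration of that look-back (not code from the article or from any vendor product), the Python sketch below walks stored connection records forward in time from a suspected device and reports which devices it could have reached, over which protocols, and how much data moved. The record layout, device names and the `breach_scope` function are assumptions, and the flow data is constructed.

```python
from collections import defaultdict

# Constructed sample records, not from a real incident:
# (epoch seconds, source device, destination device, protocol, bytes sent)
FLOWS = [
    (100, "hmi-01", "plc-07", "modbus", 1_200),
    (200, "eng-ws-03", "hmi-01", "rdp", 48_000),
    (260, "hmi-01", "plc-07", "modbus", 900),
    (300, "hmi-01", "historian", "smb", 5_000_000),
    (350, "plc-07", "plc-09", "modbus", 400),
    (400, "historian", "198.51.100.20", "https", 72_000_000),
    (450, "badge-reader", "hvac-ctl", "bacnet", 300),
]


def breach_scope(flows, first_device, first_seen):
    """Return (exposed, contacts) for an incident starting at first_device.

    exposed maps each device to the earliest time it was contacted by an
    already-exposed device. contacts maps (src, dst) to the protocols used
    and total bytes sent on those connections. Assumption: exposure only
    spreads from the source of a connection to its destination.
    """
    exposed = {first_device: first_seen}
    contacts = defaultdict(lambda: {"protocols": set(), "bytes": 0})
    # Replay in time order so traffic a device sent before it was
    # exposed is not counted against it.
    for ts, src, dst, proto, nbytes in sorted(flows):
        if src in exposed and ts >= exposed[src]:
            exposed.setdefault(dst, ts)
            edge = contacts[(src, dst)]
            edge["protocols"].add(proto)
            edge["bytes"] += nbytes
    return exposed, dict(contacts)


if __name__ == "__main__":
    exposed, contacts = breach_scope(FLOWS, "eng-ws-03", first_seen=150)
    for device, ts in sorted(exposed.items(), key=lambda kv: kv[1]):
        print(f"t={ts:<4} {device}")
    for (src, dst), info in contacts.items():
        protos = ",".join(sorted(info["protocols"]))
        print(f"{src} -> {dst}: {protos}, {info['bytes']} bytes")
```

Devices that never appear in `exposed`, such as the badge reader and HVAC controller in the sample, fall outside the scope of the incident and can be deprioritised during triage.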
Armed with the right information, organisations can learn from the experiences of their peers and make themselves better equipped to identify the root cause of the incident, restore operations and, crucially, take precautionary actions.