TSMC WannaCry infection forces shutdowns, financial losses

By Christopher Morales, Head of Security Analytics, Vectra

On August 3, Taiwan Semiconductor Manufacturing Co. Ltd. (TSMC), the largest chip fabricator globally, introduced a WannaCry ransomware cryptoworm variant onto its information technology/operational technology (IT/OT) networks. A TSMC supplier installed infected software on a new fabrication tool and connected it to the network, facilitating the malware infestation.

The infection spread quickly, taking out 10,000+ unpatched Windows 7 machines that run the chip fab company’s tool automation interface. The cryptoworm crashed and rebooted systems endlessly, forcing several plants in Taichung, Hsinchu and Tainan to shut down through much of the weekend.

The infection crippled materials handling systems and production equipment as well as Windows 7 computers. Some of the plants were producing SoC chips for the Apple iPhone 8 and X models. The incident’s connection to Apple and the iPhone heightened its visibility in the news media.

According to TSMC CEO C.C. Wei, patching the Windows 7 machines requires computer downtime and collaboration with equipment suppliers. The absence of current patches created an environment where WannaCry could easily propagate.

The 2018 Spotlight Report on Manufacturing published by Vectra a few weeks before the incident foretold TSMC’s infection, which could cost the company as much as $255 million.

Smart manufacturer cybersecurity risks are increasing

According to the TSMC website, the company had “introduced new applications such as IoT, intelligent mobile devices and mobile robots to consolidate data collection, yield traceability, workflow efficiency, and material transportation to continuously enhance fab operation efficiency.” Further, TSMC had “integrated automatic manufacturing systems,” according to its website.

These innovations are typical in the evolution of Industry 4.0, which has increased the risk of cyber attacks against manufacturers.

But as manufacturers moved from air-gapped industrial systems to cloud-connected systems as part of the IT/OT convergence – using unpartitioned networks and insufficient access controls for proliferating IIoT devices – they created a massive, vulnerable attack surface, according to the Vectra report.

While air-gapped systems such as industrial controls have no connections by design to guard against malicious tampering, IT/OT convergence has connected these systems to information technology networks with little accounting for security vulnerabilities.

Many factories connect IIoT devices to flat, unpartitioned networks that rely on communication with general computing devices and enterprise applications. Since IIoT devices support few if any native cybersecurity measures, connecting them to easily infected applications, computers and unsegregated IP networks only invites trouble.

In the past, manufacturers relied on more customized, proprietary protocols, which made mounting an attack more difficult for cybercriminals. The conversion from proprietary protocols to standard protocols makes it easier to infiltrate networks to spy, spread and steal.

Few if any cyberattackers know and understand the proprietary protocols those closed legacy systems used. But it’s easy for most criminal hackers and their exploits to reach standard IP network protocols, just as WannaCry abuses the SMB protocol on hosts where the patch is missing.

Real-time network visibility is crucial 

Industry 4.0 brings with it a new operational risk for connected, smart manufacturers and digital supply networks. The interconnected nature of Industry 4.0-driven operations and the pace of digital transformation mean that cyber attacks can have far more damaging effects than ever before, and manufacturers and their supply networks may not be prepared for the risks.

Wherever cyber attacks interfere with business continuity for business and information processes, they can also disrupt the operational technologies that render products and get them out the door.

For cyber-risk to be adequately addressed in the age of Industry 4.0, manufacturing organizations need to ensure that proper visibility and response capabilities are in place to detect and respond to events as they occur. As the TSMC ransomware debacle shows, anything less than real-time detection and response is too little, too late to avoid production downtime.

Without visibility into these systems there is no real-time detection before cyber attacks spread. Visibility into these internal connected systems is necessary to curtail the extent of damage from a cyberattack.

Manufacturing security operations now require automated, real-time analysis of entire networks to proactively detect and respond to in-progress threats before they do damage.
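An added illustration of the kind of automated network analysis the article calls for (example code written for this page, not Vectra’s Cognito product or any TSMC system): it flags a host fanning out SMB (TCP/445) connections to many distinct peers inside a short window, the pattern a worm like WannaCry produces on a flat network, and separately lists SMB sessions entering an assumed OT address range from outside it. The flow records, addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records (hypothetical, not from TSMC or Vectra):
# timestamp, source IP, destination IP, destination port
FLOWS = """\
2018-08-03T22:10:01 10.10.5.7 10.20.0.11 445
2018-08-03T22:10:02 10.10.5.7 10.20.0.12 445
2018-08-03T22:10:02 10.10.5.7 10.20.0.13 445
2018-08-03T22:10:03 10.10.5.7 10.20.0.14 445
2018-08-03T22:10:03 10.10.5.7 10.20.0.15 445
2018-08-03T22:10:04 10.10.5.7 10.20.0.16 445
2018-08-03T22:10:30 10.10.9.2 10.10.9.50 445
2018-08-03T22:11:00 10.10.9.3 10.10.9.50 443
"""

OT_SEGMENT = ip_network("10.20.0.0/16")  # assumed fab-tool/OT address range
FANOUT_THRESHOLD = 5                     # distinct SMB targets per source
WINDOW = timedelta(seconds=60)           # sliding window for the fan-out count


def parse_flows(text):
    """Parse one whitespace-separated flow record per line."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(port)))
    return records


def smb_fanout_sources(records, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Sources reaching >= threshold distinct hosts on TCP/445 within one window."""
    seen = defaultdict(list)  # src -> [(timestamp, dst)]
    flagged = set()
    for ts, src, dst, port in sorted(records):
        if port != 445:
            continue
        seen[src].append((ts, dst))
        recent_targets = {d for t, d in seen[src] if ts - t <= window}
        if len(recent_targets) >= threshold:
            flagged.add(str(src))
    return flagged


def cross_segment_smb(records, ot=OT_SEGMENT):
    """SMB sessions whose destination is inside the OT range but source is not."""
    return sorted({(str(s), str(d)) for _, s, d, p in records
                   if p == 445 and d in ot and s not in ot})
```

On the constructed flows, 10.10.5.7 is flagged for fan-out and all six of its sessions are also cross-segment, while the single SMB session between two hosts in the same IT subnet is not reported.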

The Vectra 2018 Spotlight Report on Manufacturing

The 2018 Spotlight Report on Manufacturing delineates the many attack types and behaviors that the Cognito platform captured. The Cognito threat-detection and hunting platform monitored traffic and collected rich metadata from more than 4 million devices and workloads in customer cloud, data center and enterprise environments to reveal the cyberattacker behaviors.

Cyber attacks on manufacturers increased in severity from January to June 2018 based on data that the Vectra Cognito platform collected. The Vectra report confirms that all manufacturing industries are at equal risk of cyberattacks.

To learn about other findings pertinent to your Industry 4.0 cybersecurity risk, download the 2018 Spotlight Report on Manufacturing.

Christopher Morales is the head of security analytics at Vectra, a San Jose, Calif. cybersecurity firm that detects hidden cyberattacks and helps threat hunters improve the efficiency of incident investigations.


2 thoughts on “TSMC WannaCry infection forces shutdowns, financial losses”

  1. George Storm

    First, an aside: I remember the time when companies trumpeted “synergy” and “convergence” as reasons to do things. To me, such blasts were indicators to sell any shares I might hold. Then my employer, who was responsible for twenty+ years of transferred-in pensions, jumped on that bandwagon, ‘acquiring’ a larger company in a vaguely related field. Ouch – and yes, they rapidly became the beneficiaries of an opportunistic cut-price takeover; and no, that part of my pension has not recovered.

    Maybe I should already have added “IT integration” to the list of warning signs. TSMC probably had very good reason to integrate; however, such integration brings with it requirements for powerful gate-keepers, for internal as well as external transactions.
    And: yes, our network does have an online malware transfer monitor (actually more like an internal security guard, but what’s in a name); this is in addition to the usual hardware firewalls and to running various industry standard checks on many local hosts. My view: when it comes to IT, fortune favours the paranoid.
