Security, Bookmarked

Manufacturing

Episode Summary

A chemical manufacturing company grinds to a halt when a cyberattack locks up their assembly line — and exposes a century-old trade secret to the highest bidder.

Episode Notes

A chemical manufacturing company grinds to a halt when a cyberattack locks up their entire assembly line. Kurtis Minder, a renowned ransomware negotiator, answers their call for help and explains why manufacturing companies are uniquely vulnerable to these kinds of disruptive attacks. Then David Adrian from Chrome chats with Kate about how a web-focused strategy can help manufacturers transform what are commonly thought of as massive vulnerabilities into secured points of access and visibility.

Episode Transcription


Kurtis Minder: The bad guys like to attack over holidays, so it's really not fun for me...

Kate Fazzini: That’s Kurtis Minder, a renowned ransomware negotiator.

Telling me about a time when he picked up an emergency call on a major holiday.

Kurtis Minder: The initial call is always very emotional as you can imagine. Even in the large companies, you know, you may have a board room of people, but… it's very emotional.

Kate Fazzini: On the other end of the call was a chemical manufacturing company who’d been locked out of their own assembly line.

Kurtis Minder: They had a complete operational interruption so they couldn't manufacture their product.

Kate Fazzini: Costs can add up quickly when a cyberattack delays a game studio’s next release or leads to a data breach at a bank.

But when attackers shut down a manufacturing line that’s part of a global supply chain, you can almost see the money circling the drain.

Kurtis Minder: They were losing millions of dollars a day in revenue.

Kate Fazzini: And for this chemical manufacturer — like with any business shut down by ransomware — the losses went way beyond a few days of missing shipments.

Kurtis Minder: I call it the ransomware blast radius; it's like, we know the basic impact, it's operational interruption, but what about these other things?

And so that's cost of goods going bad, supplier confidence; that's, "Hey, wait, you didn't make payroll for two weeks?"

The attrition that just occurred, what did that cost you? Those are all part of the fairly complex equation on, on total cost of impact.

That formula, if you will, kind of helps us decide on whether to pay a bad guy or not, or to engage a bad guy or not.

Kate Fazzini: In this case, after finishing this exhausting analysis with Kurtis, the company decided to pay the ransom.

Kurtis Minder: And my job as a negotiator is to make sure we don't pay the price on the window (chuckles), on the sticker.

Kate Fazzini: Before long, the systems were back online. Products were going out the door again and Kurtis was helping the company recover.

But when he sat down with the company’s CISO, he heard something that changed how he thought about the industry.

Kurtis Minder: He said, "Kurtis, here's my biggest concern. We have been the manufacturer of this particular product for almost a hundred years. And the way that we manufacture this product and the materials we use to manufacture this product are our trade secret.

I am concerned that that information has left the building and I won't know about that risk for some time until a competitor of mine makes the exact same product in five years from now and puts me out of business."

Kate Fazzini: From Bloomberg Media Studios and Chrome Enterprise, this is “Security, Bookmarked.”

I’m your host, Kate Fazzini. I’ve been a cybersecurity professional and journalist for over 20 years. And on this podcast I’m talking with leaders in gaming, finance and manufacturing about what security looks like in a workplace that’s moved to the cloud.

In 2023, ransomware attacks against manufacturers and other industrial companies increased by 50%. And since 2019, cybersecurity incidents targeting operational technology have risen exponentially.

So today I’m speaking with Kurtis about why manufacturers are facing more ransomware attacks than ever, and how AI is amplifying threats and offering new defenses for cybersecurity leaders.

Kurtis Minder: I'm the founder of GroupSense, which is a digital risk protection company. I'm also lead ransomware negotiator at GroupSense, and I have about 30 years in what's now just called “cyber.”

Kate Fazzini: Then I’ll chat with David Adrian, Security Product Manager for Chrome, about how a web-focused strategy can help manufacturers secure the connection between their IT and their OT.

Kate Fazzini: The job title of “ransomware negotiator” is still fairly new. But Kurtis has been dealing with cyberattackers since the early ‘90s, when he worked on systems for an internet service provider.

He’s seen pretty much every kind of ransomware scenario you can imagine.

Kurtis Minder: Incidents where the victim has started the negotiation before we showed up and has made some very, very novice mistakes…

We've also had incidents where we're in the middle of the negotiation and the threat actors get back in and do more damage.

Where there was some confidence from the victim that, "Hey, we've got the doors locked. They can't get back in," and they were wrong about that. And that causes issues.

Kate Fazzini: Going back to his ransomware story, Kurtis couldn’t reveal exactly how the attacker got in, but he told me they didn’t have to be very creative.

Kurtis Minder: One of the things that, that is frustrating for us is that at the end of this, we're taking stock on how the threat actors gained access.

And it can be distilled down into, like, seven to eight sort of preventable things.

Kate Fazzini: Strong passwords. Multi-factor authentication. Staying on top of your updates and patches. Securing remote access. These are just a few of the things Kurtis considers low-hanging fruit for any company.

Kurtis Minder: They're trying to gain access to your systems as cheaply and as efficiently as possible, and so they're not buying zero days on the dark web to break into your… (chuckles) to break into your network, because they don't have to.

They can use some very simple mistakes in cyber hygiene or processes to gain access and often that is the case. It is something fairly simple to gain the initial access, and then once they're in they're very good at expanding their access and pivoting.

Kate Fazzini: Later in the episode I’ll chat with David Adrian at Chrome, about how a web-focused strategy can secure that point of access — but first, I’ll hear more from Kurtis, about his experiences helping manufacturers recover from ransomware attacks and what he sees in the near future for enterprise cybersecurity.

Kurtis Minder: You know, when you talk about partners or constituents who lose confidence, in the manufacturing and supply chain space a lot of these companies have a fairly robust supply chain resiliency strategy, right?

And if one of your manufacturers in your supply chain stops producing, you've got a backup or two or three, and you might never, ever go back to that manufacturer.

When I'm talking to companies about how to prepare and respond to this in advance of an attack, I tell them that when the dust settles on an attack, you're going to need a tremendous amount of goodwill from your community.

And the quickest way to make that go away is to lie to them or make them think you're lying to them or withholding information.

And so their ability to address this quickly and also communicate transparently is so important.

Kate Fazzini: Yes, I’m, I’m so glad you’re saying that. I’ve seen the communication piece go so wrong, both as a practitioner and then as a reporter — even though that doesn’t have to be the case. So thank you for emphasizing that.

Now, going back to the start of your ransomware story, I want to ask something more simple: Why are manufacturers — and in particular operating technology itself — a target to begin with?

Kurtis Minder: Yeah, I think it, increasingly, like everywhere else in the world, the devices in manufacturing are connected and the reason why we're connecting them is data. We want to manage them. We want to optimize them. We want to look for errors and mistakes and things like that. And so as we’ve implemented technology to manage those manufacturing devices and connected those systems to the network, we've introduced a new attack vector for the bad guys.

Kate Fazzini: And it’s not just one attack vector, right? There’s this whole internet of things now, lots of new devices attached to the network. They’re all targets.

Kurtis Minder: Yeah, so in a manufacturing environment that is dealing with something that is sensitive to temperature control, the HVAC system is very important. (chuckles)

So the threat actors obviously have gotten better at this, they know that impacting those devices and those systems makes a bigger impact operationally.

And so HVAC systems and IP phone systems and product lifecycle devices? You lock one of those up and manufacturing stops. Things stop getting built.

Kate Fazzini: Yeah, it’s just devastating, and when you think about the kind of leverage that an attacker can get when they deploy ransomware on these operational devices, uh, it’s astonishing.

Kurtis Minder: Yeah, I mean, the threat actors have gotten better at learning how to disrupt our businesses, and… OT or ICS devices, industrial control devices, they are computers, they are running an operating system. It is typically not a normal operating system.

And so one of the challenges for organizations is, how do you secure those? And on top of that, those devices are often not managed by the IT staff or even the organization itself.

Sometimes, whoever is making these devices has a maintenance contract to manage those devices inside the network.

So you've got a third party who's responsible for keeping that device up to date and secure etc. And then you've got an IT staff who's responsible for the overall organization and it makes for an interesting dynamic.

That creates a sort of a paradox for the IT security folks in those organizations, as far as protecting those devices, and they are connected.

So that connectivity needs to be closely monitored and managed and also be minimalistic. So it, only the things that need to talk need to talk and that is it, right?

And keep it very, very tight.

Kate Fazzini: That’s great advice, thank you so much, Kurtis.

Now, you’re constantly reminding business leaders that they don’t want to have low-hanging fruit, that attackers have plenty of old tricks that still work. So, and I know you also do reconnaissance on threat actors, so looking to the future, do you see a change happening in the way cyberattackers are approaching their attacks?

Kurtis Minder: You know, I think having done quite a bit of analysis on this and my core company does a lot of work around intelligence, I think right now our biggest concern is synthetic content, so…

The phishing campaigns are more effective. The landing pages that they send you to harvest your credentials are more real; I'll just give you a quick example of one of those.

The threat actors will go to your management page of your company, and they'll pick out all the names of your board members. And then they will have AI generate a fake email thread between those people on a particular topic.

And it looks very, very real.

Kate Fazzini: Ok, that’s a new one. That’s new. I haven’t heard that before.

Kurtis Minder: Yeah, you're a mid level finance person.

And then suddenly you're looped in on this email thread by a board member.

And they say, “Hey, we need you to do this.” And you scroll back and you look at, “Oh my gosh, it's the board. They're, you know, I feel important! I'm going to do this thing right away. I'm not going to ask any questions....”

We've seen evidence of that. And the AI makes that very easy for the bad guys to do, to create this sort of synthetic content that looks very, very real to the average person, and create sort of a social pressure in the email chains and things like that.

Uh, and I say that in lieu of, “Are the bad guys using AI to write custom malware?” Not yet. We haven't seen any in the wild yet but it is plausible that AI can write, you know, polymorphic malware for bad guys, but primarily they're not doing that because they don't have to.

Kate Fazzini: Exactly, it’s just totally unnecessary.

Kurtis Minder: Yeah. They're running a business and this is, it's just easier to trick you into giving your credentials or wiring money. That's easier and cheaper for them.

Where I do think AI will play a risk if it hasn't already is the volumes and volumes and volumes of data that have been collected.

You know, prior to generative AI, finding the needle in the proverbial haystack in that data was difficult and time consuming.

So, in some ways, we were, we were sort of protected by the fact that they have too much data. Right?

But now AI, they can, they can train a model in AI and say, “this is the kind of information that I'm looking for in this haystack.” And it will go find it for them in seconds. And that is dangerous.

Now, on the flip side, you could say the same on the defense. One of the biggest challenges that security teams have is log data. It's just huge.

They, they're finding a needle in a haystack too. AI can also help with that, right? AI can help them find the bad guys quicker.

Kate Fazzini: So I’m just thinking that, that what we know about technology and how it’s always part of this race between attackers and their targets… What do you say to CISOs who maybe feel like they’re losing this race, especially when it comes to AI?

Or maybe to put this another way… We often know the first steps an attacker will take to compromise your business. What’s the first step a cyber security leader needs to take so their operation can stand up to that risk?

Kurtis Minder: Yeah, so cyber risk and mitigating cyber risk is a top down thing for organizations. I think that it does start with culture and education for the greater staff. That is step one. Is, is understanding that, you know, cybersecurity is not an overhead. It is a fundamental, operational part of the business.

When we start talking about how to mitigate these risks, there's a very well known set of cyber best practices that all companies should use. That said, you should also assume that that's not always going to work. What organizations can do and manufacturers specifically can do is put in place a response and mitigation strategy that contains these things quickly.

Kate Fazzini: The AI-assisted phishing emails that Kurtis told me about, the warning that attackers will eventually breach your perimeter, these reminded me that the first step of so many cyberattacks is using your own accounts against you.

David Adrian: Step one is like, if an employee doesn't have access to something, they can't leak it, right? Whether intentionally or because their account was taken over by an attacker or otherwise. So, you know, strong access control sort of limits the problem down.

Kate Fazzini: That’s David Adrian, Security Product Manager for Chrome.

When I brought up the equipment that attackers can target after they gain account access, David took a step back and looked at the overall posture.

He explained how the network connections that make them vulnerable could be transformed into points of defense.

David Adrian: I saw some research recently about, we'll call it industrial control systems or ICS systems, these sort of factory floor management systems...

And it was saying that the core sort of ICS protocols, you weren't really seeing them online as much anymore, which is good because these protocols don't really have any security in them.

Kate Fazzini: Right, right.

David Adrian: But they do expose a web interface. HTTP configuration pages for this equipment for managing factories or other industrial control systems or other manufacturing processes.

It's bad if these administration pages are accessible, but it's good because it kind of shapes the problem from, how do I secure this old protocol that wasn't built for security, that's confusing, that's used for somewhat niche applications for like managing centrifuges or whatever it is that you're using in your manufacturing process...

And instead it just boils down to limiting access to websites on the front end, and then sort of strong network segmentation on the backside.

And you can build access controls on top of a system that was never built for this in the first place, right? By just routing all of the traffic and all of the access through an enterprise browser.

Kate Fazzini: I think if you were talking 10 years ago, you might say you wanted the OT and IT systems to be not connected at all, or that you would want an OT system never to connect to the Internet.

Talk to me a little bit about why with the way that we work today, that's not as, as realistic.

David Adrian: Yeah. Air gapping sounds nice in practice. But in reality, systems end up needing to be connected directly to the Internet or to some other network that is then connected to the Internet. And so it makes way more sense to adopt these sort of zero trust approaches where each device is behind its own sort of authentication proxy. And then you access the configuration pages through the web browser, through the enterprise browser and you leverage everything that's built into the enterprise browser…

And then you can do that without any of these devices actually needing to be updated to understand all of these, sort of, modern authentication and device authentication protocols.

Kate Fazzini: That's the point that I think is really important because so many conversations about OT devolve into, “Well, you can't keep updating all of these different operating systems all of the time and, you know, it's just never going to get better,” but then another layer of security on top is what's helpful.

David Adrian: Absolutely. Or alternatively, if you somehow made a mistake and there is a way to access sort of the configuration or the management of some OT device, that doesn't go through the browser, then hopefully that's a lot more obvious and a sign of, like, immediate concern because commands are getting sent or configuration is being pushed to some device on the manufacturing floor and isn't corresponding with some sort of known employee login, like this is a red flag.

Kate Fazzini: And it's an instantaneous red flag, too.

David Adrian: Absolutely. So one thing you get from Chrome Enterprise is sort of real time reporting and analytics of what all of your users are doing. And if you have strong authentication of all of your users, you know they're your employees, then if you have, you know, corresponding visibility on the, say, factory floor, manufacturing floor, that isn't aligned with what you're seeing out of the Chrome browser, then you know, well, something is wrong.

Something is accessing something on the manufacturing floor, and it's not going through one of my managed browsers. And that's an immediate red flag.

Kate Fazzini: So David, just looking forward, as technology improves, we’ve seen a lot of new approaches by attackers using that technology and making it more sophisticated, so particularly attackers using AI to their advantage.

One example, which I had never heard before, was an attacker using Generative AI to create a very realistic email chain that included, basically, spoofs of the target’s bosses and even board members, and then, after that, they looped the target into the email.

David Adrian: In this type of situation with this sort of AI phishing email, it sounds more like they're trying to trick the user to go to a legitimate site and do the wrong thing.

And I think the best way to defend against that is to make sure that your organization has processes in place for doing things that are sensitive. And then once you have those sort of processes in place, these sort of steps in your workflow that get pushed to some sort of application in the browser, is then another opportunity to have someone else verify that, yes, this is actually the business process we expected.

And so as you start to route these business processes through web apps, through the browser, then every single step in the process where you do that is a step where you can secure it, in the sense that you can make sure that the people participating in it are actually your employees and give more people an opportunity to identify when something is going wrong.

Kate Fazzini: This is a really cool way of looking at it too, I think from a security person's point of view where, you know, you have this visibility now that we didn't have before. You can see each step of a compromise or each step of an attempt to breach.

Now you can also see each step of the pre-breach, the pre-boom scenario, in a way that's really systematic, that’s actually really exciting.

David Adrian: Yeah, in the modern web-based workplace that we’ve all become accustomed to, we do have a lot of great opportunities to solve enterprise security problems that have plagued companies for years.

Using a managed browser like Chrome Enterprise can be a critical component of these solutions. But I think we’re really understanding that there’s a leadership aspect to cyber security that’s absolutely critical, as well, so —

I hope that we’ve been able to help leaders understand the direction that cyber security is headed in, and demonstrate how much companies can benefit from setting up their teams with protections that take into account the way that we all work on the web.

Kate Fazzini: To learn more about how the most trusted enterprise browser can help protect your organization, visit chrome enterprise dot google.

Security, Bookmarked is a podcast from Bloomberg Media Studios and Chrome Enterprise.

Check out our other episodes about cybersecurity in finance and gaming in your podcast app.

I’m Kate Fazzini. Thanks for listening.