That Time We Wound Up Interviewed by the FBI
If you’re not thinking about cyber security, you should be. We all know not to yell out our password to a crowd and strengthen our passwords beyond “password1”. But many of us tend to think of cyber security as more nuisance than necessity.
Let us tell you our story:
This fall, we were targeted in what we now know is called a “spear phishing” attack. You’ve heard of phishing of course – the Nigerian prince asks for a few hundred dollars, or that bank that you’ve never done business with needs you to click here to verify your credentials.
Spear phishing is a much more sophisticated version. These hackers put much more time and effort into this attack. Here’s how they almost got away with it.
- Targeting: The hackers researched our company. They knew we were big enough to have some money in the bank, but not big enough to have large bureaucratic systems and policies. They targeted only the two employees who work with our finances day to day. This virus did not spread throughout the network.
- Planning: The hackers did not take anything they could get their hands on. They got our banking login and password and set up a wire transfer.
- Timing: One of the two targeted employees was on vacation. More importantly, they set up the wire transfer for pay day. They hoped that we would verify the transfer out of habit, assuming it was just the paycheck withdrawals.
- Diversion: We first knew something was up when one employee found hundreds of spam emails in her account first thing in the morning. The other employee was on vacation; when her flight landed, she found thousands of emails. In that one day, those two employees received 14,000 emails – each. The hackers hoped that the deluge of emails would distract us from any bank emails about the transfer.
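The diversion step is the one a mail administrator can actually see in logs: two mailboxes that normally get a few dozen messages an hour suddenly get thousands, and the handful of legitimate bank notifications are buried in the flood. The following Python script is an added example, not code from the original post or from the company described; it runs over a small constructed log in an assumed, simplified one-line-per-message format (timestamp, recipient, sender, subject), flags any mailbox whose hourly inbound volume exceeds a baseline (the 50-per-hour figure is an assumption to tune per mailbox), and pulls out messages from a trusted bank domain that arrived during a flooded hour so finance can review them rather than find them later.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed, simplified log format (not any real MTA's format):
#   <ISO timestamp> to=<recipient> from=<sender> subject="<subject>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) to=<(?P<to>[^>]+)> from=<(?P<sender>[^>]+)> subject="(?P<subject>[^"]*)"$'
)

BASELINE_PER_HOUR = 50                      # assumption: derive from normal traffic per mailbox
TRUSTED_DOMAINS = {"examplebank.example"}   # constructed domain standing in for your bank


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


def analyze(lines):
    """Return (flooded, priority):
    flooded  - {(recipient, "YYYY-MM-DDTHH"): count} for buckets over the baseline
    priority - records from trusted domains that landed inside a flooded bucket
    """
    per_hour = Counter()
    records = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        bucket = (rec["to"].lower(), rec["ts"].strftime("%Y-%m-%dT%H"))
        per_hour[bucket] += 1
        records.append((bucket, rec))
    flooded = {b: n for b, n in per_hour.items() if n > BASELINE_PER_HOUR}
    priority = [
        rec for b, rec in records
        if b in flooded and rec["sender"].rsplit("@", 1)[-1].lower() in TRUSTED_DOMAINS
    ]
    return flooded, priority


# Constructed sample log: normal traffic for one mailbox, a 120-message flood plus one
# genuine bank notification for the other. Names, domains and the date are made up.
SAMPLE_LOG = (
    ['2015-10-30T07:55:02 to=<controller@example.com> from=<vendor@supplier.example> subject="Invoice 4471"',
     '2015-10-30T08:40:11 to=<controller@example.com> from=<alerts@examplebank.example> subject="Statement ready"']
    + [f'2015-10-30T08:{i % 60:02d}:{(i * 7) % 60:02d} to=<ap@example.com> '
       f'from=<noreply{i}@promo-{i}.example> subject="Welcome to newsletter {i}"' for i in range(120)]
    + ['2015-10-30T08:31:47 to=<ap@example.com> from=<alerts@examplebank.example> subject="Wire transfer pending approval"']
)

if __name__ == "__main__":
    flooded, priority = analyze(SAMPLE_LOG)
    for (mailbox, hour), n in flooded.items():
        print(f"ALERT: {mailbox} received {n} messages in hour {hour} (baseline {BASELINE_PER_HOUR})")
    for rec in priority:
        print(f"REVIEW: {rec['sender']} -> {rec['to']}: {rec['subject']!r} (arrived during flood)")
```

The bank message sent to the controller's mailbox is not in the priority list because that mailbox was not flooded; it reaches her inbox normally. The point of the second list is only to keep the flood from hiding the one message that matters, which is exactly what the attackers were counting on.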
Luckily, we have a diligent finance team, and a great bank. The bank called to verify the transfer rather than simply using email verification. Our finance team asked about the exact amount and the destination and immediately realized that something was amiss. The bank stopped the transfer.
Although the transfer was stopped, our IT team immediately responded to mitigate any other risks. Here’s what we did:
- Took all sensitive information offline. This is, of course, standard protocol. We did this from the moment our eyebrows raised at the spam inundation.
- Hired a cybersecurity consulting firm, immediately. We are still working with them. They confirmed that we were doing all the right things, but now we will be adding extra layers of security to our system.
- Two-factor authentication for bank log-ins. There are three possible factors of authentication:
  - Something you know – password, PIN, your mother’s maiden name, etc.
  - Something you have – a card, a key, etc.
  - Something you are – your fingerprint, your retina, your hand geometry
The least secure systems involve only one factor: a username and password are both something you know. Your debit card, for example, is two-factor – you have your card and you know your PIN. Our bank set up two-factor authentication by adding a keychain with a rolling passcode. So now, our finance team uses something they know and something they have. Many banks offer this or are implementing it, so ask your bank. Be aware that username/password plus a security question is still just one-factor authentication. Even though it’s two steps, both only involve something you know – and something a hacker could potentially learn.
- Contacted the police, who put us in touch with the FBI. Turned over all our information to the FBI. They are analyzing the virus and our hardware to track down who the perpetrator is and exactly how they got in. (That’s how we found ourselves being interviewed by the men in suits. Yes, he was exactly as straight-laced as you imagine, but he was also incredibly knowledgeable and helpful.)
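To make the "something you have" concrete: the keychain's rolling passcode is normally a time-based one-time password, where the fob and the bank share a secret seed and both derive the current six-digit code from it and the clock. The Python below is an added example (not the bank's or the company's code, and not any particular vendor's token) implementing HOTP (RFC 4226) and TOTP (RFC 6238) and a login check that requires both a password and a current code. The seed, salt, username and password are constructed; the seed is the RFC test secret so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference seed (ASCII "12345678901234567890"); a real token is
# provisioned with a random seed that only the fob and the bank hold.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): dynamic truncation of HMAC-SHA1(seed, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second periods since epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, digits=6, window=1):
    """Accept the code for the current period or `window` periods either side (clock drift),
    comparing in constant time so timing does not leak which digits matched."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


# Constructed user record: the password ("something you know") is stored as a salted
# PBKDF2 hash; the seed ("something you have") lives in the employee's key fob.
SALT = b"constructed-salt-not-for-real-use"


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


USERS = {
    "finance": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_seed": RFC_TEST_SECRET,
    }
}


def login(username, password, code, at_time=None):
    """Both factors must pass. A stolen password alone (the spear-phishing case) fails here."""
    user = USERS.get(username)
    if user is None:
        return False
    knows = hmac.compare_digest(hash_password(password), user["pw_hash"])
    has = verify_totp(user["totp_seed"], code, at_time)
    return knows and has


if __name__ == "__main__":
    now = time.time()
    print("code on the fob right now:", totp(RFC_TEST_SECRET, now))
    print("password only, guessed code:", login("finance", "correct horse battery staple", "000000", now))
    print("password + current code:   ", login("finance", "correct horse battery staple", totp(RFC_TEST_SECRET, now), now))
```

The `window` of one period on each side is the usual allowance for a fob whose clock has drifted slightly; widening it makes drift less of a support problem but gives a captured code a longer useful life, so it is a deliberate trade-off rather than a free setting.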
We are continuing to educate our team in cyber security on the plant floor. A few of us recently attended the Siemens forum on cybersecurity on the plant floor. Here’s what we learned:
- Intentional hacks of industrial facilities are becoming more prevalent. You might have heard of the Stuxnet worm that entered Iran’s nuclear facilities. That worm targeted Siemens S7-300 PLCs. Stuxnet changes the programmed logic, causing the equipment to malfunction. It can destroy a production line, causing financial and physical harm.
- Even if the system isn’t connected to the internet, malware can enter the system when transferring files via thumb drive. Most people are very lax about their cyber security at home, but then they use the same USB drive for pictures of their kids as they do to transfer work files. Those viruses can enter a home computer and remain undetected until they enter a facility through a PLC.
- Intel is developing cyber security hardware, software, and services in conjunction with Siemens specifically for industrial applications. We are staying up to date as it rolls out.
Cyber Security Tips
Learn from our experience. A few tips to improve your own cyber security:
For your business:
- Ask for a 2-factor authentication system from your bank.
- Hire a cyber security firm to do a full audit of your system. We have been working with CBI, and we would recommend them. You can contact them here: www.cbihome.com
- Share tips with your employees, keeping them up to date on the latest scams and encouraging them to be very cautious about what they open.
- Information you post on social networks like LinkedIn and in job postings can be used by hackers.
  - Don’t be too specific about the technologies (firewalls, servers, etc.) you use when writing job postings.
  - Just like it’s best practice not to post on Facebook when you’re not home, don’t post on social networks when you’re going to be on vacation from work.
- Build strong security settings into your network.
  - Require complex network passwords.
  - Update infrastructure and firewalls vigilantly.
  - Limit network admin privileges. Too many unnecessary network permissions can allow malware to spread more easily throughout a network.
- Use a centralized anti-virus system, which enables your IT person to review all possible threats rather than waiting for something to be reported by each individual user.
For the plant floor:
- Implement a plant policy where only screened PCs can be brought into your facility. One of our customers has a network connection in the lobby, where a PC is screened before any visitor can take it on the floor.
- Update your operating systems. We gasp at how many of our customers still have Windows 95 or even Windows NT operating systems on their manufacturing floors.
- The “fortress” security model does not work! Adopt an “assumed breach” mindset and have more than one layer of security for your manufacturing floor.
- Keep separate USB drives that are only to be used on the plant floor.
- Remember that hackers usually are not looking to shut you down. What they are looking for is your proprietary manufacturing information. They will then sell this information to your competition! You may be hacked for years and never realize it.
- Get at least two audits a year for your manufacturing systems. Feel free to call us to arrange an audit.
At home:
- Install updates on your home system. Those pop-ups are annoying for a reason. Most of the updates are for security reasons, not just the new emojis.
- Try to do your banking and bill paying on a separate computer that is only used for that purpose.
- Use two-factor authentication for banking.