The Real Reason Behind the TSMC Cyber Attack
The computer virus attack at Taiwan Semiconductor Manufacturing Company (TSMC) in early August was the largest information security breach in Taiwanese history. It fully exposed the information security weaknesses at production plants as the manufacturing industry embraces the fourth industrial revolution, or industry 4.0, with increasing automation and data exchange.
By Sydney Peng
According to leading global cyber security company Trend Micro, long before the TSMC incident, two large manufacturers in Japan and the United States had their production disrupted by computer virus attacks in 2017 and 2018, respectively. How can individuals and companies respond to these latent threats now that the Internet of Things and smart cities have become all the rage?
“This incident gave us an opportunity to reexamine the situation,” says Laura Ho, TSMC chief financial officer and spokesperson. After the attack, which shocked the world, TSMC unrelentingly checked its firewall and all other cyber security software and management systems. “We had to make sure that the problems were found,” says Ho.
Since the computer virus infected machines on the TSMC production lines, production had to be halted at three plant locations for up to three days, causing a 2 percent revenue shortfall for the current quarter. Losses were estimated to have totaled up to NT$5.2 billion, making the attack the largest information security incident in Taiwanese history.
The details gradually came to light a few weeks after the attack.
How Could a Lapse Happen Despite an SOP?
As it turned out, a TSMC onsite operator did not follow the standard operating procedure (SOP) that requires new equipment to be scanned for viruses before being hooked up to the company’s intranet. “We have an SOP, but the operator at the site made a mistake, and that was it,” recalls Arthur Chuang, senior director of TSMC’s 300mm Fabs Facility Division.
Once the computer in the new production equipment booted, the WannaCry ransomware cryptoworm hidden inside immediately scanned the host computers on the same production intranet. It used the EternalBlue exploit against a flaw in the Windows 7 operating system to spread to and infect other TSMC plant locations in Taiwan.
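The propagation described above has a recognisable network signature: one newly connected host opening connections to many peers on the SMB port (TCP 445, the service EternalBlue targets) within seconds. The following is an added defensive example, not code from the article or from TSMC or Trend Micro; it runs a simple fan-out detector over constructed connection-log lines (the IP addresses, timestamps and log format are all assumed for illustration) and flags the one source that behaves like a scanning worm while ignoring an operator PC that talks to a single file server.

```python
"""Flag SMB fan-out: a single internal host contacting many distinct peers on
TCP/445 inside a short window, the lateral-movement pattern a WannaCry-style
worm produces on a flat production network.

Added example with constructed data. The flow records, addresses and the
"<ISO time> <src_ip> <dst_ip> <dst_port> <proto>" line format are assumptions
for illustration, not real TSMC telemetry.
"""
from collections import defaultdict
from datetime import datetime

# Constructed connection log. 10.20.5.17 is a freshly connected tool PC that
# sweeps twelve neighbours on 445 in about half a minute; 10.20.5.40 and
# 10.20.5.41 are operator PCs legitimately reaching one file server (10.20.5.2).
SAMPLE_FLOW_LOG = """\
2018-08-04T02:10:00 10.20.5.17 10.20.5.101 445 tcp
2018-08-04T02:10:03 10.20.5.17 10.20.5.102 445 tcp
2018-08-04T02:10:05 10.20.5.40 10.20.5.2 445 tcp
2018-08-04T02:10:06 10.20.5.17 10.20.5.103 445 tcp
2018-08-04T02:10:09 10.20.5.17 10.20.5.104 445 tcp
2018-08-04T02:10:12 10.20.5.17 10.20.5.105 445 tcp
2018-08-04T02:10:15 10.20.5.17 10.20.5.106 445 tcp
2018-08-04T02:10:18 10.20.5.17 10.20.5.107 445 tcp
2018-08-04T02:10:20 10.20.5.40 10.20.5.2 445 tcp
2018-08-04T02:10:21 10.20.5.17 10.20.5.108 445 tcp
2018-08-04T02:10:24 10.20.5.17 10.20.5.109 445 tcp
2018-08-04T02:10:25 10.20.5.17 10.20.5.2 80 tcp
2018-08-04T02:10:27 10.20.5.17 10.20.5.110 445 tcp
2018-08-04T02:10:30 10.20.5.17 10.20.5.111 445 tcp
2018-08-04T02:10:33 10.20.5.17 10.20.5.112 445 tcp
2018-08-04T02:10:40 10.20.5.41 10.20.5.2 445 tcp
"""


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, dst_port, proto) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port), proto))
    return flows


def find_smb_fanout(flows, window_seconds=60, min_peers=10, port=445):
    """Return {src_ip: peak_distinct_peers} for every source that reached at
    least `min_peers` distinct destinations on `port` within some sliding
    window of `window_seconds`. Repeated connections to the same peer (normal
    file-server use) do not raise the count."""
    by_src = defaultdict(list)
    for ts, src, dst, dst_port, proto in flows:
        if dst_port == port and proto == "tcp":
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        peer_counts = defaultdict(int)   # dst -> hits inside the current window
        distinct = 0                     # distinct dsts inside the window
        peak = 0
        left = 0
        for ts, dst in events:
            peer_counts[dst] += 1
            if peer_counts[dst] == 1:
                distinct += 1
            # Slide the left edge forward until the window fits.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old_dst = events[left][1]
                peer_counts[old_dst] -= 1
                if peer_counts[old_dst] == 0:
                    distinct -= 1
                left += 1
            peak = max(peak, distinct)
        if peak >= min_peers:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in find_smb_fanout(parse_flows(SAMPLE_FLOW_LOG)).items():
        print(f"ALERT: {src} reached {peers} distinct hosts on TCP/445 within 60s")
```

The thresholds are deliberately parameters: on a segmented network where tool PCs should never initiate SMB at all, `min_peers` can be set to 1 and the rule becomes "any SMB from the equipment VLAN", which is the check the SOP violation in the story would have tripped the moment the unscanned tool came online.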
While the storm over the incident quickly quieted down, the TSMC cyber attack is assured a place in the history books because it was the first large-scale cyber attack involving a manufacturing plant in the history of Taiwan’s high-tech industry.
At a time when Taiwan’s manufacturing industry is touting Industry 4.0 with great fanfare and scrambling to connect manufacturing equipment to the internet, the TSMC attack has fully exposed the vulnerability of factory information security.
“Now every factory is really scared, knowing that their own computers are outmoded and unable to fend off an attack,” says Bob Hung, Taiwan and Hong Kong general manager for Trend Micro.
As the whole world hypes the Internet of Things (IoT) and Industry 4.0, are Taiwan’s factories prepared to battle the new cyber security risks arising with these trends?
The WannaCry ransomware. Source: Shutterstock
Increased Cyber Security Risks in Smart Cities
Another hot topic in the high tech industry is smart cities. But the IoT devices required to connect, collect and exchange data in a smart city, such as surveillance cameras and sensors, also greatly increase cyber security risks.
In his book Click Here to Kill Everybody: Security and Survival in a Hyper-connected World published in September, U.S. security guru Bruce Schneier, a fellow at the Berkman Klein Center for Internet and Society at Harvard University, diagnoses the risk and security implications stemming from the spread of IoT devices.
In an article in the New York Times, Schneier points out that traditionally, computer users respond to the never-ending stream of security vulnerabilities by regularly patching their systems, applying updates that fix the insecurities: “This fails in low-cost devices, whose manufacturers don’t have security teams to write the patches.”
We talked to Trend Micro’s Bob Hung about how private users and companies can prepare themselves against the latent risks in the increasingly interconnected world of Industry 4.0 and smart cities. The following are excerpts from the interview:
Q: What is the difference between security threats in the IoT era and during the previous computer era?
A: In the past, we had personal computers and notebooks; now we have smartphones, all kinds of cloud computing, and apps, so we need to redefine how users can be protected. The common belief is that it is sufficient if the user installs anti-virus software, but we need to actually ensure protection at every level.
The TSMC incident is a case in point. No one expected a virus to spread from inside an internal machine, launching an attack from inside.
The TSMC attack was caused by ransomware. WannaCry, which emerged last May, immediately spread to more than 100 countries, affecting some 300,000 computers. It existed in 29 language versions right from its release because ransomware must display a text message telling you how to make [ransom] payments.
Therefore, its creators prepared for the virus’ global proliferation from the start and made sure that everyone understood how to pay the ransom. It was the very first self-propagating virus.
TSMC Not the Only Victim, Boeing and Honda Hit Too
Q: Ransomware infiltrating a chip factory...was this a targeted attack?
A: They were not intending to hit factories. The ransomware creators’ goal was money. But after the virus entered, the factories would not pay ransom because once it had infected the system, the virus encrypted and locked the database (to blackmail business owners). Without access to the data, the production lines automatically came to a halt. Therefore, the damage had already been done when the virus entered.
People discovered after WannaCry that they had up to that point mistakenly believed that factories weren’t a problem, realizing only then that factories are a major problem.
In the past, factories were not automated and not connected to the internet. But after [the advent of] Industry 4.0, Industrial IoT and edge computing have become musts. Things that were non-issues in the past now hold the potential for disaster.
TSMC is not the first such case. In 2017, the Japanese carmaker Honda was attacked to such a degree that more than 1,000 vehicles could not be produced. This March, Boeing was also hit by WannaCry, causing the suspension of a production plant.
Q: Why are the cyber security defenses of factories so vulnerable?
A: Simply speaking, it is first because a lot of manufacturing information equipment is based on Wintel architecture (just like office computers) that has been in use for almost 40 years. Yet factories care about output, yields and efficiency. While there are also information technologists on the factory floor, their main job is to guarantee a smooth, uninterrupted production process.
You are prompted to update the operating system after taking great pains to adjust [the production line] to optimal production parameters. What if this ultimately affects your yield?
Then there are unclear responsibilities. We all know that companies have factories and offices. The office area is in charge of IT, but can the IT people also take charge of the factory? Normally it’s the factory manager who is in charge there, but who is in charge of IT security differs from company to company.
Computers Can be Replaced Every Three Years but Not Manufacturing Facilities
Second is outdated [equipment]. Computers can be replaced every three to five years, but factory production facilities are very expensive and have long depreciation periods; they can be used for five to ten years or even longer.
At the time [of their replacement], their computer operating system is still the non-updated version from ten years ago because the equipment supplier tells you: ‘That’s what I’ve given you; if you make any alterations, I can’t provide a warranty.’
We can establish how many machines a plant has, but it is very difficult to know exactly how many computers there are because nowadays multiple computers are embedded in machines. There could be eight computers in one machine. So which computer is causing trouble? It is very difficult to solve such problems.
Very often the original manufacturer does not exist anymore (having ceased operations), but we are still using their equipment, so how are we going to update the system?
These two issues are inseparable, and that’s a big problem.
Q: Factory Internet devices belong to the Industrial IoT. Are the security risks for other IoT devices such as those in the field of smart cities as high?
A: As long as it is an Internet device, there are loopholes that can be hacked. The problem is that IoT devices cannot even be patched. In the past, IT people were aware that software development followed a certain procedure, that loopholes had to be avoided, and that they needed to know how to install updates. But people involved in the IoT are not necessarily IT savvy.
Can you imagine how people who manufacture cars, air conditioners and refrigerators go about dealing with the IoT? They use a few reference design microchips, add open source software or firmware, and then install apps for remote control; then [whatever it is] becomes an intelligent device.
Is Your Webcam at Home Really Safe?
On October 21, 2016, the U.S. East Coast saw the largest DDoS (distributed denial-of-service) attack in history, with an attack strength of 1.2 Tbps. In the past such attacks peaked at Gigabit rates, but this time it was more than 1 terabit [per second], directly taking down telecom operators, which in turn interrupted 75 internet service providers.
This time, the hackers attacked a loophole in surveillance camera (IP camera) systems with an enormous amount of traffic, at one time gaining control over tens of thousands of cameras. Then they used these IP cameras to attack the telecommunications companies.
Before, we all felt that the worst that could happen to IoT devices was at most a disruption in case of an extraordinary attack. But this case made us reconsider, given that the hackers’ target was not the device, but actually using the device to attack others.
This is a real headache because it is not possible to patch security vulnerabilities in most of the IP cameras where loopholes were exploited. This is also the biggest problem of the IoT, which not only affects private individuals but exposes infrastructure, cities and nations to danger.
I am afraid that web cameras, which are becoming more common in private homes, also constitute a cyber security vulnerability.
Why are Hackers So Fond of the IoT?
Hackers love IoT devices because they are connected to the Internet round the clock, they use open source or reference design, and most of them lack defense mechanisms. Such attacks are also cheaper than attacks on computers, and, most importantly, no one keeps an eye on them (the devices).
Assuming hackers use the cheap IP camera in your home to attack someone else, then it is as if they were acting in a no-man’s land.
Given that there are so many things in a smart city, the question of whether the government should be in control poses a major problem. I’ll give you an example: A device maker told me that a surveillance camera now costs NT$1,000. If a camera that is installed on top of a billboard needs to be repaired, the cost for using a crane to get up to the camera alone is NT$20,000.
This is a very real problem. If no one thinks about the future, there will be no people and no money to deal with these ubiquitous devices.
Translated by Susanne Ganz
Edited by Tomas Lin