In Las Vegas on September 10, workers at MGM Resorts scrambled to figure out what was happening with the computer systems as guests increasingly lined up at the front desk. They soon realized they were at the start of what was to become a massive cybersecurity breach.
Meanwhile, down the road and off the Las Vegas strip, exhibitors had been setting up at the Las Vegas Convention Center for PACK EXPO Las Vegas, one of the largest gatherings of packaging companies from around the world. From September 11 to 13, several presentations that had been previously planned for the expo were to focus on how companies can protect themselves from cybersecurity threats.
“The MGM breach was a popular topic among everyone at PACK EXPO Las Vegas,” says Andy Lomasky, senior director of information technology (IT) at PMMI, The Association for Packaging and Processing Technologies, which is the primary sponsor of the expo. “For most, I think their initial reaction was shock at how widespread the breach had become and how quickly the damage had progressed.”
Large Losses at MGM
The attack forced MGM to shut down IT systems in response, disrupting slot machines, interrupting hotel bookings, and requiring hotel workers to check in guests with pen and paper, while also affecting MGM operations companywide, according to an October 5 article in The Wall Street Journal (WSJ). After MGM worked through the initial chaos, it told WSJ that it expected the breach to have a more than $100 million negative impact on its quarterly earnings. While systems eventually returned to normal, MGM took a hit with hotel occupancy throughout September and into October. And it had to pay about $10 million in legal and other fees because of the breach.
The hotel chain refused to pay the ransomware the hackers demanded, WSJ reported. That decision is consistent with recommendations from the Federal Bureau of Investigation (FBI), which is investigating the MGM attack. “The FBI does not support paying a ransom in response to a ransomware attack,” according to a statement on the FBI’s website. “Paying a ransom does not guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
As a cybersecurity expert, Lomasky says he and others watched with interest as the catastrophe spread in real time over the course of PACK EXPO. “What initially presented as long check-in lines grew to include multiple system outages as the week went on such as the inability to charge credit cards, slot machines presenting error messages, and even the in-room TVs going offline,” he says. “As the week progressed, conversations shifted from the immediate impacts on guests to how long it would take MGM to restore its systems or whether or not they would pay the ransom to get back online.”
Manufacturers at the show soon found themselves asking those same questions, he adds. “How long would it take for them to recover if they were attacked?” Lomasky says. “Would they pay the ransom if they were unable to recover on their own?”
The answers to such questions might be rooted in how well a company prepares in advance of a severe breach, an issue Lomasky presented to attendees during seminars at the PACK EXPO. In one presentation, Lomasky urged companies to conduct simulations called tabletop exercises, where they pretend a breach has happened and observe how all of the key managers and rank-and-file workers react. Those scenarios can then allow company leaders to fine-tune their plans. But the training should start long before a breach, he adds.
“In MGM’s case, the initial breach was perpetrated using a fairly simple technique. The attackers called an MGM employee pretending to be the MGM IT help desk,” Lomasky says. “The employee provided their account password to the fraudsters and that allowed the attackers to gain access to MGM’s systems. Once they were in, they were able to deploy the ransomware payload to start encrypting systems.”
Lessons for All
As he learns more about what happened at MGM, Lomasky says, he will tell the story in future presentations about how the attack was conducted and what fundamental security controls and mechanisms could have possibly prevented the breach. “There are lessons to be learned from this and every breach, regardless of the industry,” he says. “This particular breach will become part of future presentations given how high profile this incident has become in the mainstream media.”
Some of the tips he currently discusses in his presentations include:
- Provide security awareness training to employees, which helps to educate staff on how to spot cyberattacks and is the primary defense against the initial attacker’s point of entry.
- Enable multifactor authentication on all accounts, which can prevent attackers from gaining access, even if they obtained the employee’s password, because the employee is prompted to verify the access request.
- Employ threat detection and network intrusion software, which enables technology teams to respond quickly and isolate threats before they become widespread and begin shutting down systems and networks.
- Use a zero-trust architecture, which can ensure access to key parts of a network is not allowed without verification or administrative credentials.
- Review and update your incident response plans.
“And, if you haven’t documented a formal response plan, then get started,” he stresses.
Lomasky cites several breaches that involve companies from different business sectors to illustrate his points.
Manufacturing companies are more susceptible to cyberattacks because of the nature of their operations with interconnected systems that span across IT and operational technology (OT), Lomasky says.
“Unfortunately, there is no shortage of examples of packaging-specific companies that have fallen victim to cyberattacks,” he says. “In 2021, WestRock announced that it was targeted in a ransomware attack that impacted both its IT and OT systems.”
In that same year, a major glass and metal packaging manufacturer, Ardagh Group, was the victim of a cyberattack, he adds.
“Manufacturers, unfortunately, have a big target on their back simply because of how our industry works, and it’s something the entire industry needs to be aware of and pay attention to,” Lomasky says. “Especially with the rise of the Internet of Things and the increasing volume of devices connected and data flowing across networks. This simply means that manufacturers have a larger potential attack surface and a greater footprint that requires protection, making it that much more difficult to protect absolutely everything.”
The case involving retailer Target Corp. was a high-profile breach caused by a contractor working on a heating, ventilating, and air conditioning (HVAC) control system having their credentials stolen, he says. Target had not properly segmented its network to fully isolate financial systems with critical data from noncritical systems like the HVAC one that was breached, he says. The lesson is that proper network segmentation and protection of the most critical assets are crucial.
With Equifax, the breach compromised the personal data of 150 million Americans. “The cause was Equifax’s failure to patch an outdated piece of software on one of its websites, which allowed attackers to gain access to Equifax’s internal servers and further access other systems on Equifax’s corporate network,” Lomasky says. The lesson, he adds, is keeping up with software and security patches on a timely basis.
If companies do not make smart investments in protecting themselves and preventing cyberattacks early on, they could face major business and supply chain disruptions in the future or could risk shutting down entirely as MGM and the other cases illustrate, he says.
“In truth, every example of a cyberattack at companies of all industries and sizes contains lessons that the packaging industry can learn from,” Lomasky says. “I would like to highlight how important the issue of cybersecurity is to the packaging and processing industry. It is a real threat to businesses large and small, every day.”
He adds that companies should seek assistance if they need it. “Manufacturers should not be afraid to ask for help with cybersecurity if they are not sure what the best tool or investment is or where they should get started,” Lomasky says. “There are lots of experts out there, and we all share a common interest to protect the manufacturing industry, so don’t hesitate to reach out and get help before an incident happens.”
Thomas A. Barstow is senior editor at FlexPack VOICE®.