By Thomas Skoog, CISA, CISSP, Principal at Blue & Co.
The manufacturing industry has seen a larger increase in the number of cyber attacks and data breaches than any other industry in the last 18 months.
According to IBM’s X-Force Threat Intelligence Index study, the manufacturing industry accounted for 25% of all cyber-attacks, outpacing the finance and insurance industries for the first time in five years.
Per the 2021 Verizon Data Breach Investigations Report, manufacturers reported more than 2,000 incidents and over 300 data breaches, and small manufacturers represented twice as many data breaches as larger companies. These numbers from the Verizon report represent only those companies that have reported breaches. The number is most assuredly much higher.
Threats, Vulnerabilities, and Emerging Issues for Manufacturers
Of the ten most common methods that cyber criminals are using to infiltrate manufacturing systems and networks, exploiting vulnerabilities in software, firmware or hardware accounted for just under half the attacks.
Forty percent of these vulnerability attacks were delivered via email phishing.
This means two things:
1. Individuals responsible for maintaining these assets (PCs and servers, software, or firmware in manufacturing equipment, etc.) are not doing their job effectively.
2. Individuals are providing access to systems via the phishing emails, which indicates cyber training and awareness need to increase.
Other methods of accessing your systems include use of removable media, stolen credentials, or brute force.
Why is the Manufacturing Industry Being Targeted by Cyber Attacks?
So, a natural question is why manufacturing is such a target of cyber criminals. There are several answers to this question, including:
- Meeting production schedules and customer demand is vitally important to most manufacturers. This puts additional stress on ownership or management to get their systems back online as soon as possible. Therefore, they are more likely to pay a ransom to do so.
- With the ever-increasing internet connectivity of manufacturing equipment (Internet of Things devices) on the production line, the number of targets increases dramatically. There was a 3000% increase in the amount of IoT malware between Q3 2019 and Q4 2020.
- Manufacturing, possibly more than any other industry, has systems interconnected with their customers and their suppliers. This significantly increases the number of avenues cyber criminals can take to obtain access to their systems.
- Manufacturers have valuable intellectual property maintained on their systems, causing an increase in the type of individuals who can profit from accessing their network. While most companies are guarding against Eastern European criminal groups who look to profit from ransom payments or selling personally identifiable information, manufacturers must also guard against nation states whose proxy agents attempt to obtain intellectual property.
As an example of IP theft, Blue worked with a NE Ohio manufacturer that was the victim of intellectual property theft. They realized this when they lost a bid for one of their customers to a new Chinese competitor, who offered their product at a significantly lower price.
When the sales executive physically saw the competing product, he realized it was a duplicate of his company’s product. A forensic investigation confirmed that the company’s engineering network had been breached from an IP address in China, and the blueprints and bill of materials for the product had been downloaded.
Manufacturers face many types of adverse results from these attacks, including:
- A ransomware attack which encrypts many, if not all, of their systems, including manufacturing equipment (as experienced by Honda American Manufacturing in 2017 and 2020).
- Theft of customer data which the criminals will publish if a ransom is not paid.
- A combination of the locking of systems and theft of data resulting in two ransom demands.
- A distributed denial-of-service attack if the ransom hasn’t been paid expeditiously.
- Theft of intellectual property.
How Can Small and Medium-Sized Manufacturers Protect Themselves?
Cybersecurity is not a project with a start and end date.
It is a continual effort to combat adversaries that wish to profit from your organization’s assets including cash, customer lists or your research and development efforts in the form of intellectual property.
Truly effective cybersecurity is built around the idea of zero trust, layered defenses, and awareness of your system users. Larger companies have begun implementing cybersecurity frameworks from such organizations as the International Standards Organization (ISO 27001) or from the US National Institute of Standards and Technology (NIST 800-53, NIST Cyber Security Framework).
These frameworks are a roadmap for organizations to follow to implement controls to reduce the risk of unauthorized infiltration, ransomware infections, or data breaches.
However, it should be noted that implementing these frameworks in totality is not a sprint. It’s not even a marathon. It’s more like an Iron Man triathlon.
As such, your company should be assessing your cyber risks and implementing aspects of these frameworks that address the highest risks. Then, continue to chip away at implementing the controls within the framework that reduce the most risk to your business.
For small and medium-sized businesses, there are two things that you should become very good at. The first is patching your systems as soon as operationally possible.
As stated, 47 percent of attacks last year were taking advantage of technical vulnerabilities inside operating systems, application systems, or firmware within machines on the manufacturing line.
Second is training and awareness of your employees, customers, and suppliers. Of those attacks against technical vulnerabilities, roughly half were delivered via phishing emails. Train your employees to look for red flags within an email that indicate it is probably a phishing email.
Some additional items companies can implement with small to no financial investment include:
- Enforce strong password rules. Do not allow easily guessed passwords on your network.
- Reduce employee access to systems, remove administrative access from all employees, and limit it to IT.
- Encrypt your workstations and servers and disable USB drives if possible.
- Implement and maintain a good data backup plan and test the restorability of your backups a few times a year. Backups should be stored off site.
- Utilize two-factor authentication for remote access and for your system administrators.
- Develop an incident response plan and practice it. If you are breached, know what your first phone calls will be and what actions you can take to contain and eradicate the threat.
Blue & Co. has a cybersecurity practice that stands ready to help you assess your risks and recommend practical and pragmatic controls that will reduce your risk of a cyber-attack.
Contact our practice leader, Tom Skoog at firstname.lastname@example.org or 614-220-4131.