Cyber Risks In The Manufacturing Industry
The manufacturing industry is a foundational element in the global economy. It was innovating with new technology long before Silicon Valley ever existed.
Today, manufacturing is leading what the World Economic Forum is calling the fourth industrial revolution as manufacturers begin to adopt analytics, artificial intelligence, machine learning, and robotics. All of these are merging the biological, digital, and physical worlds in a way that creates both huge promise and huge cybersecurity risks at the same time.
Manufacturing and Cybersecurity: A Matter of Global Importance
The manufacturing industry is now considered to be a national critical infrastructure in many countries. As the industry integrates automation and other advanced technologies into its processes, cyber risks are becoming much more serious and consequential than ever before.
Against the backdrop of state-sponsored cyberattacks like WannaCry and NotPetya, which demonstrated how such attacks can cripple the manufacturing industry, the world is beginning to wake up to the threats posed by ‘smart manufacturing’ and its adoption of the internet of things (IoT) and new technologies.
Manufacturing sits at the nexus of a range of other strategically important sectors. These include the defense industry, health care, energy generation, vehicles, communications, the chemical industry, and the agricultural industry. Each of these industries is critical to the national and economic security of our country. Threats against manufacturing can have a huge impact on all of them, damaging safety, security, and health.
Despite this, no mandated cybersecurity compliance regulations exist for the manufacturing sector. Because the manufacturing industry is global in nature, this creates a global systemic risk to the industry. It’s essential that these cybersecurity risks are addressed over the short and mid-term.
Biggest Cybersecurity Risks to Manufacturing
The manufacturing industry faces many serious challenges in dealing with its inherent cybersecurity risks. These risks pose real dangers, but knowing and understanding them enables a manufacturer to develop a real plan for addressing them.
If companies adopt a risk-conscious and analytic approach to developing actionable strategies for addressing cyber risks, they can equip themselves with the tools to secure present and future success in the market.
1. Cybersecurity Breaches
Traditionally, manufacturing businesses have not stored much personal or sensitive information. However, that doesn’t mean that they are not a target of interest for cybercriminals. The adoption of IoT has made it easier for attackers to target them.
IoT devices widen the attack surface and give attackers more chances to breach networks and establish beachheads in IT infrastructure. Typically, attackers who target manufacturers focus on disrupting operations or stealing intellectual property. Both of these can lead to significant downtime, extensive material damage, and remediation costs.
2. Industrial Espionage
Intellectual property can include anything from trade secrets and customer or partner databases to manufacturing processes and even product proposals. Attackers want this information because they can sell it to more unscrupulous competitors who can save money on research and development. Those competitors use illegally obtained trade secrets to improve their own internal processes and launch similar products at lower price points.
Industrial espionage threats can also come from within the company, with either current or former employees stealing intellectual property.
3. Phishing
Like most other industries, manufacturing is vulnerable to phishing attacks. In a phishing attack, a malicious actor tricks recipients into opening an authentic-looking email and handing over some sort of sensitive information, such as a password.
Phishing emails typically have letterheads and signatures bearing the same branding as the organization. However, they are usually easy to spot because they often contain generic greetings like “Dear Supplier/Partner/Customer.” That way, they can be sent to many people.
4. Spear Phishing
Spear phishing is a more advanced form of phishing that targets a particular individual. Targeted emails are relevant and specific to the individual. For example, a Chief Financial Officer could receive a spear-phishing email about a specific invoice or payment that appears to come from the CEO. It instructs them to pay the funds to a specific company or bank account, tricking the CFO into making payment to an unauthorized third party.
In manufacturing, spear-phishing emails often attempt to trick the recipient into divulging login credentials and details about the organization’s industrial control/management systems, which the attacker then uses to try to gain access.
In some cases, attackers actively try to sabotage an organization's manufacturing capability by embedding malware into systems or supply chains to damage the integrity of manufacturing processes.
For advanced manufacturers who produce electronics, this can be serious. Imagine a router manufacturer that has been compromised by attackers who install malware into all of its routers. This can cause a loss of reliability, confidence, and integrity in the products, as well as large costs associated with remediating such an attack.
Ransomware, in which attackers maliciously encrypt your files and data and then demand a ransom to decrypt (unlock) it, is a threat to any industry, but it can be deadly serious for a manufacturing business reliant on its data to manufacture its goods. Being denied access to operational data for a prolonged period could potentially spell disaster for a manufacturer, which is why manufacturers are more inclined to pay the ransom and regain control of their data.
According to a recent report, manufacturers paid 62% of the total ransomware payments made to cybercriminals in 2019, and there have been some high-profile attacks in the news. In October 2019, a major manufacturer called Pilz was attacked with ransomware, and its IT systems were brought down globally for more than seven days. Even after it regained control over its data, it took more than a month to fully recover and get its IT back into operation.
Questions Manufacturers Should Be Asking Themselves
1. Are you investing enough money into cybersecurity?
While national governments and regulatory authorities have developed and outlined cybersecurity standards, there is not enough focus on manufacturers. The existing frameworks are not always a good fit for, or relevant to, the manufacturing industry.
Much research still needs to be done to establish a fitting framework for manufacturers. In the meantime, manufacturers should focus on maturing their cybersecurity capabilities and investing in cybersecurity solutions to cover employee training, software, and hardware. All of this can help the industry mature its cybersecurity posture while standards catch up.
2. Do you have processes and plans in place to deal with a cyberattack?
In a recent Education Endowment Foundation (EEF) research report, 34% of manufacturers stated that the managerial and technical measures needed to assess and mitigate a cyberattack did not exist in their organization. The problem with this is that without a defined response strategy, it takes much longer for a business to recover from an attack. This also increases the costs involved in dealing with an attack.
Manufacturers need to mature their processes to the point where they have a clear audit trail for cyber insurance and compliance in place should the worst-case scenario occur. They also need to put in place managerial plans to mitigate the effects of an attack on their organization.
3. Can manufacturers ignore the risk?
A cyberattack can cause major damage to manufacturing machinery as well as disrupt production. When Merck was attacked, it cost approximately $1.3 billion to rectify and crippled production for almost a month.
This level of disruption and losses would have mortally wounded a smaller company and illustrates how not investing in cybersecurity can be a lot more costly than making smart investments. Against this backdrop, manufacturing companies simply cannot ignore the risks.