Manufacturing is one of the most aggressively targeted industries for cyber attacks. Learn why the risk is increasing and what companies can do about it.
Attacks on other industries may make more headlines (take finance, retail, healthcare, or local government, for example), but the truth is manufacturing ranks among the verticals hardest hit by hackers. With incidents becoming more frequent and more damaging, there is increasing pressure to understand what makes manufacturing companies particularly vulnerable to cyber attacks, and what can be done to reduce their risk.
Source: EEF's Cyber Security for Manufacturing report
According to EEF's 2018 Cyber Security for Manufacturing report, 48% of manufacturers have suffered cyber attacks, with half of those victims sustaining financial or other business losses. NTT Security's 2018 Global Threat Intelligence Center report identified manufacturing as the fourth-most targeted industry, behind only finance, technology, and business and professional services.
As successful attacks have grown more prevalent, so too have the costs. The U.S. National Center for Manufacturing Sciences (NCMS) has pegged the cost of breaches in manufacturing between $1M and $10M. According to a report from MForesight, the Alliance for Manufacturing Foresight, some 400 manufacturers were attacked every single day in 2016, racking up over $3B in losses. In comparison, last year's NotPetya outbreak alone cost pharmaceutical manufacturer Merck more than $240M due to a shutdown in production, and $310M in total.
The primary goal in over 90% of malware aimed at manufacturers is espionage — cybercriminals attempting to steal intellectual property and trade secrets. In fact, according to NCMS, 21% of manufacturers have lost intellectual property as a result of a cyberattack, and more than 90% of data stolen by cybercriminals is considered “secret” or “proprietary.”
Cybercriminals are using a variety of methods to gather data, ranging from trojan/dropper variants (86%) to reconnaissance malware (33%) such as Formbook, which not only steals data but can also log keystrokes, swipe clipboard contents and sniff HTTP sessions, as well as execute instructions from a command and control (C2) server. In fact, in many cases, the initial malware infection merely opens a backdoor that connects to a C2 server, giving cybercriminals undetected access to slowly siphon data for as long as possible.
In most cases, it seems the hackers’ end-goal is ultimately extortion: threatening to sell trade secrets or expose the victim organization for alleged wrongdoings unless they pay up. For example:
More recently, the WannaCry outbreak highlighted the extremely high toll malware infections can take when they disrupt manufacturing operations. The ransomware was responsible for forcing a Honda plant in Sayama, Japan to halt production for an entire day, likely costing the company millions.
Over a year later, Taiwanese chip-making giant TSMC suffered a similar fate, when a WannaCry infection tore through unpatched Windows 7 machines, knocking out production for days and costing the company an estimated three percent of its third quarter revenue, or roughly $250 million.
The biggest risk factor for most manufacturers is a lack of investment in cybersecurity. Industrial control systems are often left unprotected, which is especially troubling as the move toward connected, Internet of Things (IoT) technology becomes more prevalent in the industry.
At the same time, the hyperconnected modern supply chain that links vendors, contractors, and customers not only introduces more entry points, but also the risk of exporting malware to vital business partners. Factor in the reality of most manufacturers running 24/7 with a complex combination of platforms and systems of varying ages — some of which are highly specialized — and it can be incredibly difficult to provide reliable, across-the-board security. Phasing out outdated systems and staying on top of patching isn't always feasible, and often has to be weighed against the risk of slowing down production or breaking something. As a result, criminals know many manufacturing companies are operating with systems and software that have any number of known and readily exploitable vulnerabilities.
More connections also mean that if malware gets in, there is a distinct risk of it quickly propagating across networked devices. Worse yet, nearly 40% of manufacturers don’t have an incident response plan in place, so if they are attacked, the likelihood of a quick response time to minimize damage is very slim. Cybercriminals could go weeks or months with free rein over the network before they’re even detected.
Because so many organizations lack complete security protocols, cybercriminals are able to use a variety of tactics to gain access to vital systems. Some have used scanning tools like Shodan to probe public-facing systems, find vulnerabilities, and exploit them. Others gain brute-force access by cracking user passwords, while the most common infection vector relies on good old-fashioned social engineering via phishing emails.
Like any other organization, manufacturers also face the “people factor.” The risk of insider threats, either through an accidental or intentional action, is a real concern. Malware can be introduced unknowingly from an employee who opens the wrong email attachment, or via privilege misuse by a disgruntled employee who intentionally infects the system or steals data or files.
With the threat level rising, clearly manufacturers need to take swift action to protect themselves against the disruption, espionage, extortion, and risk to competitive position that comes from cyberthreats. Here are several steps that can help give any organization a better defense profile:
© 2018 All Rights Reserved. Barkly is a registered trademark of Barkly Protects, Inc. | Privacy Policy and Terms of Service