As manufacturers continue to modernize their operations, deciding what processes can be automated and introducing new technology onto the shop floor, they’re also opening themselves up to increased cybersecurity threats.
A recent survey by Chicago-based Sikich LLP found that more than half of nearly 100 manufacturing and distribution executives who responded admitted to experiencing an information security event in the past year. The top three types of attacks involved email phishing scams (74%), unemployment fraud (34%) and ransomware (8%).
Kevin Bong, a director on the cybersecurity team at Sikich, said attackers are targeting small manufacturers now more than ever. Almost all of these attacks are ransomware and similar cyber-extortion.
“Most manufacturers don’t store a lot of credit card data or other sensitive personal data that an attacker can use for financial fraud; however, attackers have figured out that shutting down a manufacturer’s systems and holding the company’s digital intellectual property and ERP applications hostage can force the manufacturer to make large payouts to get back up and running again,” Bong said.
Several factors have led to more cybersecurity threats against manufacturers. Bong pointed to a new batch of vulnerabilities that appeared in 2021, including within Microsoft Exchange and Apache Log4j, allowing attackers to gain footholds in networks. This, combined with an expansion of remote access services for employees working from home, a prevalence of cryptocurrencies and a long history of companies practicing poor password protection, has created a perfect storm for cybersecurity threats.
While cybersecurity threats are always a looming possibility for companies both large and small, smaller businesses tend to be less prepared for such threats, said Scott Owens, owner and managing director of New Berlin-based BluTinuity LLC. This is due to smaller staff numbers and lack of resources to handle threats.
“I think the reason that you’re seeing an increase in cyber threats for small manufacturers is the fact that there’s high dollar value in the data that is stolen, whether it be intellectual property, trade secrets, or patent information, which is becoming more and more valuable across the board,” Owens said.
Common threats to manufacturers
Owens said ransomware is one of the scariest threats to manufacturers. Ransomware often enters a cyber environment through an email that appears legitimate and gets a reader to click on it, allowing malicious software to be downloaded onto a machine. Depending on a company’s security measures, that malware can then move around the network and lock up a company’s data and systems. It can take less than an hour for this entire process to happen.
“If you don’t have great controls in place, and you’re not quick to respond, it can be devastating,” Owens said.
Hackers will seek payment before unlocking any system, which is a tricky decision for a manufacturer to make. While the FBI recommends that business owners never pay a ransom, Owens said it could be the only option for some. Hackers running off with their payment is always a possibility, but some do keep their word.
“If (taking the money and running) was the process all these hackers took, then people wouldn’t bother to pay,” Owens said. “My take is: Try not to pay, but in some cases it might be the only way to save your business.”
There are several other common tactics being used against manufacturers, including taking advantage of servers or workstations that don’t have an antivirus system, deleting backups and resetting storage systems to destroy any ability to recover during a ransomware attack, and using stolen or guessed passwords to gain access to internal environments.
Bong said it is less important to look at who is accessing a manufacturer’s information and more important to look at how they are accessing it.
“Manufacturers should evaluate every method that employees, vendors, suppliers and other partners use to remotely access the company’s systems and data – such as VPN, cloud applications, remote help-desk control, remote desktops, virtual desktops and even email – and make certain each of these systems uses multifactor authentication and retains at least a six-month audit trail of remote access connections,” Bong said.
Getting ahead of cyberattacks
Rachael Conrad, vice president and general manager of global services at Milwaukee-based Rockwell Automation, is constantly and proactively considering how the company can help manufacturers think about operational technology security and cybersecurity.
“Factories today have far more connectivity than they ever did before,” Conrad said. “Manufacturers see the importance of data and contextualizing information. But to do that, you have to have a network.”
She sees the need for a culture change within companies to keep employees aware of ongoing cyberthreats and include them as part of the plan to prevent attacks. Everyone within a company should have a role and remain diligent.
“(Rockwell has) annual training, we have refresher training, … then certain roles have role-based, specific training on what they need to be cognizant of. But then we test it. We’ll do (fake) phishing emails and then try to use those as learning moments for people,” Conrad said.
Another important place for manufacturers to start is by conducting a comprehensive, install-based evaluation to understand what risks are out there and find out what vulnerabilities are matched to any legacy systems and devices, said Kamil Karmali, global manager of cybersecurity consulting services at Rockwell.
Once vulnerabilities are assessed, the next step is to build a risk profile. Vulnerability assessments and penetration testing are healthy strategies that can be deployed at the front end for a manufacturer thinking about cybersecurity, Karmali said.
“Once there’s a base level of (cyber) hygiene established, then we look at other things like standards and if there are compliance frameworks,” he said.
For example, businesses that are in the critical infrastructure category, including primary metals, machinery and transportation equipment manufacturing, have U.S. Department of Defense mandates they must follow related to cybersecurity.
When it comes to handling parties outside a specific company, such as vendors, Karmali recommends having a secure remote access technology that can provide an authentication trail of who’s coming into the environment. This allows business owners to conduct audits.
When a manufacturer is considering where to invest its cybersecurity budget, there are a few factors to keep in mind.
“There’s no one-size-fits-all solution here in manufacturing, or I would say in any industry,” Karmali said. “I think you have to think proactively and reactively. You have to look at the basic amount of investment you need to have skilled expertise on-site, especially if you’re a large enterprise.”
Owens agrees that a manufacturer’s cybersecurity planning should be preventative. A big component of that is making sure employees are provided with high-level training about security and phishing scams. Putting firewalls in place and requiring multi-factor authentication are other methods to combat cyberattacks on the front end. Having good information security policies and procedures is also key. Companies should follow the “minimum necessary” principle and only provide employees with the information and access that is absolutely required to do their jobs. Manufacturers should also consider having a data privacy agreement in place and doing security-related analyses on vendors to see how they handle data.
“Probably as important as any of those is having a good security instant response plan in place,” Owens said.
This includes recovery plans to regain control of data, so if a cyberattack does happen, no time is wasted trying to figure out what to do.
“Frankly, if you wait until you’ve had a data breach or cyber event, it’s too late,” Owens said. “If you have a major event, the likelihood of still being in business a year from now is probably less than 50%.”