As an industry that contributes about 6% of Australia’s GDP, the manufacturing industry is still not safe from the ambitions of an increasingly smart, organised and industrialised hacking groups. By Joel Camissar.
Globally, the volume of cyber attacks targeting the manufacturing sector increased 300% last year, and in Australia, 13% of all known cyber attacks are targeting manufacturers. What kind of threats is the industry facing? Why have manufacturers become key targets for cyber criminals? And most importantly, what can they do about this growing threat?
The era of ransomware
Ransomware is a type of threat that has grown dramatically in the past couple of years. The concept is to hold a company to ransom by threatening them to take down their systems or publish information, data or intellectual property (IP) they have managed to steal if the victims don’t pay.
The prospect of a downtime, and the associated financial cost and reputational damage are usually enough to convince many organisations to pay up. Some sources report US$350m in revenue was made from ransomwares in 2020. But with many attacks never reported, other estimates mention figures above US$1bn.
Malicious actors usually manage to implant their ransomware or malware leveraging company vulnerabilities, or taking it a step further by carrying out a Distributed Denial of Service (DDoS) attack against victims. There are also human-based attacks including spear-phishing, stealing credentials, or paying disgruntled employees to implant the malware. And as manufacturers increasingly digitalise and modernise their operations, it also increases the opportunity for criminals.
Increased attack surface
Many industries are reliant on new technologies and digital solutions to generate efficiencies, and the pandemic has only accelerated this trend, due to a stronger need for agility.
Manufacturing is no exception. Supply chains have often been dramatically disrupted to adjust to new and evolving industry and consumer needs. Other factors include the democratisation of connected devices and edge computing in recent years to monitor factory environments, security or machineries, which have led to a multiplication of new systems, and an acceleration of data exchange between them.
With new systems come new attack surfaces and vectors. There are more systems and devices, and more people who may not have received proper training on cybersecurity practices. Especially if these systems were implemented in recent months to ensure business continuity or to quickly adjust to lockdowns and outbreaks. That is not to say that manufacturers should pause their digital transformation efforts, but they should do it including new risk management and cybersecurity considerations, because manufacturing will only become a larger target for malicious actors in the future.
Breaking the first link in the chain
It would be a mistake to think cybercriminals are randomly and blindly targeting organisations. Hacking groups are becoming much smarter, strategic, and industrialised.
Their increased focus on manufacturers is the result of strategic thinking. Manufacturers are usually one of the first links in a supply chain, and disrupting their operations usually means disrupting the whole ecosystem. The potential damages are more significant than when attacking an organisation at the end of the chain, and is usually an additional incentive for victims to pay the ransoms.
In recent months, criminal organisations have publicly voiced their intentions to strike businesses that operate at the source. Unfortunately, that means manufacturing will also be a key focus. In this context, is it essential that industry players look at improving their resilience to cyber threats.
Designing for security
When designing new operational systems and infrastructure, manufacturers have to make sure they design with security in mind.
This starts with using a cyber risk framework to guide the security architecture development for production systems and measure maturity improvement over time. The Australian Cyber Security Centre has published its Essential Eight, acting as baseline cybersecurity recommendations to mitigate the risk of cyberattacks. Other major economies have published cybersecurity standards, and it is worth looking at the NIST in the US, or the Cyber Essentials in the UK as well.
Adopting a Zero Trust approach is also part of designing with security. The idea with Zero Trust is to implement access rules across the organisation that grant company users, data applications and external partners or stakeholders, access to only the resources they need to operate, for only the time they need access to it. If any of them is compromised, hackers have very limited freedom to navigate an organisation’s network and systems. Zero Trust is particularly relevant in a flexible and remote workforce set-up, allowing organisations to properly protect remote employees and their devices.
Thirdly, take a ‘one enterprise’ approach to security and risk management. Many organisations still operate in silo. For instance, a chief information security officer (CISO) may be responsible for information technology (IT) only, yet not charged with securing operational technology (OT) environments. This needs to change.
Finally, manufacturers should explore the shared responsibility model. The idea behind this model is that the responsibility for security doesn’t fall solely on one party. All stakeholders across the supply chain, from cloud service providers to end-users, have a role to play.
The multiplication of headlines on major data breaches and cyberattacks, even on the largest organisations on the planet is a sign that malicious actors are undeniably making headways. As an essential industry for our society, manufacturers have a responsibility to make cybersecurity a priority in the years to come, and reduce the risk of potential major disruptions and associated losses.
Joel Camissar is Senior Director, Channels, Alliances and Cloud, APAC at McAfee Enterprise.