With cyberattacks in the manufacturing and distribution (M&D) sector on the increase, senior management must take the lead in focusing attention on the growing threat — and in developing effective countermeasures.
For many years, the most obvious (and most lucrative) targets for cyber criminals were in industries such as online and retail sales, financial services, and, more recently, healthcare. These industries have begun shoring up their defenses and improving their cybersecurity efforts, so attackers are moving on to other targets. Today the M&D sector is in the crosshairs.
In the face of these rising threats, manufacturing executives should assess their vulnerability to new types of attack. At the same time, M&D organizations also should examine the effectiveness of their cybersecurity operations — in terms of both reducing the likelihood of a successful attack and limiting the damage when a breach does occur.
Manufacturers’ Growing Vulnerability
According to the 2016 Cyber Security Intelligence Index published by IBM X-Force Research, manufacturing is now one of the most frequently hacked industry sectors, second only to healthcare and surpassing the financial services and retail sectors. Automotive and chemical manufacturers were the most frequently targeted businesses within the manufacturing sector, according to IBM.
Other sources confirm the trend. For example, in January 2016 the U.S. Department of Homeland Security reported that during fiscal year 2015 it had investigated almost twice as many cyberattacks in the critical manufacturing sector as it had the year before.
At the same time, M&D businesses’ vulnerability to cyberthreats is being heightened by technological advances and the growing use of technology itself. Among the many ways that technology has changed manufacturing, several merit special mention:
- The growth of intellectual property. In the information age, virtually all manufacturing businesses own proprietary software and other data that has inherent value and must be protected against loss, theft, or damage.
- Smart manufacturing. Multimillion-dollar computerized operating and business systems control crucial production and management systems — frequently with access via wireless devices or internet connections. Because such systems often are linked and not properly segmented, they can be vulnerable to attacks and breaches.
- Internet of things. Expensive and highly specialized production equipment often is supported by off-the-shelf internet-connected devices such as cameras, routers, and wireless access points. Such plug-and-play devices are convenient and low-cost, but every unsecured device running in its default configuration is a potential access point for hackers.
In trying to anticipate cyber crime threats, it’s important to remember that, generally speaking, cyber criminals don’t attack just because there’s a vulnerability. They attack because they see an opportunity to monetize that vulnerability. A 2016 Ponemon Institute survey of 304 individuals who admitted being involved in cybersecurity threats revealed that, while some attackers said they are motivated by other reasons, 69 percent said they are simply in it for the money.
Most respondents also agreed that automated hacking tools and specialized hacking toolkits have helped make their activities more cost-effective. Such tools have contributed to the prevalence of several of today’s most widespread schemes:
- Ransomware. This malicious software holds critical data hostage while the attacker demands the company pay a ransom to regain control. For large organizations, ransom demands in the tens of thousands of dollars are not uncommon. One particularly malicious variation begins to systematically destroy the captured data if the victim does not meet the demand quickly enough. The FBI recently reported that a single strain of ransomware was responsible for more than $18 million in losses in almost 1,000 instances over a 14-month period — and that is only one example.
- Whaling. These highly targeted, intelligent attacks often use social media research to identify relationships within organizations — particularly individuals with access to bank accounts. After researching and identifying a target, hackers send deceptive emails, faxes, or instant messages that appear to be legitimate authorization from a CEO or other high-ranking executive to make a fund transfer or execute a fraudulent transaction.
- Spear phishing. A step up from common phishing schemes that target random users, spear phishing attacks are researched and targeted, often posing as messages from law enforcement agencies or legitimate business organizations. The goal is to trick users into clicking on a link that enables the hacker to introduce ransomware or other malware that can provide access to sensitive information.
Assessing Your Preparedness
Ransomware and other targeted attacks can have a devastating impact on M&D operations. The first step in upgrading a company’s defenses is an objective and systematic assessment of its current level of preparedness. As a starting point, M&D executives should be asking their IT and security teams some basic questions about potential areas of concern such as:
- Email filtering. Are we effectively filtering potential threats?
- Social engineering. Do our employees have an appropriate level of security awareness so they are less likely to be tricked by malicious parties?
- Endpoint protection. Will our endpoint security solution correctly identify and mitigate malicious hardware, software, and behaviors attempting to gain access to our network?
- Propagation. Have we performed penetration testing to determine a malicious actor’s ability to move around within our network if it is breached?
- Data backup procedures. Are backups conducted regularly and automatically, and are procedures tested to verify that they work as intended?
- Data exfiltration. Can sensitive data be removed from the network? Can we detect when an outside actor is gaining access to our data?
- Incident response. Have effective incident response procedures been implemented and communicated throughout the organization?
As with so many issues, the tone set by senior management is crucial. Boards and executive teams must make it clear that cybersecurity is not just an IT problem. Rather, it is an enterprisewide risk that threatens essential business and production systems and has the potential to completely disrupt critical operations.
Above all, management must actively work to establish a corporate culture in which employees in all areas of the organization are acutely aware of the risk and recognize that they are the first line of defense against this serious — and still growing — threat to M&D operations.
Kiel Murray, CISSP; Mike Porter and Chris Wilkinson, CISSP, CRISC are all with Crowe Horwath.