Why the rush to digital heightens cyber risk for manufacturers
Manufacturing companies are increasingly implementing digital systems for efficiency and productivity. But they could be opening the door to greater cyber risks
Manufacturers could be overlooking cyber security in the rush to install technologies that improve productivity. When manufacturers adopt digital technologies, says Mitchell Scherr, Chief Executive Officer at Assured Cyber Protection (ACP), “their threat surfaces increase substantively”.
The introduction of technologies for automation, robotics or the internet of things (IoT) gives cyber criminals “a bigger playing field to work from”, Scherr says. “It gives more attack vectors to be breached or compromised by cyber adversaries.”
Manufacturing bore the brunt of more cyber attacks than any other industry last year, according to an IBM X-Force Threat Intelligence Index report released in February 2022.The study showed 23 per cent of all assaults were directed at manufacturers, putting the sector ahead even of financial services and insurance, traditionally the two most frequently targeted industries.
Even the smallest of cyber invasions could potentially render a manufacturing company unable to operate for a time
Verity Davidge, Director of Policy, Make UK
“The attacks vary in seriousness and cost in monetary terms," says Verity Davidge, Director of Policy at the manufacturing industry body Make UK. “Even the smallest of cyber invasions could potentially render a manufacturing company unable to operate for a time, lose critical IP or data, or cause significant reputational damage.”
Cyber criminals most often use ransomware to attack manufacturers and hobble supply chains, taking advantage of the fact that many manufacturing companies lack the kind of cyber protection found in other industries. The IBM research found 47 per cent of these attacks were simply down to the presence of vulnerabilities that had not been patched.
Unlike technology companies or banks, which have long relied on highly connected IT systems and thus are attuned to the possibility of attack, many manufacturers have tended to focus on operational technology platforms that work independently of wider networks. However, this is changing as manufacturers move to embrace the so-called Fourth Industrial Revolution or Industry 4.0, using interconnectivity and smart automation to improve output and productivity.
Industry 4.0 requires many manufacturers to link operational technology systems to the internet and to new IoT networks containing hundreds or thousands of sensors. Any part of these complex and growing data infrastructures could be subject to attack. Samuel Hale, chief technology officer at IoT analyst firm MachNation, says another problem for manufacturers is that cyber criminals are increasingly professional.
Today’s risks come from bad actors who exploit enterprises’ security vulnerabilities to put money in hard-to-trace coffers
Samuel Hale, CTO, MachNation
“Cyber criminals have become experts at following the smell of big money,” Hale says. “While yesterday’s cyber risks came from hackers trying to prove their technical prowess, today’s risks come from bad actors who exploit enterprises’ security vulnerabilities to put money in their hard-to-trace coffers.”
Hackers targeting manufacturers could be looking to make money by exfiltrating intellectual property and selling it to third parties or by holding IT systems to ransom, says Hale. The ransomware threat to manufacturers is not new. In 2017, for example, consumer goods manufacturers Mondelez International and Reckitt Benckiser were among the companies hit by the NotPetya virus, which disabled systems and sent messages requesting a $300 ransom to be paid in bitcoin.
The attack caused a 3 per cent loss of profits for Mondelez and a 1 per cent revenue hit for Reckitt Benckiser. To avoid similar losses in today’s environment, ACP recommends having layers of security to create defence in depth around core systems. These security layers need to include workers as well as IT systems, says Andrew Clarke, Group Chief Strategy and Global Business Development Officer at ACP. “Around 97 per cent or more of breaches are down to human error, omission, negligence or malicious acting,” Clarke says.
“The defence in depth we talk about is the people, the organisation, the technology,” he says. “If you address only one of those, you are going to walk into problems. No business is impenetrable from cyber attack.”
For manufacturers, the lesson is clear: Industry 4.0 may be the path to improved productivity and competitiveness, but if it is not accompanied by painstaking attention to cyber security then it could also be a route to significantly higher business risk.