With digital technology as ubiquitous as ever, cyber incidents have proliferated, both inside and outside the United States. Virtually any kind of Internet access puts users at risk of a data breach; the numbers seem to corroborate what’s become a new normal in a connected world. Just this past year, reported data breaches rose 17%, totaling 1,475 in the U.S. alone, with more than 164 million records either exposed or stolen, according to the Identity Theft Resource Center.
The threat landscape has been particularly treacherous for business owners. Historically, certain industries tended to be the focus of cyber attackers more than others. These have included finance, healthcare, entertainment, education, and information industries.
The manufacturing industry is under regular assault, with increasing frequency. A combination of factors contributes to this new reality, including the sector’s reliance on and development of operational technology. Manufacturers’ failure to implement the appropriate risk management policies and controls to support and defend their supply chains and proprietary intellectual property continues to lead to breaches and loss events.
Why is cybersecurity important for modern manufacturing?
In many ways, manufacturing is the lifeblood of the U.S. economy. The sector is an enormous jobs creator, providing ongoing employment opportunities for over 12.8 million people, according to the most recent statistics available from the National Association of Manufacturers (NAM). Manufacturing contributes an estimated $2.37 trillion to the country’s economy per year. Many of the products that people use on a daily basis are derived from the factory floors and production lines of manufacturers.
The manufacturing sector’s unparalleled success, paired with its reliance on the industrial Internet to manage workflows, hasn’t gone unnoticed by cyber attackers, who over the years have sought to stymie business owners’ growth. The number of breach incidents affecting the industry is on the rise, both in recent years and currently. In 2016, for example, nearly 40% of companies in advanced manufacturing said they’d experienced at least one breach within the previous 12 months, according to analysis conducted by the Manufacturers Alliance for Productivity and Innovation (MAPI). Hackers at the time also had more opportunities to gain access or entry to sensitive data, as between 35% and 45% of respondents said they used mobile apps, sensors, and smart products throughout the course of production.
Three years later, manufacturers’ supply chains continue to be under attack. In 2019 alone, large and small manufacturers experienced the effects of 352 reported cyber incidents and 87 reported breaches, according to Verizon Wireless’ Data Breach Investigations Report. That outnumbered other hard-hit industries, including retail, transportation, and administrative.
Yet despite the growth in cyber incidents, manufacturing cybersecurity best practices aren’t being executed to their proper degree. In a separate study MAPI spearheaded in partnership with Deloitte, almost half of executives in advanced manufacturing said they didn’t feel like they had sufficient layers of protection to thwart attempted breaches. Additionally, nearly the same share (48%) indicated they lacked the necessary funding to pay for these defenses.
What is the business impact of cyber incidents and breaches?
The adverse impact manufacturers experience in the aftermath of even one cyber-attack can be detrimental. From lost jobs and damaged credibility, to diminished productivity and unplanned downtime, virtually every aspect of the production pipeline feels the fallout. According to research from Accenture, cybercrime is expected to cost businesses worldwide, both in the manufacturing space and elsewhere, as much as $5.2 trillion between 2019 and 2024.
Jon Boyens, head of the federal government’s National Institute of Standards and Technology (NIST), told Supply Chain Dive that there’s an interdependence between tech and manufacturers. Manufacturers produce these goods and devices for their customers, but they also use them within their workflows to streamline production and delivery.
These critical operational technologies can be used against manufacturers, often because they lack the safeguards and embedded security to defend against attacks. This has led to an uptick in cyber incidents, impacting supply chains and on-time deliveries.
The IP Commission 2019 Review states that the United States Trade Representative (USTR) examined China’s industrial policies that call for the “absorption, digestion, and re-innovation of foreign intellectual property” to meet the Made in China 2025 goal of 40% self-sufficiency by 2020 and 70% by 2025. Many of China’s means of acquiring IP are not officially written into law but are done in indirect and informal ways that make it difficult to prosecute.
Through means such as investments and cyber intrusion, the Chinese government directs and unfairly facilitates the systematic acquisition of cutting-edge technologies in industries deemed important by state industrial plans. The report concludes that China’s acts, policies, and practices are unreasonable because they unfairly target critical U.S. technology with the goal of achieving dominance in strategic sectors. These practices harm U.S. innovation and economic competitiveness.
In February, NAM Director of International Business Policy Ryan Ong told the Subcommittee of the Trade Policy Staff Committee that intellectual property theft has become an industry unto itself. Citing a 2017 report from the Commission on the Theft of Intellectual Property, he said stolen brands, ideas, and inventions sap an estimated $600 billion from the U.S. economy annually. That’s up from approximately $300 billion in a similar study done four years ago.
The constantly evolving nature of technology, combined with insufficient funds and hackers regularly refining their breach strategies, has made it exceedingly challenging to get out in front of cyber incidents, Ong warned.
“The United States has long made vigorous protection of IP rights at home and abroad a cornerstone of our manufacturing competitiveness, but we must do more in the face of these and other challenges,” Ong explained. “It is more critical now than ever before that the United States strongly defend intellectual property and innovation around the world in all available forums.”
Ong went on to state, “Every day, manufacturers across the country are transforming their operations to achieve greater efficiency, productivity and competitiveness while working to create a better tomorrow.”
What cybersecurity risks do manufacturers face?
In addition to the variety of entry points that render manufacturers vulnerable to attacks, there are a multitude of threats. After cybercriminals breach your defenses and exfiltrate (copy) your data, they commonly use malicious software against vulnerable systems. The most common type is ransomware, which blocks access to computer systems by encrypting their data. The only way to regain access is by paying the ransom requested or restoring systems from backup. Restoring assumes that the backup was functional prior to the incident and that the ransomware did not also encrypt the backups, which it commonly does.
Small and large businesses, as well as major metropolitan areas, have been on the receiving end of ransomware attacks in recent years. This includes manufacturers as well. As noted by IndustryWeek, automotive giants Nissan and Renault, pharmaceutical firm Merck, and food manufacturer Mondelez were all affected by ransomware in 2017. And in 2018, the attacks didn’t let up, this time impacting TSMC, a chip manufacturer for Apple’s iPhone. While the company was able to recover, financial losses stemming from the incident resulted in an estimated $250 million in overall damages.
In 2019, two American chemical companies, namely Hexion and Momentive, became victims of the LockerGoga ransomware attack. ASCO, one of the largest airplane parts manufacturers, suffered a ransomware attack crippling production in factories across four countries including Belgium, Germany, Canada, and the United States.
A new variant of BitPayer ransomware infected a US manufacturing firm in 2019 via PsExec, a command-line tool that allows the execution of processes on remote computers. Also in 2019, Titan Manufacturing and Distribution suffered a cyber-attack compromising customer data after its computer systems were infected with malware. Ransomware also hit Norwegian aluminum giant Norsk Hydro. A week after the ransomware attack, Norsk Hydro estimated that total losses from the incident had reached over $40 million.
Keep in mind that breach event data is widely underreported by manufacturers who fear increased secondary losses and the long-term impact to their reputation.
Analysis of incident response data from X-Force IRIS paints a picture of the devastating effects of these attacks on companies. A few of the key findings include:
- Massive destruction, massive costs: Destructive attacks are costing multinational companies $239 million on average. As a point of comparison, this is 61 times more costly than the average cost of a data breach ($3.92 million).
- The long road to recovery: The debilitating nature of these attacks requires a lot of resources and time to respond and remediate, with companies on average requiring 512 hours from their incident response team. It’s also common for organizations to use multiple companies to handle the response and remediation, which would increase hours even further.
- Manufacturing entities: 50% of organizations affected by cyber-attacks in 2019 are in the manufacturing sector.
- Constant target: According to the report, 60% of manufacturing firms were hit with at least one WannaCry-related attack in the first six months of 2019.
What can manufacturers do to protect themselves?
The best defense is a robust offense: implementing strategies that provide comprehensive, end-to-end manufacturing cybersecurity measures that strategically guard against infiltration by probable threats. You’ll find it with Certitude Security®. Our cyber assessment services are comprehensive and can provide you with increased confidence that you are exercising the duty of care to protect your data and systems from loss events, such as ransomware attacks. Consider contacting us today for a no-obligation consultation. When you need certainty, turn to Certitude Security™.