How Manufacturers Can Address Cybercrime in the Ongoing Pandemic
These three small steps can help manufacturers -- in fact, enterprises in any industry -- make their environments significantly more secure.
- By Scott King
- June 22, 2020
Across the globe, demands for essential goods such as hand sanitizer, face masks, and ventilators are skyrocketing. Factories that once churned out items such as perfume have shifted production to help combat the ongoing pandemic. The world is relying on the manufacturing industry more than ever before. However, this industry has traditionally been an easy target for cyberattackers, and despite everything that is happening, hackers are showing no signs of slowing down.
According to a recent survey by Deloitte, 39 percent of manufacturing executives said they've experienced a breach within the last year. Five months into 2020, and we're already seeing a similar pattern. In the first week of March alone, Visser, a parts manufacturer for Tesla and SpaceX, was hit by ransomware, as was major electronics manufacturer CPI.
Although attackers continue to target this industry, there are steps manufacturing companies can take to improve their cybersecurity posture and defense tactics. In this article we'll explore why this industry has traditionally been such an easy target for cybercriminals and what it can do to avoid becoming the next victim of an attack.
Manufacturing Has So Much to Lose
Manufacturing plants are well-oiled machines. They have strict schedules along with daily, weekly, and monthly quotas to meet. Imagine what would happen if that schedule was disrupted and taken offline, even for 30 minutes. Operational downtime delay to production schedules can cost manufacturers thousands -- even millions -- of dollars.
That's what makes this industry so appealing to hackers. Because a cyberattack will ultimately result in operational downtime, there is a strong chance that attackers, and their demands, will not be ignored as companies are eager to keep production moving. Knowing this, attackers plan attacks that disrupt an organization's profit center and put money into the pockets of the attackers. These organizations are under immense pressure to remain operational, so many will end up paying if they are targeted by a ransomware attack.
The Norsk Hydro attack brought the global manufacturing powerhouse to its knees. Although the company never paid the extortion demand, the attack was debilitating. Operations had to be shifted to manual mode, costing the company millions of dollars in damages.
Manufacturers Use Outdated Technology
According to a recent report, the manufacturing industry stops only 39 percent of attacks at the point of initial access. This means that more than half of attacks are bypassing and evading current detection and protection solutions that manufacturing companies use. Although this might seem surprising considering how security solutions have matured over the years, this industry has traditionally used outdated technology, which means they have an outdated approach to security, creating more opportunities for attackers. For example, the embedded technology in factory equipment has always been designed with "safety" in mind as opposed to security, leaving these systems open to attacks.
One of the most prominent areas where we see attackers exploiting this industry's use of outdated technologies is the convergence of information technology (IT) and operational technology (OT). Separately, these two systems operate at two very different levels. What's more, it was never considered that OT equipment would be connected to so many other technologies (such as control systems, sensors, and cameras). Because of this, security and real-time monitoring features were not built in. These factors, combined with outdated technologies, make it difficult to secure these two spaces. To correct this, manufacturing businesses must find new ways to incorporate security safeguards. This requires investment -- in both time and money -- that some manufacturers do not have.
Security is a Low Priority
Security has never been a top priority for manufacturers. Security features and best practices are often not taken into account when new products are purchased.
With COVID-19 requiring companies across all industries to explore remote workforce options, manufacturing companies prioritized, and invested in, automation systems that make it easier for their employees to do their jobs from the safety of their homes. Although it is encouraging to see companies making investments to support their employees, many automation tools are being purchased without considering their security features. Standard security best practices such as checking for previous reported vulnerabilities, changing factory settings and passwords, and training employees in the secure ways to use the new solutions are not happening. With fewer guards and controls in place, it's easy for industrial control systems to be hacked simply through accident or user error.
Despite the challenges plaguing the industry -- outdated technology, a disconnect between safety and security, and vulnerabilities associated with remote work operations -- there are small steps that manufacturers can take to significantly improve their security posture.
The most crucial step is for businesses to determine their operational risk. This will dictate everything else. Assessing how much operational risk an organization is willing to tolerate will help identify what it can actually take on in times of crisis (and beyond).
From there, organizations should focus on creating a strong IT/OT cybersecurity strategy by taking these three steps:
- Compartmentalize everything. To do this effectively, do not hook any ICS or production gear to public or business networks. Instead, implement cyber controls at key network connection points. In addition, limit which machines can talk to each other and create checkpoints through network segmentation and boundaries.
- Establish stricter access controls. By minimizing accessibility to an environment, only people who need to access a system will be able to. Setting restrictions can make an impact for many manufacturing companies, especially if the entire plant floor is accessible to the entire company.
- Consider hiring a third-party contractor. With furloughs and layoffs driven by the COVID-19 pandemic, more contractors will be available in the next three to six months. A third party can improve your network environment to provide a more secure facility that will protect you now, during these uncertain times, and in the future.
A Final Word
As we continue to envision the future of manufacturing post-pandemic, it is time to make security a priority. The next six months are going to be especially challenging for the manufacturing industry, but there are things that can be done to minimize security risk and ensure a more secure business in the future. Once manufacturing leaders understand how security threats impact operational reliability, evaluate financial impacts versus costs, and consider their reputation, acceptable risk tolerances will be defined.
Though this will be challenging during a pandemic, it is a great start and will further establish the path for security investment and ongoing risk management.
Scott King is the senior director, security advisory services for Rapid7. King has over 20 years of professional work experience in the IT and cybersecurity fields. He started his career as a network and systems engineer in the midst of the Silicon Valley dot com boom of the late 90s. In 2001, he moved into an information assurance role supporting the Department of Defense, kick starting his career as a cybersecurity professional. King has worked extensively in the energy industry, DoD, state government, high tech, and manufacturing. He offers a unique mixture of extensive hands-on operational experience and executive leadership. You can contact the author via LinkedIn.