Attackers prefer the path of least resistance—and targeting humans is easier than defeating or evading security systems.
by Tyler Zito, Senior Solutions Architect, Expel
While the image of the hoodie-wearing, black-hat hacker systematically breaking down cybersecurity defenses remains popular, the truth is that a significant portion of attacks targeting the manufacturing industry don’t involve traditional “hacking” at all. According to the 2023 Verizon Data Breach Investigations Report (DBIR), almost a quarter (23%) of all breaches in the manufacturing sector involved social engineering attacks. Instead of spending their time, energy, and resources defeating or circumventing security solutions, today’s attackers are increasingly targeting the weakest point in any system: its people. Manufacturers that want to avoid becoming the next major victim need to understand the scope of the problem—as well as how to address it.
Attackers prefer the path of least resistance—which usually means targeting humans. Social engineering tactics like phishing have been on the rise for years, and adversaries have evolved their tactics to evade standard protections. Pretexting attacks are regularly used to convince the user to reveal confidential information, and attackers have become good at timing their attempts to capitalize on distractions and busy workflows, causing victims to overlook red flags that might seem obvious in retrospect. Attackers are also engaging in tactics like SMS phishing (“Smishing”) and QR code phishing to trick those already wise to email-based scams. Focusing on the user to compromise credentials allows the adversary to potentially access a variety of critical applications: for example, if a single sign-on (SSO) application is compromised, that could effectively give the attacker the keys to the castle.
Manufacturing might not be as obvious a target for attackers as financial services or healthcare, but attackers regularly turn their efforts on the industry. They often leverage social engineering to target those with administrative access to sensitive information in the hopes of gaining access to trade secrets, intellectual property (IP), and other potentially lucrative data. An attacker who gains unauthorized access to core systems from a social engineering attack can cause severe problems for a manufacturing operation—including production delays, quality issues, and even the compromise of private customer data. Given the financial fallout, regulatory penalties, and reputational damage that a severe cyber-attack can cause, manufacturers cannot afford to leave themselves vulnerable to these attacks.
Training employees to recognize the signs of phishing and other tactics is important, but the unfortunate truth is that people make mistakes. Social engineering is a numbers game: the odds of a phishing attack working on any one individual is low, but if an adversary sends enough emails or text messages, eventually someone will slip up. That means it’s critical to have additional solutions in place that make it harder for cybercriminals to engage in social engineering.
It’s encouraging that a growing number of organizations are using MFA solutions to add an additional layer of security, but it’s important to understand that MFA alone cannot solve the social engineering problem. “Adversary-in-the-Middle” (AitM) attacks are on the rise, and adversaries are using them to trick employees into responding to what they believe are legitimate MFA requests, inadvertently giving away their credentials. Unfortunately, AitM attacks are relatively simple to conduct, and some attackers are even leveraging pre-built, customizable AitM tools. MFA still plays an important role in security (anything that makes the attacker’s life harder is a good thing), but it is not a one-size-fits-all solution to social engineering.
While AI and other advanced tools are making it possible for attackers to engage in more convincing attacks, they are also putting new tools in the hands of defenders. Today, there are solutions available that can identify and flag fraudulent messages before they even reach their targets. Other solutions can verify whether the sender of an email is who they claim to be, alerting users to spoofed addresses, unrecognized accounts, and other potential red flags. These solutions add a much-needed layer of security between employees and potential scammers, dramatically decreasing the effectiveness of social engineering schemes.
It’s also important to note that when an employee does inevitably fall for a social engineering attack, organizations should encourage them to come forward without fear of reprisal. The sooner the security team knows about a potential security threat, the sooner they can address it—but employees who fear punishment are less likely to admit their mistakes. Considering the damage attackers can do to manufacturers, encouraging immediate self-reporting of possible security threats is critical. Remember, your user base can be an extension of your security detection strategy within your environment.
The manufacturing industry may not be the most obvious target for attackers, but manufacturers often lack the robust cybersecurity controls and programs that businesses in finance or healthcare employ. Manufacturers that want to protect their trade secrets, IP, and customer data need to be sure they can defend against common attack techniques like social engineering by training their employees well, deploying effective technological protections, and creating a culture of understanding rather than fear. As a growing number of attackers target manufacturers, those that fail to implement the appropriate solutions and policies risk making headlines for all the wrong reasons.
Tyler Zito is a senior solutions architect at security operations provider Expel.
Patti Jo Rosenthal chats about her role as Manager of K-12 STEM Education Programs at ASME where she drives nationally scaled STEM education initiatives, building pathways that foster equitable access to engineering education assets and fosters curiosity vital to “thinking like an engineer.”