The manufacturing industry is often seen as an ideal target for cyberattacks, so businesses must learn how to stop them.
By Scott King, Senior Director, Security Advisory Services, Rapid7
As demonstrated during the COVID-19 pandemic, the manufacturing industry is an essential business in the United States and across the world. As dependency on this sector grows, it is increasingly being targeted by cyberattackers. According to one survey, 40 percent of manufacturing executives said their companies experienced a breach within the last year. To better illustrate this growing statistic, Visser, a parts manufacturer for Tesla and SpaceX, and major electronics manufacturer CPI were hit by ransomware just a few months ago.
So, why is manufacturing a top target?
Malicious actors see manufacturers as a top target because not only are they profitable, providing financial motivation for a ransomware attack, but the world is also dependent on their outputs (as demonstrated during the COVID-19 pandemic). Operating on strict schedules to meet their daily quotas, they simply cannot afford to be shut down.
Despite this, the industry is still lagging when it comes to improving its cybersecurity practices and hygiene. In fact, manufacturing is the second slowest industry to mediate the earliest phases of a cyberattack, meaning these businesses are typically unable to stop, and in many cases even detect, an attack in the beginning before it can cause significant damage.
One reason for this is that cybersecurity competes with other technology spend and becomes a lower priority for business leaders. Because output is the primary goal, protecting the systems used to produce products is typically of lesser importance. With cybersecurity low on the totem pole, manufacturers frequently overlook the changing landscape and fail to identify, acknowledge and address common attack tactics. For example, as information technology (IT) and operational technology (OT) become much more connected in the age of Industrial IoT, they present a new outlet for attackers to exploit control systems, sensors and telemetry systems.
Additionally, basic security best practices such as checking for vulnerabilities, changing factory settings and passwords and training employees in security are not happening either.
How can businesses better protect the industry?
Because cyberattacks against the manufacturing industry won’t slow down, here are four ways companies can start securing their businesses today.
Determine operational risk.
The most crucial step is determining operational risk. Assessing how much risk a business can tolerate will help identify what it can actually take on in times of crisis and beyond. This is a critical step in understanding where to apply investment and in which business risk categories a lack of security could impact the company.
Implement network segmentation.
From there, it’s important to focus on creating a strong cybersecurity strategy that addresses both IT and OT. Firstly, manufacturers should not connect any OT to public or business networks. Instead, isolate network connection points and limit or eliminate remote access to production where possible.
Develop strict access controls.
Manufacturing businesses should also set up strict physical and logical access controls — especially if the plant floor is accessible to the whole company. Minimizing accessibility to the environment means only people who need to access it are allowed. Linear barcode and swipe cards, proximity cards, biometrics, mobile credentials, QR codes, smart cards, multi-technology readers, locks, and device authentication and authorization are all options that can help secure a manufacturing facility and monitor who is coming and going in certain areas.
Look to third parties for help.
Because of the talent shortage in cybersecurity, manufacturers should consider investing in a third-party contractor. Outsourcing portions of a cybersecurity program also allows for wider access to talent, not limited by geographic location.
Like many industries, as businesses reopen following the pandemic, the next few months are going to be challenging for the manufacturing sector. However, there are things that can be done today to minimize its security risk. In a post-COVID-19 world, decision makers should begin developing long-term security plans and establish the path for security investment and ongoing risk management with the above steps to thwart a potentially detrimental incident.
Scott King is the Senior Director, Security Advisory Services for Rapid7. Scott has over 20 years of professional work experience in the IT and cybersecurity fields. He started his career as a network and systems engineer in the midst of the Silicon Valley dot-com boom of the late '90s. In 2001, Scott moved into an information assurance role supporting the Department of Defense, kick-starting his career as a cybersecurity professional. Scott has worked extensively in the energy industry, DoD, state government, high tech, and manufacturing. He offers a unique mixture of extensive hands-on operational experience and executive leadership.