Manufacturing has several unique problems when it comes to cybersecurity and the threat landscape, namely a distinct lack of funding and personnel that contributes to an excess of vulnerable, outdated legacy systems.
The Manufacturing Industry’s Biggest Security Problems
As an industry, manufacturing is acutely vulnerable to downtime. While some industries can work around network downtime to a degree, those in manufacturing cannot, because they rely on these networks to operate their machines. Without working machines, operations come to a hard, immediate stop. This halt then creates a heightened sense of urgency to resolve the issue. Unfortunately, this degree of urgency results in a greater likelihood of the victims paying the ransom. Threat actors seeking monetary gain know this, making manufacturers an especially appealing target.
Another factor that makes manufacturing a strong target for cyber attacks is the abundance of legacy systems across the industry. Many of manufacturing’s core systems (ERP, etc.) are older systems designed to run specific types of machines on their network. While this machinery is designed to last a long time, the embedded operating systems (OS) are not, which turns these out-of-date systems into easy targets. Once the OS goes out of date, so does vendor support for that OS, which leaves the entire system vulnerable to attack. This creates a complicated internal environment, which means more vulnerabilities to exploit.
Lack of Staff and Funding
IT departments and security teams in manufacturing companies are both underfunded and understaffed. Due to this, companies are often not equipped to properly secure their network systems, regardless of a system’s age. Furthermore, because of these budgetary constraints, many organizations in the industry feel that they cannot get away from their legacy systems and subsequently do not migrate to the newer, improved versions of those platforms. Simultaneously, there is the issue of finding the right IT and security teams for this industry.
Unfortunately, security has never been a main focus for the industry, which contributes to legacy systems lingering. Without trained security professionals on staff, many companies in the manufacturing industry believe that as long as their machines are running properly, everything is fine. As a result, mitigating security risks takes longer, because security projects tend to get pushed back due to a lack of personnel and awareness.
While there are things that can be done to help mitigate these risks, they require having both the budget and expertise to identify those risks and then deal with them effectively. Additionally, most in the manufacturing industry aren’t aware of their vulnerabilities until they are attacked.
Attacks on Manufacturing are Rising
Cyble Research Labs reports that manufacturing faced 35.05% of ransomware attacks across all industries in Q1 of 2022, which is significantly higher than the second highest industry (construction, at 19.63%).
Manufacturing ranked as the number one most attacked industry in 2021 in IBM’s 2022 X-Force Threat Intelligence report, facing 23.2% of attacks. This is the first time since 2016 that manufacturing has held the top spot.
Top three attack types:
- Ransomware (23% of attacks)
- Server access attacks (12%)
- BEC and data theft (10%) (tied for third)
How to Reverse the Trend
Education is key, but it is not simply about educating one person. It is about educating an entire industry; everyone from the C-suite down to the interns needs to know, and understand, that they are a target.
One way to do this is by cultivating a security mindset across the company. This takes more than the individual, and it can be helpful to bring in a consultant or develop an internal group to get the process started. Awareness of what proper security organizations look like and how they operate needs to be spread across the organization and integrated within strategic plans. Security has not been a standard in manufacturing strategic planning; instead, executives focus more on supply chain strategy and logistics.
Industry best practices need to be incorporated, too. This means:
- No shared accounts or passwords.
- Security awareness training needs to be required for everyone from the top down and implemented in an effective way. That is, training should be consistent and engaging. If employees only take part in training once a year, they will be on higher alert immediately after the training but will most likely return to old habits soon after.
- Firewalls need to be implemented for older systems.
- Teams need to regularly discuss what technology can be put into place to help mitigate the risks of legacy systems.
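The first practice above, no shared accounts, is easier to enforce when you can detect when an account is in fact being shared. The following is an added example (not code from the original article or from Blue Team Alpha) of a small detection script: it parses constructed, syslog-style sshd login lines and flags any username that authenticates from several distinct source hosts within a short window, which is a common sign of a shared "operator" login on an HMI gateway or similar legacy system. The hostname, usernames, addresses and timestamps are all invented for the example.

```python
"""Flag accounts that look shared: one username accepted from several
distinct source hosts within a short time window.

Added example for illustration; the log lines below are constructed and
do not come from any real system.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style sshd "Accepted" lines, ISO timestamps).
SAMPLE_LOG = """\
2024-03-04T08:01:12 hmi-gw sshd[1201]: Accepted password for operator from 10.10.5.21 port 50122 ssh2
2024-03-04T08:03:40 hmi-gw sshd[1207]: Accepted password for operator from 10.10.5.37 port 50210 ssh2
2024-03-04T08:05:02 hmi-gw sshd[1210]: Accepted password for operator from 10.10.5.44 port 50288 ssh2
2024-03-04T08:10:55 hmi-gw sshd[1222]: Accepted publickey for jdoe from 10.10.5.21 port 50301 ssh2
2024-03-04T09:30:00 hmi-gw sshd[1300]: Accepted publickey for jdoe from 10.10.5.21 port 50410 ssh2
2024-03-04T13:15:09 hmi-gw sshd[1402]: Accepted password for operator from 10.10.5.21 port 50512 ssh2
"""

# Matches the fields we need: timestamp, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return a list of (timestamp, user, source_ip) for each accepted login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # ignore lines that are not successful logins
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def find_shared_accounts(events, window=timedelta(minutes=30), min_sources=2):
    """Return {user: sorted list of source IPs} for every user seen from at
    least `min_sources` distinct hosts inside any `window`-long interval."""
    by_user = defaultdict(list)
    for ts, user, src in sorted(events):  # sorted by timestamp
        by_user[user].append((ts, src))

    flagged = {}
    for user, logins in by_user.items():
        # Slide a window starting at each login and count distinct sources.
        for i, (t0, _) in enumerate(logins):
            srcs = {src for ts, src in logins[i:] if ts - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[user] = sorted(srcs)
                break
    return flagged


if __name__ == "__main__":
    for user, sources in find_shared_accounts(parse_logins(SAMPLE_LOG)).items():
        print(f"possible shared account: {user} used from {', '.join(sources)}")
```

Run against the sample, the script reports `operator` (three hosts within five minutes) and stays quiet about `jdoe`, who only ever connects from one address. In practice you would feed it real auth logs from the legacy hosts and tune `window` and `min_sources` to the site's shift patterns, then follow up each hit by issuing individual accounts.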
Security is a large gap in this industry, and until it becomes a mainstream part of operational strategy, the industry will remain at risk.
Can a vCISO Service Help?
A vCISO—virtual Chief Information Security Officer—is an experienced cybersecurity professional who can be a crucial player in cultivating a culture of security within a manufacturing company. These individuals bring security planning to an organization and can help shape both policy and organizational thinking surrounding cybersecurity.
vCISOs are an affordable option for companies that cannot afford to have a CISO on staff internally. This service makes it feasible for even a mid-size organization to have someone in this consulting role. Blue Team Alpha offers vCISO services that can help your organization protect and defend against cyber attacks.