Shutting Down the Factory: Why the Manufacturing Sector Must Pay More Attention to Cyber Attackers
On any given day, the manufacturing business is fraught with challenges, from supply chain issues to personnel matters, pricing strategies, competition, and customer acquisition. The last thing a company needs or wants is to be a target in the crosshairs of overseas criminals who treat the company’s operating capital as a piggy bank to be cracked open.
Unfortunately, a just-released study by a major cyber security firm shows that targeted ransomware attacks on American businesses have increased approximately 2,500% since January 2017.
While company management may be reluctant to spend money on cyber protection, without attention and funding, a company’s computer system can become its biggest vulnerability. In order to protect American manufacturing, companies should assign adequate personnel, and allocate an appropriate budget, to protect their operations from cyber attack.
Common attack vectors
Many companies assume they can address cybersecurity by simply buying anti-virus software and calling it a day, but evolving ransomware attacks have shown that this kind of software may offer nothing more than illusory protection.
(NB: This article only addresses ransomware. There are other threats to the manufacturing sector which are outside the scope of this article, in particular business e-mail compromises, which can cost millions in diverted funds, and intellectual property theft.)
Phishing e-mails - communications sent to personnel that appear to be legitimate messages directed to specific individuals from known sources - now routinely deploy malware that anti-virus protections will not prevent. Brute force attacks on remote access ports can also open pathways into a company’s cyber environment.
Once inside a network, the attackers can move around to locate back-up servers and important operating data. Those business-critical resources are encrypted and rendered unusable before the operating systems are attacked – after all, what’s the point of attacking a company’s necessary data if they can just restore from back-up? If the correct data has been effectively encrypted by the attackers, the company will face a tough choice: pay a ransom or somehow rebuild from scratch.
The ransomware business has been successful enough that there are now several widely used encryption programs. Ryuk, GoGalocker, MegaCortex and SamSam are some of their handles. Regardless of the name, once these programs are deployed within a computer system, getting the company back to full functionality may take days or weeks even after a ransom is paid and the decryption key arrives. Whereas these attacks might once have been the effort of one person, they have now become the tools of organized groups that treat ransomware as a business model.
The most obvious cost in a ransomware attack is the ransom itself, but the loss does not end there. During a successful attack, of course, a manufacturing company cannot manufacture, and is therefore losing all of the revenue that comes from production. Customers may turn to competitors to fill product needs and may make business interruption claims against the victim company if provided for in the parties’ contract. The company’s reputation for reliability will be damaged. Meanwhile, the company’s employees still need to be paid.
If employee personnel data was taken during the event, then the company will be faced with responding to legal obligations relating to notifying consumers and regulatory authorities of the incident, and potentially, responding to regulatory investigations into the incident.
So what to do?
Manufacturing companies have to harden their cybersecurity walls while training employees to help keep the gates closed to malware. These fixes are not necessarily expensive.
Beyond these improvements, companies should also test their systems and plan for a possible crisis. An active crisis is not the time to vet experienced cyber crisis counsel and other incident response experts.
It is also crucial to have an external examiner conduct a review of security and preparations; otherwise, protection of the entire company rests on the training and experience of one person – the IT/Security Manager. If that person is not up to the job, a company may not find out that it has not adequately managed system security until it is out of business.
Technical measures to implement
- Employing multi-factor authentication for system access.
- Installing properly-configured firewalls.
- Immediate, required system updating (including operating systems, browsers and plug-ins).
- Sensitive data encryption and external storage.
- Use of event logging software.
- Immediate/regular updating of anti-virus programs.
- Limiting permissions to necessary access.
- Having a staff member whose sole job is fulfilling these functions, not as an add-on to other more important functions.
Training and policy measures to implement
- Regular training and testing of staff on identifying phishing e-mails.
- Limiting the accessibility of data and regularly destroying unneeded data.
- Regular assessment and testing of security by an outside agency.
- Maintaining robust monitoring of systems to ensure swift detection of, and response to, cyber incidents.
- Ensuring through contract that adequate cyber safeguards are taken by suppliers and other business partners.
- Obtaining adequate comprehensive cyber insurance.
Crisis preparation measures to implement
- Develop incident response plans and revise them regularly.
- Develop crisis communication systems and revise them regularly.
- Vet emergency service providers.
- Conduct tabletop and other exercises.
American manufacturing companies have to remember that ransomware events are no longer the occasional acts of unsophisticated lone wolves. Data encryption is merely the execution of a business plan for organized attackers. Companies must be as diligent and determined in constructing defenses as these criminals are in their attacks.