Author: Chase Snyder, Sr. PMM, Xage Security
Manufacturing surpassed finance and insurance as the most-targeted industry for cyberattackers, according to the IBM X-Force Threat Intelligence Index 2022. The report said that 23% of the cyberattacks IBM X-Force responded to in 2021 targeted manufacturing. Attacks on manufacturing showed no signs of slowing in 2022. In addition to actual attacks, 2022 saw a large influx of common vulnerabilities and exposures (CVEs) impacting critical manufacturing assets: 109 such CVEs were reported in the first half of the year alone.
What is it about manufacturing enterprises that is making them attractive targets to cyber adversaries?
We can’t exactly ask the hackers why they’re going after manufacturers, but here are some factors that are likely driving the trend:
- Manufacturing is driven by older, vulnerable software, but is transforming rapidly: It is costly and difficult to replace the Operational Technology (OT) systems that drive manufacturing equipment, so it doesn’t happen very often. This is by design! Why shut down the whole assembly line every five years if you could do it every thirty years instead? But this means that many of the OT systems that drive manufacturing equipment are running older, vulnerable operating systems. In today’s environment of rapidly developing software and increasingly profitable cyberattacks, this is a recipe for risk. Patching is important, but not always viable, and often requires costly downtime. Defenders need tools that can secure this aging technology in place without having to update or rip and replace it.
- Manufacturers have many incentives to pay ransoms or otherwise hasten the resolution of an attack: Any manufacturer’s worst nightmare is having to shut down production. They can lose millions of dollars per hour when a manufacturing plant is not producing. This gives attackers leverage to demand high ransoms with short turnarounds. The LockBit and Conti ransomware gangs targeted many manufacturing enterprises in 2022, and added time pressure to the attacks by starting a “countdown” after which sensitive files would be published if no ransom was paid.
- Attacking a manufacturer isn’t perceived as negatively as other targets: In recent history, some cyberattackers have actively avoided, and even apologized for, targeting hospitals and other organizations that would make them seem morally repugnant or draw a major reaction from a nation state. Manufacturers are more obscure and less of a social hot button than, say, a children’s hospital. Financially motivated hackers want the fastest possible payment, with the least likelihood of a major response by law enforcement or a nation state. This influences who they target. Manufacturers are considered somewhat of a “soft target,” for now. But the Cybersecurity & Infrastructure Security Agency (CISA) has identified critical manufacturing sectors, and it is likely that cyberattacks on these would result in a strong government response.
- Manufacturers have large, complex, deeply interconnected supply chains: Toyota has over 400 parts suppliers with direct connections into production systems. This is part of how they achieve incredible efficiency in manufacturing vehicles, but it also exposes them to risk. If an upstream supplier with access to production systems is compromised, Toyota must respond. In February 2022, the car maker shut down all of its manufacturing plants in its home country of Japan in response to a cyberattack against a supplier of plastic parts for the vehicles.
Zero Trust Security is the Path Forward for Manufacturers
It is clear that manufacturers have a unique set of traits that makes them a target for increasing numbers of cyberattackers. Some of these can’t be addressed with technology, such as the cost of downtime, which cyberattackers use as leverage to push manufacturers into paying ransoms. However, every manufacturer has the opportunity to reduce its attack surface and more effectively secure the OT systems that can’t be patched or replaced.
The solution is to adopt zero trust principles similar to those already being pursued, and even required by regulators, in other critical infrastructure industries including energy, transportation, and defense. These industries are striving for the ability to control every user, asset, and interaction with their OT environments, and to cyber-harden OT-IT-Cloud interconnectivity. Forward-thinking enterprises are using zero trust-based access management and asset protection to harden against risk introduced by supply chain partners, under-managed and over-privileged identities, and more.
Xage supports manufacturers in achieving practical zero trust and modernizing their access control to block attacks against operational assets. To learn how a large steel manufacturer uses Xage to secure assets and obtain lower cybersecurity insurance premiums, read our case study.