Anyone living through today’s news cycle who does not recognize cybersecurity as an issue is simply not paying attention. But, until recently, most manufacturing companies have considered it someone else’s issue. Most reported cyber incidents have been aimed at acquiring large caches of consumer data (think breaches at Target affecting 70 million consumers, and Verizon affecting 40 million consumers.) Hackers were historically intent on identity theft, and the acquisition of consumers’ personally identifiable information (PII) is a first step toward that goal. Most manufacturers do not deal directly with consumers or collect their data, so many put cybersecurity on the back burner. However, a recent study found that the manufacturing sector is now the second most frequently hacked industry, after healthcare. (2016 Cyber Security Intelligence Index, IBM X-Force Research.)
Recent cyber breaches have gone far beyond collecting consumer PII. Cyber criminals (and some foreign countries) are after trade secret technology and IP — yours, your vendors’, and your customers’. Losses from these breaches can include direct payments in the form of “ransom” for shutting down your computerized systems and holding your data hostage (ransomware); business email compromises (BECs), where inside information about upcoming transactions or wire transfers are mistakenly directed to a cybercriminal by your own employees under the misapprehension they are acting on the instructions of a senior executive (phishing); or loss of employee PII or a whole host of other information you may not realize is accessible to a sophisticated cybercriminal.
All Modern Manufacturing Systems are Susceptible to Exploitation. Think about your company’s reliance on computerized industrial control systems (ICS) and supervisory control and data acquisition (SCDA) systems, employees’ use of multiple data storage devices (servers, laptops, smartphones, social media), your vendors’ and customers’ everyday access to your systems to streamline communications or production, cloud computing, vindictive or disgruntled employees with access to sensitive information, or innocent employees opening an email link or attachment without verifying the source. Any and all of these may provide points of entry for a determined hacker or data phisher. Target’s massive data breach in late 2015, for instance, was engineered through access unwittingly provided by a company HVAC vendor that did not have a secure system, despite Target’s own otherwise sophisticated and thorough security and breach prevention program.
Ransomware/BEC attacks have not distinguished manufacturing companies from other targets. A hacker may gain access to a company’s computerized systems by means of an insider/employee opening an official-seeming link or attachment in an innocent-seeming email, and implant a virus into the system that holds critical data hostage or shuts down critical functions. Even payment of the demanded “ransom” to unfreeze the system may not guarantee a return of data or normal functionality.
Data and System Breaches are Expensive. Costs can include business disruption, product discounts, forensic and investigative activities, loss of customers, litigation and regulatory, and reporting costs. According to the 2017 Cost of Data Breach Study recently released by the Ponemon Institute, the total organizational cost per data breach incident for the U.S. was $7.35 million last year, the highest of the 13 countries studied. The study did not address loss of competitive advantage when trade secret technology and IP are stolen, which could be substantially more costly; the U.S. Federal Bureau of Investigation (FBI) estimated that $400 billion of intellectual property leaves the U.S. every year as a result of cyberattacks targeted at manufacturing companies.
BECs increased 2,370% between January 1, 2015 and December 31, 2016, with victims reporting losses of $346 million. The FBI estimated in a May 2017 alert that such crimes have caused losses of $1.6 billion in the U.S. since 2013 and $5.3 billion globally. For instance, in 2015 paint manufacturer Sherwin-Williams reportedly sent $6.5 million to overseas bank accounts of Russian criminals due to BECs.
How Can You Fight Back? There are a number of protections available to manufacturing companies, many of which are relatively inexpensive.
- Train your employees. People are the weakest link in cybersecurity, since hackers can access your systems through a single point of contact. If employees are alert to potential email threats, confine their work to your secure network, and limit postings on social media, many potential attacks can be blocked.
- Use two-step authentication to mitigate threats from BECs. Companies that require confirmation of funds transfer requests by secure telephone or a secondary sign-off by company personnel can virtually eliminate unauthorized transfers.
- Segment your network on a “need to access” basis. This practice limits accidental transfer of critical data and prevents a hacker from using one point of entry to move a virus or malware through your entire system.
- Encrypt critical data and back up your systems regularly.
- Audit your vendors’ and contractors’ cybersecurity systems. Contractual provisions can create cybersecurity duties for your business partners and give you the right to examine their systems for weaknesses that might otherwise compromise your network.
- Use penetration testing or public domain audits regularly to ensure that your sensitive information is not accessible online.
- Apply software patches and update your systems on a timely basis. Operators of ICS/SCADA tend not to update or apply software patches because these require system downtime or gaps in service, but most of the systems hacked in recent ransomware attacks were running out-of-date software, and the attacks could have been foiled if the victims had simply applied manufacturer-supplied patches regularly.
- Check the NIST Guide to Industrial Control Systems (ICS) Security for additional cybersecurity guidance.
- Have a response plan in place in case of a breach.
- Look into cyber insurance to mitigate the cost of a cyber incident. The current insurance market is competitive and well-priced, so you should be able to negotiate for the appropriate protection.
While it is impossible to create impenetrable systems, be aware that hackers tend to go after low lying fruit. The more protections you implement, the less likely you are to experience a debilitating cyber-attack.
Written by: Frances Floriano Goins, Co-Chair of Ulmer & Berne, LLP’s Data Privacy & Information Security group, for Manufacturing Business Technology magazine.