The manufacturing industry is the most targeted industry by ransomware attacks, accounting for a staggering 23% of all ransomware attacks in 2021. What’s more, in the same year the manufacturing industry saw a 300% rise in these attacks, which suggests that ransomware is not only a widespread issue within manufacturing today, but is on course to get far worse.
The statistics alone show the depth and breadth of the issue, with more and more manufacturing companies falling victim to ransomware attacks every single day. That leaves the question: why this industry?
Why Ransomware Targets The Manufacturing Industry
The goals of ransomware have changed over the years or, at the very least, expanded. While traditionally executed solely for monetary gain, ransomware attacks are also becoming a favored attack method for reasons such as activism or simply to cause disruption. Many data protection regulations require businesses to disclose data breaches not only to the regulatory body, but also to anyone whose data may have been compromised, such as customers, partners, and stakeholders. Because of this, ransomware attacks often come with a high level of public exposure and, if an attacker can disrupt or halt production, they can create public disruption on a large scale, as well as cause considerable direct and indirect financial harm to the company.
Ransomware is used to disrupt operational systems that typically aren’t covered by traditional cybersecurity architecture. Attackers find their way in either through contractors or directly on the manufacturing floor, via manufacturing systems and operational technology (OT).
Operational technology refers to the hardware and software used to run industrial equipment, processes, assets, and more. The same report also revealed that manufacturing accounts for 61% of all compromised OT-connected organizations, and that 36% of all attacks on OT-connected organizations were ransomware attacks. If OT devices are compromised, attackers can move laterally or perform “privilege escalation” from these systems to reach the rest of the network, shutting everything down as they go, including machinery.
Resource planning systems are a common target for these attacks, as they enable that lateral movement through the various levels of the company. Privilege escalation starts from a compromised account. Each account on a system holds a certain set of privileges, sometimes a substantial one, even if the user is unaware of it. Once inside the account, the attacker exploits vulnerabilities to raise that account’s level of privilege, gaining access to further parts of the system as they go. Often, attackers will hop from one account to another as their privilege increases.
These attacks end up being fairly costly, both in the ransom itself and in the revenue lost while production is offline. Once an attack hits, production grinds to a halt: with all equipment offline, employees can’t do their work, and this downtime lasts for as long as the attack does. Companies often find themselves paying the ransom quickly to limit downtime and avoid losing even more capital while servers are down, rather than remediating the situation by cleansing and restoring their systems, which can take days, weeks, or even months.
Why Is The Manufacturing Industry So Easy To Target?
There are a number of reasons for this, but perhaps the most prevalent is that the manufacturing industry tends to have a larger attack surface, and one that is often more porous than those found in other industries. Operational technology has not always been included in traditional cybersecurity frameworks, and much of this machinery runs on older or more diverse operating systems, which are more prone to vulnerabilities and easier to exploit. This leaves a wealth of potential attack vectors open to threat actors.
And it’s not just manufacturing hardware and software that need to be included in this framework. As an industry, manufacturing relies heavily on temporary workers who aren’t part of the network and may need to connect to it via unprotected endpoints and internet connections. Without strong endpoint and web security solutions in place, this can leave a company vulnerable to all manner of malicious activity, such as malware and Man-in-the-Middle attacks. It is also common that, while office workers receive cybersecurity awareness training, this training doesn’t extend to manufacturing staff, leading to more instances of human error.
Rethinking Your Cybersecurity Strategy
That leaves the question: what is to be done? With rapid improvements in technology and a seismic shift to cloud devices and applications, the way businesses perceive their network perimeter needs to change. Endpoints aren’t just the tools office workers use, such as mobile devices and laptops. Anything connected to a network is an endpoint and, consequently, an attack vector that can be exploited if it isn’t properly safeguarded against threat actors. Even a smart coffee machine can be used to break into a company network if it isn’t brought into the company’s cybersecurity framework.
The top attack vectors for ransomware have been, and continue to be, phishing, the exploitation of vulnerabilities and security gaps, and remote access capabilities (such as Remote Desktop Protocol). But there is a range of protocols and solutions that can be deployed to close off these vectors. Here are a few of them in more depth:
Identity And Access Management
Identity and access management (IAM) solutions have become increasingly popular cybersecurity tools in the office, and it’s no wonder. Strong authentication protocols and restricting what employees have access to, so they can’t reach things they shouldn’t, have become a tried and tested part of any robust security framework.
Yet when it comes to extra methods of authentication for workers on the factory floor, things get trickier. Push notifications are the authentication method of choice for companies: everyone in an office has a smartphone they can use as their authentication tool, but this isn’t always the case for non-office-based roles. For factory workers, mobile devices aren’t always accessible, as many factories ban their use on the factory floor for safety reasons.
Companies need to adapt their security measures to accommodate this, either by introducing authentication dongles that can be used on the shop floor in lieu of mobile devices, or through other forms of authentication, such as biometrics, that don’t require users to present a physical authentication device.
Alongside the logistical problem of how to deploy authentication solutions in this environment, there is also an issue if these workers aren’t part of an Active Directory within the enterprise. Temporary workers in particular are often managed in a local user database or managed directly outside the company. Traditional MFA, 2FA, and access management solutions hinge on having a synchronized user database from an Active Directory. So not only does the actual method of authentication need to be rethought, but the user database and the planning around it do as well.
So identity and access management needs to be reassessed to make it accessible and comprehensive, covering both operational and information technology in the same breath.
To help you find the best solution to meet these requirements, we’ve put together a guide to The Top 10 Identity And Access Management Solutions.
Consolidating Operational Technology With Information Technology Systems
After gaps in security have been identified, your entire network perimeter needs to be reconfigured or expanded to protect devices operating outside your current network. Any operational technology needs to be adopted into the cybersecurity framework, either by deploying its own system or by integrating it into the current one. Traditional OT systems, in addition to presenting threat actors with a wider attack surface, can also be difficult to patch due to stability issues, and often lack basic cybersecurity features such as encryption and authentication. Integrating IT and OT gives greater visibility over all equipment and its software, streamlining operations, security, and management.
As well as exploiting security oversights in the software used on the factory floor, ransomware attacks can and do still use more “traditional” attack vectors. A primary example of this is email phishing, a type of social engineering attack that tricks end-users into clicking harmful links or downloading malicious files that install ransomware on the server.
Ransomware has been, and continues to be, one of the most pervasive and prevalent forms of malware. Research from Sophos revealed that 29% of ransomware attacks are born from email phishing tactics, either through malicious links or file downloads. Remote attacks against servers account for a further 21%, and emails with malicious attachments for 16% of ransomware methods.
Email phishing attacks are those in which a bad actor manipulates a user into clicking a malicious link or file within an email in order to spread ransomware through a network. A range of preventative tactics, both human and technological, can be deployed to combat phishing attempts. These include awareness training for staff and a series of protocols that can detect when emails have been spoofed to trick users into thinking the email came from a legitimate source.
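One technical piece of that protocol-based spoof detection is checking SPF, DKIM, and DMARC alignment on inbound mail. The script below is an added example, not code from the original post: it reads the Authentication-Results header that a receiving mail server stamps on a message, checks whether the SPF and DKIM domains align with the visible From domain, and quarantines mail that fails DMARC-style alignment. The sample messages, domains, and the "deliver"/"quarantine" policy are constructed for illustration, and the alignment check is a simplified subdomain-suffix comparison rather than full organizational-domain alignment.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not from the original post). A real mail gateway
# stamps the Authentication-Results header itself after running SPF/DKIM checks.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=billing.example.com; dkim=pass header.d=example.com
From: Accounts Payable <ap@example.com>
Subject: Invoice 4471

Please find the invoice attached.
"""

# Visible From claims example.com, but SPF and DKIM passed for an unrelated domain:
# the From-header spoof that DMARC alignment is designed to catch.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.attacker-example.net; dkim=pass header.d=attacker-example.net
From: CEO <ceo@example.com>
Subject: Urgent wire transfer

Please process this payment today.
"""


def parse_auth_results(value: str) -> dict:
    """Split an Authentication-Results value into {method: {"result": ..., prop: value}}.

    RFC 8601 layout: "<authserv-id>; method=result prop=value ...; method=result ..."
    """
    results = {}
    parts = [p.strip() for p in value.split(";")]
    for part in parts[1:]:  # parts[0] is the authserv-id (the server that did the checks)
        tokens = part.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            entry[key.lower()] = val.lower()
        results[method.lower()] = entry
    return results


def aligned(auth_domain: str, from_domain: str) -> bool:
    """Simplified relaxed alignment: same domain, or a subdomain of the From domain.

    Assumption: real DMARC relaxed alignment compares organizational domains
    (via the public suffix list); a plain subdomain-suffix check stands in for it here.
    """
    return bool(auth_domain) and (auth_domain == from_domain or auth_domain.endswith("." + from_domain))


def evaluate(raw_message: str) -> dict:
    """Return a DMARC-style verdict for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    spf = auth.get("spf", {})
    dkim = auth.get("dkim", {})
    spf_aligned = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)

    reasons = []
    if not from_domain:
        reasons.append("no parseable From address")
    if not spf_aligned:
        reasons.append(f"SPF not aligned (mailfrom={spf.get('smtp.mailfrom', '-')}, result={spf.get('result', 'none')})")
    if not dkim_aligned:
        reasons.append(f"DKIM not aligned (d={dkim.get('header.d', '-')}, result={dkim.get('result', 'none')})")

    # DMARC passes when at least one of SPF or DKIM both passed and aligns with From.
    dmarc_pass = bool(from_domain) and (spf_aligned or dkim_aligned)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": dmarc_pass,
        "verdict": "deliver" if dmarc_pass else "quarantine",  # constructed local policy
        "reasons": reasons,
    }


if __name__ == "__main__":
    for name, sample in (("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF)):
        print(name, evaluate(sample))
```

The spoofed sample is the case awareness training alone tends to miss: SPF and DKIM both show "pass", so a filter that only looks at those results would let it through. Alignment against the From header is what turns the two passes into a fail, which is why the check belongs in the gateway rather than in the user's judgement.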
For more about phishing, how it works, and steps you can take to safeguard your business, you can check out our blog here on How To Stop Phishing Attacks.
Backup And Recovery
Ransomware works by encrypting or locking every file it can access on a server, before presenting users with a pop-up requesting a ransom be paid in exchange for the key to those encrypted files (or for user access to be re-granted). But paying the ransom doesn’t always lead to the safe restoration of your data and doesn’t ensure that your systems will be completely cleansed from the ransomware—you are dealing with a cybercriminal, after all.
Because of this, it’s critical that you have comprehensive, secure backups of your data to help you recover in the event of a ransomware attack. Companies need to employ a data backup and recovery plan for all critical files and information, and regularly test that their backups work. We recommend following the “3-2-1” rule when creating backups: keep at least three copies of your data, in at least two different locations, with at least one copy stored on a different medium or format from the others.
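A backup only counts if it restores intact, so "test that your backups work" should mean comparing a restored copy against a record taken at backup time, not just confirming that the job ran. The following is an added example, not code from the original post: it builds a SHA-256 manifest of a constructed set of production files, verifies two simulated restores against it (one intact, one with a corrupted file and a missing file), and checks a constructed backup inventory against the 3-2-1 rule as stated above. The file names, locations, and media are assumptions for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest recorded before the backup was taken."""
    actual = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in actual)
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    extra = sorted(p for p in actual if p not in manifest)
    return {"ok": not (missing or corrupt), "missing": missing, "corrupt": corrupt, "extra": extra}


def check_3_2_1(copies: list) -> dict:
    """Check a backup inventory against the 3-2-1 rule as stated in the post:
    at least three copies, in at least two locations, at least one on a different medium.
    Each copy is a dict with 'location' and 'medium' keys (constructed schema)."""
    problems = []
    locations = {c["location"] for c in copies}
    media = {c["medium"] for c in copies}
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies (need 3)")
    if len(locations) < 2:
        problems.append(f"only {len(locations)} location(s) (need 2)")
    if len(media) < 2:
        problems.append("no copy on a different medium or format")
    return {"ok": not problems, "problems": problems}


def demo() -> dict:
    """Create constructed production data, record a manifest, and verify a good and a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "production"
        (src / "plc").mkdir(parents=True)
        (src / "recipes").mkdir()
        (src / "plc" / "line1.cfg").write_text("scan_rate=10ms\nsafety_interlock=on\n")  # constructed
        (src / "recipes" / "batch.csv").write_text("step,temp_c\n1,180\n2,220\n")       # constructed
        (src / "README.txt").write_text("constructed sample data\n")

        manifest = build_manifest(src)  # taken at backup time; store it with the backup

        # Restore 1: intact copy.
        good = Path(tmp) / "restore_good"
        shutil.copytree(src, good)

        # Restore 2: silently damaged copy (bit rot, partial restore, or tampering).
        bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "plc" / "line1.cfg").write_text("scan_rate=10ms\nsafety_interlock=off\n")
        (bad / "recipes" / "batch.csv").unlink()

        return {
            "files_in_manifest": len(manifest),
            "good": verify_restore(manifest, good),
            "bad": verify_restore(manifest, bad),
        }


if __name__ == "__main__":
    print(demo())
    inventory = [  # constructed inventory
        {"location": "plant-A-datacenter", "medium": "disk"},
        {"location": "plant-A-datacenter", "medium": "tape"},
        {"location": "cloud-region-1", "medium": "object-storage"},
    ]
    print(check_3_2_1(inventory))
```

Keep the manifest somewhere the ransomware cannot reach, such as with the offline copy, so that a restore test compares against a record the attacker could not have rewritten along with the data.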
We’ve put together guides to the best backup solutions for SMBs, and the best enterprise-grade backup solutions (which are also compatible with Microsoft 365), which you can view below:
The sheer prevalence of attacks on the manufacturing industry, coupled with their devastating financial impact, makes vulnerability management and threat prevention a high priority for companies within the industry. The manufacturing industry’s wide and porous attack surface, the widespread disruption an attack causes, and the quick payment of ransoms that tends to follow all make it an attractive target for attackers. Companies in the manufacturing business stand to benefit from reassessing the security of the devices connected to their networks, finding where there are significant oversights, and remediating them.
However, rethinking your cybersecurity strategy doesn’t mean throwing the whole thing away and starting from scratch. That would be time-consuming, expensive, and almost impossible in practice. Instead, companies should look at what they already have and focus on improving and upgrading their existing systems: identify the security oversights first, then take pragmatic, small steps to fill them.