Manufacturing is one of the least technologically advanced industries, with companies in media, finance, and healthcare consistently outpacing it. Only 24% of global manufacturers have implemented a smart manufacturing initiative, with another 22% currently in the pilot stage. More than half of the world’s manufacturers are still using systems and processes that aren’t up to date with modern security measures.

Manufacturers have become rising targets for cybercriminals due to a lack of security expertise and a low tolerance for disruption. Given that cybercrime losses are expected to exceed $1.8 billion by 2020, manufacturers must be aware of the risks and how to manage them. Manufacturers must recognize the new threat to their security and take immediate steps to protect themselves.

Understanding Today’s Elevated Risk

So, how did we end up in this situation? Manufacturers are in such a precarious position because of two factors, one internal and one external. The first is the relatively slow adoption of Industry 4.0-related technologies and processes by manufacturers. Manufacturers are pragmatic by nature and often operate on razor-thin profit margins, making the kind of culture and business evolution required to succeed as a smart manufacturer a lengthy process.

The second most important factor is the way the COVID-19 pandemic has multiplied points of risk. Businesses without the necessary systems and technology are unable to see what is happening on their plant floors and in their supply chains. Without that visibility, business decisions are based on guesswork rather than data, putting manufacturers at a disadvantage when it comes to being precise, forecasting future needs, and mitigating customer and supply chain risk. Add in new health department and government guidelines for reporting and collecting worker health information, which force manufacturers to quickly adopt and integrate new technology, and collapsing supply chains, which force companies to quickly choose new business partners and exchange financial information. Cybercriminals, who are always looking for openings to exploit, suddenly have a lot to work with.

The Criminal Playbook: Phishing, Ransomware and Internal Breaches

Phishing attacks, ransomware attacks, and internal breaches are the top three threats that manufacturers are facing. Phishing is most common among manufacturers as a result of supply chain changes and management. After gathering enough information on a target, criminals can use the victim’s corporate email address to contact other factory employees. A common example of this scheme is a supervisor phoning a subordinate to change payment information during the setup of a new account with a new supplier. Hackers can learn stylistic points like tone and company shorthand with enough preparation, all with the goal of making the request appear as normal as possible. Any payment is then irreversibly diverted to a different recipient. When the exchange is finished, the hacker can delete any evidence that the email was ever sent from the original account, leaving the victim in the dark until it’s too late.

Another common attack method is ransomware. Because manufacturers have such a low tolerance for downtime, paying the ransom and regaining control may actually be less expensive. Governments are enacting new, vaguely worded regulations to prevent the spread of corporate espionage, which does not help. Manufacturers are frequently left to navigate sometimes contradictory security laws, and they are ill-equipped to do so. This ambiguity provides hackers with yet another entry point.

Internal breaches are the most difficult to prevent, both culturally and practically, and for many companies, this has been exacerbated by social distancing. Hackers can gain a foothold by connecting to business networks from a variety of – even potentially personal – devices rather than company-issued and vetted machines. Employees, on the other hand, have the most direct access to a system and, as a result, can cause the most havoc if they become disgruntled and malicious. Controlling permissions across hundreds or thousands of employees – and keeping them up to date with role changes – is an important but often overlooked safeguard.

Protecting Your Manufacturing Business

Manufacturers, in the end, require a 360-degree security plan that protects employees, vendors, and any machine or system connected to the internet. Returning to security fundamentals is the best place to start.

Manufacturers can control a number of things internally to manage risk:

  • Restriction of employee access to systems and appropriate siloing by role. This reduces the risk of multiple devices colliding, as well as the possibility of a single employee gaining enough access to bring the entire system down.
  • Ironically, dividing responsibilities for highly sensitive systems among multiple employees is the best way to limit risk exposure.
  • Ensure that all employees who interact with a system have received thorough training; activity logs can help with this and can help to identify potential risks early on.
  • Keeping secure backups up to date reduces downtime in the event of a breach.
  • To minimize losses, have a solid disaster recovery plan in place and test it frequently.
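
The first two controls above, together with the earlier point about keeping permissions current after role changes, can be checked with a periodic access review. The following is an added example, not part of the original article; the role names, permission names and user records are constructed for illustration.

```python
from typing import NamedTuple

# Hypothetical role-to-permission map (the "siloing by role" baseline).
ROLE_ALLOWED = {
    "line_operator": {"mes_view"},
    "maintenance_tech": {"mes_view", "plc_program"},
    "ap_clerk": {"vendor_edit"},
    "ap_approver": {"payment_approve"},
}
# Permission pairs that must be split between different employees.
SOD_CONFLICTS = [
    frozenset({"vendor_edit", "payment_approve"}),
    frozenset({"plc_program", "plc_deploy"}),
]
# Constructed sample records: current role plus permissions actually granted.
USERS = {
    "alice": {"role": "ap_clerk", "grants": ["vendor_edit"]},
    # bob moved from clerk to approver but kept his old grant
    "bob": {"role": "ap_approver", "grants": ["vendor_edit", "payment_approve"]},
    "carol": {"role": "line_operator", "grants": ["mes_view", "plc_program"]},
    "dave": {"role": "contractor", "grants": ["mes_view"]},
}

class Finding(NamedTuple):
    user: str
    kind: str    # "excess", "sod_conflict" or "unknown_role"
    detail: str

def review_access(users, role_allowed=ROLE_ALLOWED, conflicts=SOD_CONFLICTS):
    """Return every grant that exceeds the user's role or breaks a duty split."""
    findings = []
    for name, rec in sorted(users.items()):
        grants = set(rec["grants"])
        allowed = role_allowed.get(rec["role"])
        if allowed is None:
            # A role with no baseline means nothing it holds is justified.
            findings.append(Finding(name, "unknown_role", rec["role"]))
            allowed = set()
        for perm in sorted(grants - allowed):
            findings.append(Finding(name, "excess", perm))
        for pair in conflicts:
            if pair <= grants:
                findings.append(
                    Finding(name, "sod_conflict", "+".join(sorted(pair))))
    return findings

if __name__ == "__main__":
    for f in review_access(USERS):
        print(f"{f.user:6} {f.kind:13} {f.detail}")
```
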

External risk is more difficult to protect against in some ways, but it can be reduced if manufacturers incorporate strong security practices into every external relationship from the start. Establishing a good data processing agreement and security scorecard can help with this. Manufacturers should also collaborate with vendors who offer controls that support this, and communicate frequently to identify inconsistencies and vulnerabilities.

Finally, digital transformation to become a smart manufacturer has become a business imperative. However, manufacturers must ensure that they are moving quickly enough without exposing themselves to unnecessary risk, and that their partners, suppliers, and customers are following suit. Despite pressures to increase manufacturing system agility quickly and cheaply, particularly in the face of pandemic disruption, businesses should proceed with caution.

Too many businesses undervalue the cost of security breaches. Don’t let yourself become a statistic.