Despite being the top target for attack, manufacturing has not been included by government as part of the discussion around securing vital infrastructure. Brian Grant discusses the current risks, and how to increase protection levels within increasingly digitalised companies.
Manufacturing is now the number one target for ransomware attacks worldwide, according to the 2022 IBM X-Force Threat Intelligence Index report, dethroning financial services and insurance after a very long reign. Ransomware groups are increasingly attacking manufacturers to “fracture” the backbone of global supply chains and cause widespread disruption, for profit or political goals.
Across critical industries, four in ten (44 per cent) organisations reported an increase in the volume, severity, or scope of cyberattacks last year. The government responded with new laws covering vital providers such as telcos, utilities and transport companies that imposed tougher requirements on them to protect themselves against cyber-attacks. Just last month, Home Affairs and Minister for Cyber Security Clare O’Neil, also announced the Risk Management Program (RMP) obligation – a set of rules designed to strengthen the resilience of critical infrastructure and essential services vital to the security, prosperity and sovereignty of Australia.
Yet despite being the top target for attack, manufacturing has not been included as part of the discussion around securing vital infrastructure.
Manufacturing moves from ‘just in time’ to ‘just in case’
While government does not officially classify manufacturing as a ‘critical industry’, the role it plays in society should not be underestimated. From medicines to food, from defence to transportation, manufacturing is a critical part of our social fabric. As the world moves from ‘just in time’ to ‘just in case’ supply chains, our reliance on sovereign manufacturers will only increase.
Yet despite rapid digitisation and hybrid workforce creating more vulnerabilities than ever before, there is no standardised or coherent approach to cybersecurity within the manufacturing industry. This has caught the attention of cyber criminals who see it as a business opportunity.
Increased risk of financial and physical harm
What makes an attack on critical infrastructure and essential services unique is that it is not always financially motivated. Malicious actors often want to significantly damage things or cause physical harm to people. An attack on certain elements of the manufacturing industry has the potential to disrupt essential functions across other critical sectors, affecting our national economy and security. This is the new reality, which manufacturers must factor in when designing cybersecurity strategies.
Even more alarming is that many attacks would have already occurred on manufacturing companies without them knowing. Malicious actors often stay under the radar once they have compromised their target, waiting for an economic, geopolitical, or financial event before they strike.
Attacks are moving from IT to OT
Manufacturing organisations’ fast adoption of technologies such as the cloud, big data, AI and IoT means they are transforming the capabilities of both their Information Technology (IT) and Operational Technology (OT) platforms. This has led to many manufacturers needing to support a hybrid corporate computing environment, where multiple user identities co-exist. However, the convergence of these two domains has opened once-siloed OT systems to a new world of threats and risks – which is what happened in last year’s infamous Colonial Pipeline attack.
Weak access controls to authenticate employees into cloud-based and on-premises systems now present a much bigger risk as more than 50 per cent of manufacturing attacks begin with compromised user credentials. Following their unauthorised access, attackers will follow a well-trodden path moving laterally through the network, elevating privileges, delivering malicious payloads and compromising critical digital or data platforms, which is the ultimate goal of most cyber-attacks today.
Security fit for a critical industry
Digitisation of the manufacturing sector is well under way, but organisations need to do six things to increase protection levels in line with today’s ever expanding threat landscape:
- Assess what’s truly important to the sustained functionality of the business
- Map that onto physical and digital assets within the organisation to discover the critical elements that must be protected
- Treat the assessment of these critical elements as an embedded and continuous process, as one-off audits will quickly become outdated
- Apply security as soon as critical data or infrastructure is identified
- Protect sensitive data and infrastructure throughout their lifecycle
- Control access with multifactor authentication and centralised key management across on premises and hybrid cloud environments
Protecting the industry from cyber-attack can only come from strengthening access controls for users and better securing vital digital and data assets. These increased protection levels will not only mitigate costly breaches, but also future proof the manufacturing industry against the inevitable introduction of stronger cybersecurity regulatory obligations.
Brian Grant is ANZ Director, Thales CPL