Cyber criminals are targeting the manufacturing sector.
That’s the conclusion of Dragos’ Cybersecurity Year in Review report, which found that the number of cyber attacks on industrial businesses increased by 50% in 2023. Additionally, IBM’s X-Force Threat Intelligence Report ranked manufacturing as the most attacked industry by cybercriminals for the third year in a row.
From aerospace, automotive and electronics to consumer packaged goods (CPG), food and beverage, and pharmaceuticals, the manufacturing sector is one of the largest, most diverse, and rapidly changing segments of the global economy.
Yet as manufacturers adopt more advanced technologies such as Artificial Intelligence (AI) and Machine Learning, they are becoming more vulnerable to cyber threats due to its rapid proliferation and ability to tailor its attacks, making it a real force to be reckoned with. These threats include ransomware, phishing attacks, industrial espionage, and attacks on industrial control systems (ICS) and operational technology (OT).
The results can be devastating, impacting productivity, stability as well as company reputation. But what is driving these attacks? And how can manufacturers protect themselves?
Cybersecurity challenges in manufacturing
According to a World Economic Forum report published in April, cyber attacks on the manufacturing sector accounted for more than one quarter (26%) of all attacks worldwide, with ransomware comprising 71% of these. In 2023 alone, the number of ransomware attacks on industrial infrastructure doubled, posing a significant threat to supply chain and manufacturing operations.
Manufacturing is a tempting and lucrative target for cyber criminals as many manufacturers rely on legacy technology and protocols. These outdated systems struggle to keep pace with and identify new and highly sophisticated methods deployed by cyber criminals to access systems, resulting in higher impact breaches. The majority of these attacks are financially motivated, with threat actors deploying remote code execution, trojans via phishing email, and asset access via an untrusted network to locally encrypt and extract data for ransom.
The cyber artillery available for launching attacks on the manufacturing industry is significant. Services like Ransomware as a Service (RaaS) are now big business and being adopted by cyber criminals. It can cause huge disruption, incurring high costs for businesses due to the downtime, ransom payments for recovering systems, as well as the halting of production lines, resulting in substantial financial losses.
With the adoption of more sophisticated technology like AI being used to fully automate stages of a cyber attack, the volume and scale of cyber attacks has only increased, presenting a pressing and sophisticated threat to the cyber landscape. This is also paired with a rise in the reliance on supply chains, where third-party components, libraries, and software are broadening and thinning the security of many industries, including manufacturing.
As a result, pressure is growing on software and hardware manufacturers to ensure the products are made secure-by-design. The passage of legislation through the US government such as the National Cyber Security Strategy published in March 2023, followed by a series of papers from the QUAD nations (Australia, India, Japan and the United States), the US Cybersecurity and Infrastructure Security Agency, and the UK’s National Cyber Security Centre, emphasises the importance of embedding secure-by-design principles into the software and hardware development lifecycle.
Hence businesses must learn to implement a secure-by-design approach to protect against cyber threats.
Building resilience in the industry
The concept of manufacturers being liable for a product’s safety is not new. In fact, it applies to just about every other sector. In the case of cars, planes, electrical appliances and buildings, the organisation that designs and makes them is responsible for ensuring that they are safe to use. However, this doesn’t yet apply to software creators despite the damaging consequences misuse or malfunction has on businesses and on lives.
Whilst no software manufacturer sets out to build software that is insecure, they have a responsibility to ensure data is secure from the very beginning of its development. This includes data in transit, stored data or data being processed by an application. Designing software with security embedded from the start allows manufacturers to get the best picture of the security of a device and enables them to make informed choices about what security measures to take.
To do this we need to deploy a process called threat modeling, which involves analysing software for potential risks and determining the most effective ways to mitigate them. In its simplest form, this is about looking at your software design and asking Adam Shostack’s four questions:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
AI can also help with this. It has been used in detecting and preventing cyber attacks for a while now, but turning AI against itself might be the best long-term bet to defend against other AI applications.
By understanding the security flaws in their designs, developers can reduce the time spent on security testing before, during, and after development, preventing vulnerabilities from being found by hackers down the line.
Overcoming the barriers to combating cyber threats
Cost and budget limitations often restrict the security measures manufacturers can implement – meaning that spending needs to be prioritised in the right places.
This is why it is more important than ever to tackle security issues from the very beginning – before a single line of code has been written. This is the most cost-effective way to embed security. If a flaw is left until a later stage, it is invariably more costly and time consuming to fix. But like most cyber security areas, there is no silver bullet.
It is not as simple as just telling developers to put more focus on security, because developers graduate without having learned the technical knowledge needed to build secure software or how to threat model. The place that this all-important knowledge does sit is within the security team. However, in most organisations that are developing software at scale, the number of developers and the applications that they are working on outnumber the security team many times over.
Therefore, what is needed is a culture change. Security and development teams must work more closely together from the very start of the development process, embedding threat modelling as a community practice with shared responsibility. Understanding the designated environment, identifying clear scopes, responsibilities and software capabilities of the devices will provide a preliminary security design basis to define applicable threats and their corresponding countermeasures.
Looking ahead, manufacturing businesses must ensure they prioritise cybersecurity from the get-go or risk being left behind. Security-by-design must be built into cyber resilience approaches so that products are secure and resilient to the latest threats. Threat modeling is the best method to achieve this without hindering productivity, stability or company reputation.
Policymakers and governing bodies must also make secure development processes mandatory and take security into consideration – both for software and hardware. Only then can manufacturers better protect themselves from cyber threats.
About the author:
