It’s Time Manufacturers Assemble a Sound Cybersecurity Effort

Recently the ISACA (Information Systems Audit and Control Association) and the Digital Manufacturing and Design Innovation Institute (DMDII) together conducted a survey that aimed to pinpoint the current cybersecurity challenges faced by the manufacturing industry. According to the ISACA and the DMDII, the survey highlighted how manufacturers face real security concerns when it comes to finding adequate cybersecurity workers, funding the right level of cybersecurity budget, and securing the internet of things (IoT)-integrated devices.

The survey found both good news, and not-so-good-news when it came to their security posture. Starting with the good news:

• 78 percent of manufacturing organizations have a formal process for dealing with cybersecurity incidents, and 68 percent have one for ransomware attacks.
• 77 percent expressed confidence in their security team’s abilities to detect and respond to advanced persistent threats (APTs).
• 34 percent noted they were experiencing more cybersecurity attacks today than a year ago, compared to 62 percent across all industries from ISACA’s 2018 State of Cybersecurity survey.
• 74 percent indicated they believed their organization’s cybersecurity training budgets would either increase or at least be maintained at current levels; only 4 percent anticipated a decrease in the coming year.
• 75 percent of manufacturing organizations have a program in place to promote cybersecurity awareness among their employees, but only 37 percent believe that their programs are very to completely effective.
• 47 percent of manufacturing organizations are spending less than US $1,000 on average each year on continuing education opportunities for their staff—versus 25 percent in other industries—and nearly 1 in 10 reported that their enterprises spent nothing on average each year on these educational opportunities.
• 81 percent of manufacturing organizations are somewhat to very concerned about the potential cybersecurity risks with personal, internet-connected devices. 58 percent don’t allow those devices to connect to the corporate network and 72 percent don’t allow those devices to connect to the corporate network on the manufacturing floor.
• Finding skilled cyber-staff remains challenging; a 1.8 million worker shortage is anticipated by 2022. Respondents indicated it takes an average of five months to fill open positions and 61 percent of hiring managers said less than half of applicants are qualified.

While 75 percent of manufacturers based in the U.S. have fewer than 20 employees and 98 percent fewer than 500, according to Kevin McDunn, Chief Product Officer at DMDII, the past year has witnessed a number of high profile manufacturers hit by cyber attacks.

Cybersecurity for manufacturers is not only critical for their business health, but they also face serious adversaries. According to the 2017 Verizon Data Breach Investigations Report (LINK), only governments face more espionage attacks. While it’s not state secrets attackers necessarily seek, they do seek research and development findings, product plans, pricing, and other such secrets.

The DBIR authors put it well. “When you make stuff, there is always someone else who wants to make it better, or at least cheaper. A great way to make something cheaper is to let someone else pay for all of the R&D and then simply steal their intellectual property. With that in mind, it will probably be of no surprise that Cyber-Espionage is by far the most predominant pattern associated with breaches in Manufacturing.”

“For a manufacturer, the intellectual property it possesses is of the utmost importance—whether it is a secret recipe, a creative new concept or a less expensive way to make a widget, it makes a tempting target for thieves,” they wrote.

There are significant differences between how nation-states and other well-heeled adversaries target manufactures when compared to more traditional financial and data thefts. “The criminals want to infiltrate the network, find out where the secrets are kept, and then sit and slowly siphon off the nectar for as long as they can. In many cases these attacks begin with a move against the carbon layer. An employee of the organization receives a phishing email, and clicks on the malicious link or attachment it contains,” the authors wrote.

Malware attacks are then installed as a backdoor, or C2, and they return as they want to study the network and take what they want. “In fact, the social and malware combination occurred in 73% of these breaches,” the wrote.

In The New York Times story from last November, Manufacturers Remain Slow to Recognize Cybersecurity Risks Ellen Rosen covered how manufacturers have taken a number of substantial security hits, most notably she citied two SEC filings by two major manufacturers, Mondelez International and Merck. “Both Mondelez International and Merck suffered much more significant losses after the 2017 Notpetya attack, although they described them differently in filings,” the New York Times reported. According to the NY Times:

“In its annual report for 2017 filed with the Securities and Exchange Commission, Mondelez stated that the “malware affected a significant portion of our global sales, distribution and financial networks.” The net revenue loss, the company said, was less than 1 percent of the company’s global net revenues of $25.9 billion. That still amounts to $103.6 million. In addition, the company incurred “incremental expenses of $84 million predominantly during the second half of 2017 as part of the recovery effort.”

Merck, in its S.E.C. filings, stated that the attack “led to a disruption of its worldwide operations, including manufacturing, research and sales operations.” The fallout was significant: a $260 million loss in sales for 2017 with an expected additional loss for 2018 of $200 million. The total costs for expenses and remediation are $285 million, a net amount after insurance.”

This survey was conducted in August 2018 and is based on responses from 167 participants from across ISACA, DMDII and Manufacturing Extension Partnership stakeholders.