Manufacturers suffered the brunt of cyber attacks last year, overtaking financial services and insurance as the most targeted sector. As the Covid-19 pandemic exposed the vulnerability of the long, complex supply chains favoured by global manufacturers, hackers bet on the ripple effects that disruption would cause for them.
More than 45 per cent of the attacks were on vulnerabilities that victim organisations did not, or could not, fix using software updates, according to IBM’s latest Security X-Force Threat Intelligence Index.
These findings underline the increased threat to industrial companies as they grapple with the challenge of securing decades-old legacy systems.
Increasingly interconnected supply chains have only raised the stakes — with several global manufacturers reporting incidents. Earlier this year, Toyota shut down all of its plants across Japan after a suspected cyber attack on one of its suppliers.
Attacks are also increasing at a time when companies are integrating greater computing power, and more connectivity, into their production facilities.
So-called smart factories promise to improve quality and efficiency in manufacturing, as well as cutting response times. But they create new points of cyber vulnerability, especially if poorly implemented.
Manufacturers are “not as mature as the financial services sector, which has had these attacks for a number of years and is therefore ahead of the curve in terms of its protections”, points out Del Heppenstall, cyber security partner at KPMG in the UK.
They are vulnerable to attacks on several fronts, too.
“From a ransomware perspective, manufacturers are quite exposed to time-driven critical processes,” Heppenstall notes. “So, if you can cause a disruption, manufacturers are perceived to be more prone and therefore more likely to pay a ransom. Companies don’t run dual manufacturing processes.”
A further challenge for industrial companies is their reliance on what is often older technology to run the machinery in their manufacturing operations — whether that is making parts for a customer or building an entire product. Challenges arise when this operational technology is then connected to the company’s corporate IT infrastructure.
All of these issues need to be addressed as manufacturers look to transform the way they operate to take advantage of interconnected systems and the “internet of things”.
While a lot of research is going on into smart factories and what they should look like, the reality on the shop floor is still very different, warns Gareth Williams, vice-president of Secure Communications and Information Systems at French group Thales.
He says setting up a fully connected factory is not that simple, “unless you are building a brand-new greenfield factory from scratch”.
A lot of clients, adds Williams, are in “that middle stage” — where they want to make the factory smart, to connect all their IT systems and make better use of the data but they have an “existing factory infrastructure that they spent many years and many millions of pounds building”.
“Some of it is very old, some of it doesn’t even recognise the internet,” he explains.
While the question for larger companies is how they can protect themselves as they move along the path towards greater digitisation, the challenge for small and medium-sized companies is more often about getting the right level of support and expertise.
In its latest cyber readiness report, the UK-listed insurer Hiscox found that small- and medium-sized enterprises have borne the brunt of recent attacks. Companies with revenues of $100,000 to $500,000 now get as many attacks as those in the $1mn to $9mn bracket.
At the same time, however, IT spending by SMEs has fallen, leaving many exposed, the report reveals.
Ted Plummer, principal product manager at industrial 3D printing company Markforged, which counts companies from a wide range of industries among its customers, says SMEs and the “small machine shops are starting to realise how important maintaining around this digital thread is”.
They need tools to “make it easy to be secure”, he argues, because “people will do what is most convenient”.
Leanne Connor, business manager at the National Digital Exploitation Centre in Wales, warns companies: “You are only as good as your weakest link.”
The centre — a joint venture investment launched by Thales, the Welsh government and the University of South Wales — is situated on the site of a former steelworks in Ebbw Vale and provides training and support to companies to test and develop their digital concepts.
Connor says the key is to “get SMEs up to the right standard . . . the standards we expect from our supply chain are going up all the time”.
KPMG’s Heppenstall sees a “significant amount of third party supplier assurance taking place” as executives test the resilience of their organisations. “Continuity of service is just as important as data,” he adds.
And, while digital transformation may be the ultimate goal for many, Heppenstall cautions that executives should not lose sight of what they are trying to achieve by going down this path. “We found a lot of companies start with the technology and work backwards to apply it,” he says. “You should reverse the sequence and build the technology to meet the outcome you are looking to achieve by doing this digital transformation.”