Article | Managing Risk

Manufacturing: Is your business low-hanging fruit for cybercriminals?

February 24, 2022

Why is manufacturing an apparently soft target for cybercriminals and what straightforward steps can you take to protect your organisation?

Manufacturers have been comparative latecomers to their own cybersecurity journeys, but those drivers that once justified not prioritising cybersecurity are fast disappearing. Changes in technology, insurance, supply chain expectations and the evolving nature of attacks are all adding to the pressure on manufacturers to modernise their cybersecurity stances or face a widening range of undesirable consequences.

Unlike other sectors galvanised into well-established cybersecurity approaches either by their regulated sectors, such as financial services, or the high volumes of personal information they handle, such as online retail, manufacturing has not been subject to the same imperatives.

This has led to typically lower capital investments in cybersecurity, often under the assumption they’re unlikely to be a target, perhaps because manufacturers believe they lack the data most prized by attackers. But criminals have moved on, as has manufacturing technology.

While stealing data was once a key mode of hitting businesses, attack vectors have developed, with criminals now seeking to shut down production and extort ransoms from manufacturers.

Previously the production line would be separate from the IT environment, so even if there was malicious activity in IT, production could continue. But criminals have been paying attention to the growing integration of IT and production and to the fact that manufacturing is playing catch-up, with fewer firewalls to penetrate in order to launch an attack.

Increasing automation and integration between IT and production, and the use of AI and the Internet of Things in manufacturing are often happening within environments more traditionally focused on performance and safety, not security. And in some cases, this setup is being operated and managed not by cybersecurity experts, but manufacturing specialists or an IT function that doesn’t specifically own cybersecurity.

These scenarios create a system environment with both a large attack surface and a significant vulnerability. Little wonder, then, that manufacturers are identified as potentially soft targets by cybercriminals.

We know from our experience at WTW that manufacturers are being targeted on a daily basis, and recent research [1] indicates manufacturing companies are the most likely targets of certain types of attack.

But the direct threat of strikes that could severely reduce or entirely halt production and the ability to meet demand isn’t the only factor making cyberattack a material concern for manufacturers. Gaps in cybersecurity could leave your business facing heightened insurance costs, or even becoming uninsurable.

Previously, manufacturing was perceived by underwriters as having a lower risk profile than purchasers in sectors such as finance and retail which were once more likely to face claims due to data breaches. But this has ended with the regular targeting of manufacturers and left once insurable operations potentially struggling to find cover when compared with their peers with more advanced cybersecurity.

These same competitors may also be more likely to represent a more compelling proposition to potential partners who, particularly after continued supply chain disruption in recent times, are increasingly alert to the means of building in greater resilience to their flows. Well-established and demonstrably effective cybersecurity may prove an important element of this when competing for tenders.

So, what cybersecurity steps should manufacturers take as a matter of increasing urgency without feeling overwhelmed or concerned at the prospect of prohibitive investment?

It may be worth thinking about the endeavour in broad steps, the first of which is identifying ‘the crown jewels’, that is, the systems and machines you need to protect above all others.

Next, assess the strength or otherwise of the security around these prized assets before prioritising what steps you might take to reduce their vulnerabilities to attack. This could lead to measures such as segregating data depositories, tighter user access controls and broader cybersecurity moves such as developing defence-in-depth strategies that involve a series of security mechanisms and controls layered throughout a computer network.

You should also create a strategy that constantly tests the efficacy of these controls, recognising this will need funding and support from people with the right expertise and at the appropriate seniority to ensure cybersecurity is owned at a strategic level.

If you don’t have all the answers, either for an underwriter assessing your business for cover or a potential partner seeking assurances your organisation won’t prove a weak link in the supply chain, then work with internal or external experts to understand what you don’t know and to get a full picture of your vulnerabilities.

Asking the right questions and devising the road map to strengthening cybersecurity can often prove an important first step for manufacturers serious about putting their business out of cybercriminals’ reach.

How can WTW help?

To understand your manufacturing business’ potential vulnerability to cyber and work with experts to close the gaps, please get in touch.

Footnote

1 https://www.zscaler.com/resources/white-papers/threatlabz-ransomware-review.pdf

Contacts

Neil Charman
Manufacturing & Industrial Practice Leader

Associate Director, Consulting and Client Management, CRS – FINEX GB

Matt Ellis BSc (Hons), MSc
Director - FINEX GB - Cyber & TMT
