Cyber attacks on manufacturing companies are on the rise as attackers attempt to steal valuable intellectual property and information.
The manufacturing sector is now one of the most frequently hacked industries, second only to healthcare, a new report says.
Healthcare, which has a wealth of exploitable information within electronic records, moved into the top spot in the rankings, replacing financial services, which dropped to third place in IBM X-Force Research’s new 2016 Cyber Security Intelligence Index. Manufacturing rose from third place in last year’s report, which offers a high-level overview of the major threats to IBM’s clients’ businesses worldwide over the past year.
Manufacturing includes automotive, electronics, textile, and pharmaceutical companies. Automotive manufacturers were the top targeted manufacturing sub-industry, accounting for almost 30% of the total attacks against the manufacturing industry in 2015. Chemical manufacturers were the second-most targeted sub-industry in 2015, according to IBM.
Many manufacturing companies are behind the curve in security because they have not been held to compliance standards the way financial services has been, with the Payment Card Industry Data Security Standard and the Gramm-Leach-Bliley Act, or the healthcare industry, with the Health Insurance Portability and Accountability Act, Lutgen says. “Because of that, they [manufacturers] tend to be a little laxer with security in terms of some other industry verticals.”
As a result, there is a lack of adoption of key information security practices that have become standardized procedures across most industry verticals, Lutgen says. For example, only 33% of survey respondents indicated that their organizations were performing annual penetration testing within their IT groups.
Manufacturers have unique security issues to deal with as they move toward increased automation.
“[the topic of network security] is becoming increasingly relevant in industrial plants. Factor in emerging trends in the business [such as bring-your-own-device (BYOD) and the Internet of Things (IoT)] and the touch points for potential security threats are increasing at exponential rates.”
Aberdeen, “Ensuring the Security of Industrial Networks in an Insecure World”
One of the better-known attacks to affect the industrial manufacturing sector in recent years was the Stuxnet computer worm, which was discovered in 2010. Stuxnet was designed to attack industrial programmable logic controllers, which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines. By exploiting zero-day vulnerabilities, the worm targets machines and networks running the Microsoft Windows operating system.
The emerging IoT is drawing lots of attention these days, and it certainly presents potential security risks for manufacturers. With the IoT, an enormous number of corporate assets and end products will be linked via networks to provide a steady flow of data about where the objects are located and how they are being used, among other things.
Many manufacturers are already creating IoT strategies or implementing related technologies, for applications such as remote asset tracking, fleet management, energy data management and heavy equipment performance monitoring.
With IoT, manufacturers will not only be making and selling products, they will be offering lots of new services to provide customers with information about those products and how they’re being used.
Companies will need to address challenges such as ensuring data privacy and security, to safeguard customer information as well as meet regulatory compliance requirements. That includes securing networks as well as sensors and other technologies used to track and monitor products and machines.
“So there is a lot of work to do in the manufacturing industry to shore up their defenses for industrial control systems and corporate networks.” – Brian Kuhn
There is no better strategy than paying attention to information security. This may be seen as an expense rather than an investment, but we should understand that keeping data secure is a requirement for smooth and worry-free production. Once we understand that, we can see investing in information security as a profitable deal.
Sikich’s report, combined with some personal thoughts, offers manufacturers some advice about how to mitigate threats:
- Have a dedicated information security team led by an information security leader.
- Give the information security team room to operate rather than aligning everything with production-driven decisions.
- Conduct an annual IT risk assessment to properly understand where threats are originating from.
- Perform annual penetration tests to simulate the threat of someone trying to break into your organization’s network.
- Conduct ongoing vulnerability scanning throughout the year to help the organization stay up-to-date with new threats.
References: IBM, DarkReading.