Written by: Joe Sarkisian, OSCP, CRTO, GWAPT, GCPN
Manufacturing Security Woes: Why Your Widget-Making Workplace is Worrying Me
Manufacturing is about efficiency: getting the most widgets and as many buyers as possible, while having as little leftover and downtime as possible. However, flexibility matters too: adapting to the market faster than competitors and being able to change production on a dime to satisfy ever-changing customer demands. You may have noticed that a trend in all of this is doing things fast, and fast is often the enemy of secure.
Now, let’s walk through some stats based on the 2023 IBM Security X-Force Threat Intelligence Index related to the manufacturing industry:
- The industry accounted for 30% of all extortion cases, which was the leading attack type.
- It made up 58% of all operational technology (OT) attacks.
- In this sector, spear phishing attachments and exploitation of public-facing applications tied for the top two infection vectors.
“For the second year in a row, manufacturing was the top-attacked industry, according to X-Force incident response data.”
IBM Security X-Force Threat Intelligence Index 2023
To summarize, either users are getting phished and downloading an attachment with a malicious payload, which leads to initial access by the threat actor, or a web application has a flaw that allows access to the internal network. From there, extortion actions take place given that the tolerance for production downtime is nearly non-existent.
The convergence of the OT and IT networks for such organizations is one of the main reasons these attacks are effective. A lack of proper segmentation between these two network types is what allows the initial intrusion that happens on the IT side to spread to the OT side. This is where the real damage can take place, such as a ransomware attack that can bring operations to a halt.
In our own testing, we have found a lack of awareness of how these networks are secured. As a result, what many manufacturers believe about segmentation practices at their companies does not match reality. Although it is critical that a layered approach to security is implemented across all organization types, manufacturing’s specific vulnerabilities, and threat actors’ knowledge of how to exploit them, make for a mitigation strategy that is somewhat unique.
In other words, segment, segment, segment, then test, test, test!
More holistically, a plan to implement a security standard that includes segmentation, as well as the more generally understood security controls, is also a necessity. We find the following security issues at manufacturing companies far more often than in any other industry:
- Weak password policies that allow for eight characters, sometimes even fewer
- Legacy operating systems that are not properly segmented (there’s that word again) from the rest of the network
- Large gaps in asset management and knowledge of what is actually on the network (and belongs there)
- Ancient Active Directory tech debt that often allows for rapid privilege escalation by threat actors
- Lack of strong controls to prevent a social engineering attack from being successful
- Poor physical access controls
We understand that the nature of this industry has baked-in vulnerabilities, but the cost of not properly balancing them with a robust security program is dire. In fact, the cost of a breach in manufacturing is higher than the overall average across all industries. Just ask Honda, Norsk Hydro, and many others that have suffered both in public and in private due to a devastating breach.
If you are an organization in this space seeking assistance in implementing your security program, please reach out to a member of our team today!