Manufacturing companies are one of the most popular targets for cybercriminals, based on the sheer amount of classified information they hold. In fact, IBM X-Force Research’s 2016 Cyber Security Intelligence Index found that the sector is the second most-attacked industry behind healthcare, with automotive manufacturers and chemical companies scoring as the top targets for attackers.
Hackers’ intentions can vary when targeting the industry, but they are typically financially-motivated, state-sponsored attacks, which occur when government-funded organizations break into a network to steal intellectual property (IP) and trade secrets. These groups are some of the most sophisticated hackers, using a high level of expertise when targeting companies. They seek extremely valuable IP to further the betterment of the people in their country, or perhaps more commonly, for financial gain.
Prevention Methods for Every Manufacturer
With the continuous increase in cyber threats, and large organizations in nearly every sector making headlines as a result of data breaches, it can seem overwhelming to evaluate just where to start to protect a manufacturing company’s data. Let’s break it down:
First and foremost, manufacturers should have a vulnerability management plan in place, and conduct ongoing vulnerability scans. These regular scans can help find unpatched systems and holes, which is often where hackers find their way in. In fact, most of these attackers are not leveraging zero-day vulnerabilities all the time; instead, they are taking advantage of vulnerabilities that have been out for years.
Next, it’s highly critical to prioritize security awareness, and promote this notion to all employees, from the C-suite to temporary hires and third-party contractors. From my past experience at a chemical manufacturing plant, I found that 40 to 50 percent of attacks by state-sponsored groups were conducted via spearphishing. These attacks are spread through malicious emails that appear to be from an individual or business that you know, though they are not. Employees think the email is from a trusted source, click links within the email, and just like that, a hacker has entry into the company’s network.
A strong example of proactive security awareness is to conduct regular white hat phishing campaigns, where an organization sends out phishing emails to employees that are not malicious, but simply used for education and to gain an understanding of threat levels. This white hat phishing technique captures important data on who is likely to fall victim to an attack, and why. It provides users with education on how to recognize and identify a malicious email, and what to do about it. However, while this is important, manufacturers must also understand that they can’t rely entirely on employees doing the right thing — mistakes will happen and links will inadvertently be clicked.
As employees get up to speed on cybersecurity, an incident response plan should also be in place. This plan should be ongoing and continuously tested, for maximum effectiveness when an incident does occur and organizations have to respond. The incident response plan should feature a few “must-haves,” including:
- Involvement from all levels within an organization, including the CEO, CFO and more. This is not just a project for the IT team. Involve the right people, and ensure there’s a point person who can lead during an incident and make proper, fast decisions when needed.
- A methodical approach on how to respond to an incident. Each incident is different in nature, but should fall under a certain classification, such as high, medium or low risk, so individuals know how to proceed.
- The framework of each type of incident (for example, is it state-sponsored or hacktivism) should also help determine the prescribed approach to take.
Lastly, organizations should harden the security configurations of systems and servers, including revoking privileged access to endpoints. Malware, for instance, requires administrative level privileges to execute on machines. If an organization took these administrative privileges away, nearly 90 percent of infections on machines would stop — all via one fairly simple fix.
Don’t forget that security controls do hinge on culture. How hard is it to implement certain protocols in your organization? IT can recommend application whitelisting, in which organizations prevent unapproved applications from being launched on end-user and server computers, but it can be extremely difficult to implement since applications within a manufacturing environment can be so diverse and users may be averse to these restrictions. Evaluate your internal culture to determine which procedures are best to secure the business.
Conclusion: Metrics Matter
With all of the aforementioned prevention methods in place, manufacturers must also understand just how their organization is performing when it comes to cybersecurity. Is the number of threats detected decreasing? Is employee security awareness increasing, as shown by a reduction in the number of links or attachments clicked? For this reason, it’s recommended that organizations take a KPI (Key Performance Indicator) perspective to cybersecurity, by setting goals and metrics to improve security posture. Manufacturing companies should have an ongoing, metrics-based, intelligence-driven security program in place to evaluate the effectiveness of common programs, like vulnerability management, data loss prevention and antivirus protection.
With these metrics in place, organizations can develop a heat map of sorts, to outline where they should be focusing their efforts and/or where they should continue to invest in protecting their most sensitive assets. This security snapshot will assist in keeping every aspect of a business secure and prepared, making it that much more difficult for even the most sophisticated hacker to take off with a manufacturer’s crown jewels.
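As an added illustration that is not part of the original article, the sketch below turns two of the metrics discussed above (links clicked in white hat phishing campaigns and long-unpatched vulnerability scan findings) into a simple per-department heat map. The department names, sample figures and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article): white hat phishing results
# as (quarter, department, emails_sent, links_clicked).
PHISHING = [
    ("2024Q1", "engineering", 40, 12), ("2024Q2", "engineering", 40, 6),
    ("2024Q1", "plant-floor", 50, 10), ("2024Q2", "plant-floor", 50, 15),
    ("2024Q1", "finance", 20, 2), ("2024Q2", "finance", 20, 1),
]
# Constructed vulnerability scan findings: (department, days_unpatched).
FINDINGS = [
    ("engineering", 30), ("engineering", 400), ("plant-floor", 900),
    ("plant-floor", 700), ("plant-floor", 45), ("finance", 10),
]
# Assumed thresholds; each organization sets its own KPI targets.
CLICK_RATE_TARGET = 0.10   # goal: at most 10% of simulated phish clicked
STALE_DAYS = 365           # finding left unpatched for more than a year

def click_rates(rows):
    """Return {department: {quarter: click_rate}}."""
    rates = defaultdict(dict)
    for quarter, dept, sent, clicked in rows:
        rates[dept][quarter] = clicked / sent if sent else 0.0
    return rates

def heat_map(phishing, findings):
    """Score each department per KPI as 'green', 'amber' or 'red'."""
    stale = defaultdict(int)
    for dept, days in findings:
        stale[dept] += days > STALE_DAYS
    grid = {}
    for dept, by_quarter in click_rates(phishing).items():
        quarters = sorted(by_quarter)
        latest, first = by_quarter[quarters[-1]], by_quarter[quarters[0]]
        if latest <= CLICK_RATE_TARGET:
            awareness = "green"
        elif latest < first:          # above target but improving
            awareness = "amber"
        else:                         # above target and not improving
            awareness = "red"
        n = stale[dept]
        patching = "green" if n == 0 else "amber" if n == 1 else "red"
        grid[dept] = {"awareness": awareness, "patching": patching}
    return grid

if __name__ == "__main__":
    for dept, cells in sorted(heat_map(PHISHING, FINDINGS).items()):
        print(f"{dept:12} awareness={cells['awareness']:6} patching={cells['patching']}")
```
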
Tim Bandos is Director of Cybersecurity, Global Services for Digital Guardian.