Breaching the Assembly Line: When Cyberattacks Target Manufacturing
On May 13, 2017, workers arriving onsite at an auto manufacturing facility in northern France were greeted with a message being broadcast on the company’s TV screens. It was from hackers: pay the ransom or critical files would be deleted.
As the WannaCry, Petya and NotPetya cyberattacks spread across the globe in the spring of 2017, businesses, hospitals, transportation, and government agencies around the world felt the impact. Yet the one area of business to see some of the greatest impact of those attacks was the one least talked about – manufacturing.
At five of the above-mentioned auto company’s manufacturing sites across the world, the attack brought down the company’s production capabilities, reducing or prohibiting business as usual. While the company was able to contain the spread of the attack and get back up and running within a few days, the impact could potentially be felt for months.
In fact, the ripple effect of just one hack can be devastating for manufacturing. A North Carolina-based manufacturer stood to lose $270,000 in revenue for each hour the plant’s systems were held captive by hackers. The transmission manufacturing plant was hit with a malware attack via email in August 2016. Had the hackers been able to compromise systems, the company would not have been able to supply parts to the nine plants in the US it had contractual agreements with.
However, the company was prepared. While there was some data lost on laptops, a strong firewall blocked larger damage. In April 2017, the plant was once again the target of a malware attack. Once again, the firewalls helped contain the damage and prevent its spread.
Yet not all manufacturers are prepared for cyberattacks. A major international snack food manufacturer was hit with the Petya cyberattack on June 27, 2017, causing a four-day disruption in the company’s ability to invoice and ship product. The result: the company reported a loss of three percentage points from second-quarter sales growth .
Impact on Business
Yet the financial impact on manufacturers is just part of the story. Particularly for highly automated manufacturing where a cyberattack can halt production, it can bring with it plenty of residual damage. Manufacturers face a litany of issues beyond the cost of the business interruption: disruption within the supply and distribution channels, the cost of the extortion, upheaval in the manufacturing schedule, potential theft of personal information, reputation damage, and exposure to third-party liability.
For just-in-time manufacturers, the impact is compounded. With a minimal amount of inventory in the supply chain, losses can mount quickly. Lost revenue, fines, even lawsuits stemming from a company’s inability to meet contractual responsibilities can be just part of the issue. System vulnerabilities can also expose companies to costly losses connected to theft of customer data. For instance, Anthem, the US’s second largest health insurer, recently agreed to pay $115 million to settle class-action lawsuits stemming from a 2015 cyberattack breach that potentially affected the personal information of nearly 80 million customers, company officials.
Just how often are manufacturers targeted? A recent report shows that between January 2015 and April 2016, manufacturers suffered 17 percent of the viruses unleashed on business . It is a number that shifts based on the whims of the attackers: in 2013, manufacturing was one of the most targeted sectors for cyberattack .
Lost revenue, fines, even lawsuits stemming from a company’s inability to meet contractual responsibilities can be just part of the issue."
In some cases, manufacturers are making it easy for hackers to attack. System updates are overlooked or ignored, and manufacturers could be working with outdated systems. These older operating systems in particular may not be supported and lack the essential security updates.
Such unsecure software can create an open door for hackers. In a recent experiment, researchers were able to exploit a remote code vulnerability in an industrial robot, illustrating how hackers can alter easily manufacturing parameters, which could cause large-scale product recalls or critical defects in products .
It wasn’t news to Fiat Chrysler. In 2015, the company voluntarily recalled 1.4 million vehicles after security researchers revealed the vulnerability after taking control of one of the company’s vehicles by hacking into the infotainment system. It was the first automotive cybersecurity recall. The company’s third quarter earnings showed a $330 million net loss attributed to the recall.
Other vulnerabilities lie within the company’s operating procedures. Some manufacturers have implemented policies that allow employees to access company networks and systems via personal devices, such as cell phones. Such systems often lack appropriate firewalls and security, which could leave an entire manufacturing operation exposed to hackers.
Yet many times the most effective vulnerability is the simplest for hackers to exploit. Email phishing scams have been a favorite delivery method for hackers distributing malware attacks, with ransomware being the most prevalent attack of 2017 to date .
Plugging the Holes
It is imperative then that manufacturers build a solid approach to cybersecurity that encompasses all facets of operations. That includes uncovering areas of vulnerability and reviewing current business practices. Organizations should consider the following:
Update all systems and software. One of the biggest exposures is one of the easiest to fix. System and software updates often contain security patches and updates, yet too often these updates are forgotten or ignored. Regularly update and make sure all software and hardware is still supported.
Establish firewalls and reinforce existing ones. That includes ensuring that all personal devices that are connecting to the organization’s cyber infrastructure are doing so through secure networks. Require password protection, and require employees connecting via personal devices to install and update security software. Hire security experts to create system network segmentation across the organizations that deter the spread of any cyberattack.
Conduct a risk assessment. Including vendors and suppliers along the entire supply chain, organizations should examine potential vulnerabilities, particularly within the systems of each entity. Contractual agreements should include cybersecurity requirements that meet or exceed the organization’s own security.
Review and establish stronger policies and procedures. Tighten existing policies and establish cybersecurity-specific procedures that spell out what employees can and cannot do while connected to or attempting to connect to the company’s network and systems. Also, policies should describe what devices are allowed, what updates are required, and what actions will be taken in the event of a breach.
For email vulnerabilities, companies should train employees on how to handle emails containing links. Put in place a two-step verification process that has employees verifying the sender’s email address and contacting the sender via phone or a separate email before clicking on links.
Review insurance coverage. Policies should contain coverage for the cost of cyberextortion and ransomware business interruption, dependent business interruption (if a critical vendor is the victim of a cyberattack), as well as crisis response costs (including forensic coverage to help mitigate costs associated with any investigation and cleanup) and third party liability coverage.
As hackers become more sophisticated in breaching systems and software, manufacturers can expect to see in increase in the frequency and severity of cyberattacks. For larger organizations, such breaches could cost millions. Yet by reviewing operations and planning both prevention and response, manufactures can decrease the impact of cyberattack and keep the business up and running.
About the author . . .
Greg Chambers is a senior underwriter in XL Catlin’s Cyber and Technology insurance business. He can be reached via email at firstname.lastname@example.org.