Cyberattacks are costing UK manufacturers a fortune and the simple truth is, the sector is not tackling the issue as rigorously as other key sectors, such as finance and health. Helen Saunders discusses the threats.
The UK is currently the ninth largest manufacturing nation, with industry not only generating 10% of GVA, but 45% of exports, 14% of business investment and a whopping 68% of business research and development (themanufacturer.com/uk-manufacturing-statistics).
So, it’s no surprise to learn that our manufacturers represent a very attractive target for cyberattackers.
From a global perspective, manufacturing might not actually make the world go round, but it certainly plays a hugely significant role in just about every aspect of everyday life, representing 14.73% of world GVA and generating £8.6tn in global revenues.
From food to life sciences to technology and the components that make up our national infrastructures, we’re reliant on the value chain to keep on delivering.
Manufacturing is now one of the top three industries targeted in cyber-espionage, the second in percentage of spam in email and the third in spear-phishing (emails that appear genuine, but are targeted at a particular organisation).
Worryingly, the number of attacks on industrial supervisory control and data acquisition (SCADA) systems doubled from 2013 to 2014, as these antiquated systems were increasingly connected to corporate networks and the internet.
Who is targeting the UK’s factories, and why?
In the roll call of those with the means, the motivation and a proven track record of cyberattacks on manufacturers, global organised crime groups rub shoulders with state-sponsored corporate espionage groups and politically motivated activists.
And they’re fighting for supremacy with dishonest employees and former employees, who also have vested interest in illegally accessing networks and data.
To understand why manufacturers top the list of targets for cyberattacks, let’s take a look at what cyberattackers have to gain.
Valuable intellectual property and confidential data
Acquiring information such as product specifications, designs or formulae or customer order schedules can enable a catalogue of nefarious activity, including counterfeiting of goods, interception and theft of physical goods and unfair competitive advantage in commercial negotiations such tenders.
To put this into context, the UK government has estimated £9.2bn is lost to cyber-theft of IP and £7.6bn to cyber-espionage each year.
Cold, hard cash
Downtime and disrupted production schedules are guaranteed to impact manufacturers’ revenues, while benefiting others who could step in to fulfil a key customer requirement.
And knowing the cost is adding up by each hour production is down, cyberattackers are in a strong position to demand a ransom, a tactic which is gaining popularity fast. A recent analysis of downtime by sector estimated the cost of unexpected stoppages in the automotive industry at over £17,000 per minute (read.bi/2cCVM13).
With factories and machines connected more and more, the reliance on remotely controlled operational technology is growing rapidly, and with it the opportunities to infiltrate and subvert – see the case studies on the next page.
Damage to brand/reputation
The jury is out on the precise monetary impact of a publicised data breach. Analysis by security experts such as the Ponemon Institute suggests cyberattackers create a negative perception on the scale of an environmental disaster, although the stock prices of global brands including Target and eBay have bounced back post-incident.
It’s fair to summarise that publicised breaches are not good news for corporates and create some tough questions for the C-suite. Regulatory changes including, notably, the EU GDPR (General Data Protection Regulation), will force industrial businesses to disclose cyberattacks, even where no customer data has been compromised.
The unpalatable truth is that many manufacturers are behind the curve in security because they have not been held to compliance standards like those introduced in financial services (e.g., PCI DSS – the payment card industry data security standard) or the healthcare industry. This means there is a lower investment in cybersecurity and adoption of critical information security practices such as penetration testing across the industrial sector.
Control attack case studies
Case #1 – a massive cyberattack on German steel giant, ThyssenKrupp in 2016 saw hackers steal project data from the company’s plant engineering division and from other areas yet to be determined. ThyssenKrupp announced the attack in December 2016 having identified and cleansed infected systems and implementing new safeguards.
Case #2 – Chinese manufacturer, Hangzhou Xiongmai Technology Co Ltd recalled some of its products sold in the US in 2016 after security researchers identified it had made parts for devices that were targeted in a major global hacking attack. Hackers unleashed a complex attack on the internet through common devices like webcams and digital recorders, and cut access to some of the world’s best-known websites in a stunning breach of global internet stability.
And the result? Put simply, cyberattackers are costing UK manufacturers, and the economy as a whole, dearly.
According to UK government research, 90% of large businesses and 74% of small businesses reported having a security breach in 2015, both figures up on 2014. The average cost of these breaches was between £1.46m – £3.14m for a large firm and £75k – £311k for a small business.
The cost alone, even without the implications of being required to publicly report an attack, makes information security a significant corporate governance issue, which companies are increasingly including in their annual reports.
There is no way of completely preventing a cyberattack in the same way that there is no way of stopping an attempted burglary. However, there are ways to mitigate the threat and impact of a security breach.
A cybercriminal is more often than not going to take the path of least resistance. This means that organisations with stronger cybersecurity programs are less likely to attract cyberattackers in the first instance, and in the second are better placed in the event of an attack.
As digital transformation brings more users, devices and applications online, manufacturers are challenged to protect an expanding attack surface. With more space to operate in and greater opportunities to generate a profit, active adversaries are relentlessly targeting the industrial sector who, in response, are deploying up to 70 disparate security products to address a variety of needs – a practice that is difficult to manage and often leaves businesses more vulnerable.
While potentially increasing capabilities, this conventional, niche-product approach to security can create unmanageable complexity that results in a security effectiveness gap. One approach is through a system-wide architecture. Technology providers (for example, Cisco) can offer security portfolios that increase capabilities, but also decrease complexity, helping clients to close the gap and be more secure.
Industrial cybersecurity takeaways
- Network security challenges are part of a much bigger problem around cybersecurity risk management.
- Legacy network security based upon technology silos and manual processes, and requiring advanced security skills, can’t scale to address the volume, variety, and sophistication of today’s cyber-threats.
- Disconnected solutions contain blind spots that sophisticated attacks exploit. Once hackers establish a successful beachhead, they often remain invisible for months at a time as they navigate across networks, gain access to business-critical systems, and ultimately steal sensitive data.
Helen Saunders, content marketing storyteller, CISCO