Five steps to protect your factory from ransomware attacks

Posted on 30 Jun 2017 by The Manufacturer

Ransomware attacks are rising in frequency and manufacturers are a key target for organised crime. Helen Saunders discusses the threats and outlines the steps you can take to minimise the damage to production, reputation and the bottom line.

Ransomware is the cyberattack of the moment, and it has the potential to send your productivity into freefall and it doesn’t discriminate – businesses of all sizes and types are at risk.
Ransomware is the cyberattack of the moment, and it has the potential to send your productivity into freefall and it doesn’t discriminate – businesses of all sizes and types are at risk.

The threat of downtime strikes fear into manufacturing businesses of every type, and with good reason – downtime inevitably costs money, and plenty of it. A recent analysis of downtime by sector estimated the cost of unexpected stoppages in the automotive industry at over £17,000 per minute.

However, it’s no longer just malfunctioning machines and user error that manufacturers need to contend with in the battle to preserve productivity.

Ransomware is the cyberattack of the moment, and it has the potential to send your productivity into freefall and it doesn’t discriminate – businesses of all sizes and types are at risk.

The recent ‘WannaCry’ ransomware cyberattack that affected the NHS infected more than 300,000 computers in 150 countries, especially Russia, Taiwan, Ukraine and India, according to Avast Software, a Czech antivirus software and interent security firm. Large firms and organisations that were affected include FedEx, Spain’s Telefonica and Deutsche Bahn.

Ransomware involves businesses or individuals being taken hostage by malware that locks up critical resources. It uses traditional malware attack methods such as phishing emails and exploit kits to gain access to a desktop computer.

This article first appeared in the June issue of The Manufacturer magazine. To subscribe, please click here

Once there, it takes over systems and stored data, encrypting their contents, denying access, and holding them hostage until a ransom is paid. Ransomware uses well-established public/private key cryptography, so that the only way to recover the files is to either pay the ransom or restore files from backups. Typically, if the ransom demand is paid, the attacker often, but not always, provides the decryption keys to restore access.

Cyber goldmine

This is the most profitable type of malware in history, with every business or individual who does pay up in order to recover their files, sending money directly to the attackers, who are usually organised criminals.

Anonymous currencies such as Bitcoin and Ripple offer attackers an easy way to profit with relatively low risk, making ransomware highly lucrative and self-funding. Cisco Talos research shows that a single ransomware campaign can generate up to $60m annually.

Blockchain CyberAttackers CyberSecurity Hack CyberThreat Data Digital - Stock
Ransomware is evolving at an alarming rate – it has grown at a rate of 350% in 2016 alone, and new versions of ransomware are constantly being unveiled.

As a result, ransomware is evolving at an alarming rate – it has grown at a rate of 350% in 2016 alone, and the FBI has said it is on its way to becoming a $1bn annual market.

And new versions of ransomware are constantly being unveiled.

Cisco has recently seen a strain whereby victims get the option to give the details of two other computers to have their data unencrypted, so they don’t have to pay up.  Think of the potential chaos!

Manufacturers are targets

Worryingly, manufacturers are right up there at the top of the target list for ransomware attacks, as shown by recent Fortinet research.

Between 1 October 2015 and 30 April 2016, Fortinet monitored and collated network traffic for 59 mid-sized to large manufacturers, spread out over nine countries in key markets across the Americas, EMEA, and APAC. During those seven months, it recorded 8.63 million attempted attacks, 78% of which were targeted at large manufacturers with 1,000 or more employees.

If you’re wondering just how much of a risk ransomware is to your business, the case study below details the anatomy of a ransomware attack on a manufacturer (based on a genuine example).

Ransomware cast study

Day 1
• An employee in the ‘carpeted’ factory office falls victim to a social engineering scheme when clicking an email attachment which has been made to look genuine, but is actually laced with malware.
• Cryptowall malware gets on to the employee’s computer and quietly propagates throughout the company network, encrypting accounting data and files critical to several production systems as it goes.

Day 2
• Hack is discovered when a colleague on the plant floor is unable to access production files and a message flashes up on screen warning him that the system and all files within it have been locked. The company has 72 hours to pay a ransom to unlock it, or lose the files forever.
• Production cannot be started, leaving the whole production line inactive and operatives with nothing to do.

Day 3
• Downtime continues, costs rack up.
• Frantic activity between company IT and outsourced service provider.

Day 4
• After two days of downtime, the manufacturer opts to pay the ransom to decrypt the system and bring in external consultants to clean the network.

Days 5-7
• External consultants work round the clock but are unable to uncover 100% of the lost data as the hackers did not fully unencrypt all of it and the company did not have up-to-date backups.
• Significant damage to brand and reputation as the manufacturer was unable to meet agreed deadlines and unable to communicate clear timescales.

So, why are manufacturers at such high risk from ransomware attacks, and what should you do if you are a victim?

Digitisation and unpreparedness

Two key factors make manufacturers an attractive target for cyberattackers. The first is the perfect storm of digitalisation, which is driving manufacturers to connect their factory systems with their enterprise networks to drive a range of improvements ranging from efficiency to flexibility to profitability, while also relying on legacy ‘industrial automation and control systems’ (IACS) which were never conceived with security or IP connectivity in mind.

CyberAttackers CyberSecurity Hack CyberThreat Data Digital - Stock
Cisco’s Ransomware Defence Solution is designed to prevent ransomware from getting into the enterprise wherever possible.

The second factor is a marked lack of preparedness, where manufacturers are behind the curve in security because they have not been held to compliance standards such as those introduced in financial services (eg, PPCI DSS – the Payment Card Industry Data Security Standards) or the healthcare industry.

This means there is a lower investment in cybersecurity and adoption of critical information security practices such as penetration testing across the industrial sector.


There are no silver bullets nor absolute guarantees for protection, but products such as Cisco’s Ransomware Defence Solution, do help to prevent ransomware from getting into the enterprise wherever possible, stop it at the system level before it gains command and control and detect when it is present in the network.

Importantly, it also works to contain it from expanding to additional systems and network areas while performing incident response to fix the vulnerabilities and areas that were attacked. These capabilities work together to create several layers of defence, protecting an organisation against the threat and spread of ransomware.

To defend against ransomware attacks, having a robust architecture designed with security in mind is only the beginning. To recover well and with the minimum impact to your operations, it’s essential that you know the critical priorities for your factory, and whether they can be impacted if your systems are locked down.

A good start is the list of ‘Top tips’ in the box below, which help a rapid return to ‘business as usual’ following a ransomware attack.

Five top tips for recovery from a ransomware attack

  1. Ensure you have good backups If you do weekly backups, transition to daily; if you do daily, consider hourly or real-time.
  2. Develop a good disaster recovery plan Ensure that it is regularly tested and updated as the business grows and changes.
  3. Carry out security awareness training Identify all of the people, processes, and tools necessary to handle a critical disruption or event. Perform drills to test these plans on a regular basis.
  4. Develop a comprehensive baseline This covers the applications, system images, information and your normal running network performance. It gives you visibility into changes on your network, enabling detection of the unusual.
  5. Standardised images of operating systems and desktops This allows for easy re-imaging to recover infected infrastructure.


What 1 minute of unplanned downtime costs major industries – Business Insider UK:

Cisco Ransomware Defense: Keep Ransomware at Bay – Cisco:

Move over Healthcare, Ransomware Has Manufacturing In Its Sights – Fortinet: