Industry Spotlight: Manufacturing
This Industry Spotlight from AXIS Cyber Risk Advisory focuses on cyber exposures impacting manufacturing companies, through the lens of historical incidents and the lessons that can be learned.
Manufacturing can seem an impossibly broad class of business, including everything from light assembly to heavy industrial, and a lot in between. But at their core, all manufacturers have an inherent incentive to make production more efficient through incorporation of technology. This can include automation, advanced machinery, simple task augmentation, and many other modern capabilities to reduce human labor with increased precision.
It is this integration of technology that introduces new cyber risk to a manufacturer. Here we examine how past events within the manufacturing industry can help inform risk management decision-making and elevate resiliency in the future, while also highlighting how prudent cyber underwriters can approach this class.
Over the past decade, various manufacturers have succumbed to cyber attacks with varying degrees of impact from data theft to major operational disruption. Unfortunately, examples abound.
Snapshot of cyber incidents in manufacturing over the decade
- February 2014 – An insider threat attack against Georgia-Pacific, one of the world’s largest producers of paper and pulp products, caused over $1m in damages [1]. With more than 200 production facilities worldwide and many of its paper mills operating 24/7, any downtime could significantly impact profits and productivity. A former employee in the company’s IT department, who apparently held a grudge after their role was terminated, used their access to previous accounts to alter control configurations, bringing some mills to a sudden stop.
- July 2015 – Hanesbrands, a clothing multinational based in North Carolina, had to notify 900,000 customers after suffering a breach of data from their customer order database. Hackers accessed this through their online order system to harvest names, addresses, and credit card details [2].
- December 2018 – Steelite International, a pottery firm based in Stoke-on-Trent, UK, with customers in 140 countries, was targeted in a ransomware attack. Hackers encrypted its servers and disrupted its payroll systems, demanding $2m in bitcoin. However, since the company had unencrypted backups, and the payroll system was not mission critical in production, they did not pay the ransom and were able to recover in a few days [3].
- March 2019 – Norsk Hydro, a Scandinavian aluminum smelter, was one of several manufacturers hit by a ransomware attack from the LockerGoga virus. Other firms affected included French engineering firm Altran and US chemicals companies Hexion and Momentive [4]. The LockerGoga malware is particularly nasty because it goes beyond encrypting files to paralyze systems, causing crippling disruption. It gives access to Microsoft’s Active Directory management tools to turn off antivirus protection, disable network interfaces, change user and admin passwords, and log machines off. This type of indiscriminate closure can be particularly dangerous in a production environment. In Norsk Hydro’s case, production was halted and several plants shut down. The attack meant they had no network, no website and no self-managed IT [5]. The company had to switch to operating in manual mode and held daily press conferences giving details of their recovery efforts. Refusing to pay the ransom, they eventually restored their systems from backups, but the damage is believed to have cost around $75m to remediate [6].
- July 2019 – Siemens, the German industrial automation conglomerate, was infected by Winnti malware [7]. The reported culprit was a Chinese state-backed group looking for industrial secrets. This followed a similar attack on Siemens in 2017, also by a China-based security company affiliated with the People’s Liberation Army [8].
- November 2020 – International office furniture manufacturer Steelcase, with 13,000 employees and sales of $3.7bn, was forced to shut down global operations for two weeks following a Ryuk ransomware attack [9]. The resulting business interruption led to some shipments being deferred into the next quarter.
- February 2023 – MKS Instruments, which makes process control products that monitor advanced manufacturing lines, was hit by a ransomware attack. This severely impacted its ability to ship products, which, in turn, disrupted its customers like Applied Materials, which issued a profit warning linked to the MKS attack [12].
- May 2023 – Hawa Sliding Solutions AG, a Swiss manufacturer of steel construction products, discovered malware in their production management system and subsequently shut it down. They reverted to manual processing of orders while the IT infrastructure was rebuilt from scratch [10], which took several weeks.
- September 2023 – Johnson Controls, a Fortune 500 supplier of industrial control systems, was hit by a massive ransomware attack that encrypted many of the company’s devices and put several of its subsidiaries’ IT systems out of action [11].
Cyber exposure characteristics
What is clear is that nearly every sub-sector of manufacturing has considerable cyber exposure. All these attacks highlight the vulnerability of manufacturing organizations, often with sprawling networks, inconsistent protection, and substantial commercial activity hanging in the balance. These industry-specific attacks illuminate a few key considerations:
- Lower PII risk: Manufacturers are generally business-to-business (B2B) companies so they tend to hold less personally identifiable information (PII) than companies in the service sector such as retailers and hotels. They are also unlikely to take payments by credit card. There are of course exceptions whereby manufacturing companies sell direct to end customers through online stores. But, broadly speaking, fewer customer records and no credit card payments mean manufacturers are less vulnerable to fines and class action suits following data breaches. The danger from being extorted by cyber criminals over leaked PII data is therefore somewhat diminished.
- Ransomware target: The manufacturing sector remains the number one target for ransomware, for a fourth consecutive year according to IBM’s X-Force threat intelligence report [13]. Firms with antiquated legacy infrastructure are often highly vulnerable, and the financial impact of shutting down production in a manufacturing facility can be substantial. These high costs of business interruption can promote inflated ransom demands by criminals.
- BI variability: Manufacturers’ exposure to business interruption can vary widely based on the individual gross margins, which can vary from low single-digit to mid-double-digit percentages. Since business interruption coverage in a cyber insurance policy generally covers these lost profits, the difference from one organization to another can be substantial.
- Legacy: Manufacturers must often deploy disproportionate amounts of budget to maintain legacy IT systems that could otherwise be allotted to more effective security and modernization. An important factor in evaluating a company’s risk management is its financial commitment to security as a percentage of its total IT spend.
Operational technology
An additional, albeit less attention-grabbing, risk factor is the incorporation of operational technology (OT) within manufacturing and its inherent vulnerability. OT refers to the hardware and software used to control physical processes in systems that may run production lines in factories, manage output in power stations and control trains in transport networks. An example of OT could be a programmable logic controller (PLC) that controls injection of a chemical into a food product, ensuring a safe amount is injected consistently – but where an error could prove deadly.
Generally, OT is more simplistic and harder to protect. To comprehend the unique risk posed by OT, one must understand the environment in which OT is used.
Manufacturing facilities are often continuous production systems, potentially operating 24/7, and often run on very slim profit margins so any downtime can be material. This means there are few windows for software updates and they can only happen when some physical maintenance is also taking place. In the IT world the patching cycle is monthly, or more frequently, but in OT it may be only once every year.
The event that really thrust OT risks onto the front page was the 2021 Colonial Pipeline ransomware attack, attributed to DarkSide, a Russia-affiliated cybercrime organization. Colonial Pipeline was responsible for almost half the gasoline supply to the East Coast. A ransom of $4m in Bitcoin was paid but the pipeline was shut for a week causing fuel shortages in airports and gas stations. The US President declared a state of emergency, and the DarkSide group issued a rare public apology. The full force of the US security establishment was turned on the criminals and within a month the justice department announced that it had recovered 90% of the Bitcoin ransom payment from DarkSide’s servers. While the worst outcome was avoided, the incredible vulnerability and reliance on OT was made alarmingly clear.
This combination of highly vulnerable systems, with the vital nature of their functioning to keep people safe, means that OT is an emerging risk that cannot be underestimated. Fortunately, many of the recommendations can apply to all technology in a manufacturing environment.
Steps to build resiliency and manage risk
The range of attack vectors facing manufacturers makes clear that no single cyber security tool or tactic can eliminate the risk, but some approaches deserve continued focus:
- Develop and maintain strong access control hygiene
- Commit to regular and proactive patching cadence
- Practice defense in depth, including adequate network segmentation
- Ensure effective back-up strategies are in place and functioning
- Don’t overlook the human factor in any response – focus on disaster recovery, incident response and business continuity planning
In conclusion
Manufacturing plays a critical and ubiquitous role in our lives. The organizations in the manufacturing industry exist in complex supply chain networks vulnerable to disruption and they are supported individually by technology that is too often insecure. As the insurance industry performs its societal purpose to protect business and individuals from harm, manufacturing is an area that requires continued support and understanding of its unique exposures.
Sources
- [1] Middle District of Louisiana | Former Systems Administrator Sentenced to Prison for Hacking into Industrial Facility Computer System | United States Department of Justice
- [2] Wall Street Journal - 29 July 2015
- [3] One of Stoke-on-Trent's biggest employers hit by massive cyber attack as workers warned to check bank accounts - Stoke-on-Trent Live
- [4] https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/
- [5] https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
- [6] https://www.industrialcybersecuritypulse.com/facilities/throwback-attack-norsk-hydro-gets-hit-by-lockergoga-ransomware/
- [7] https://www.reuters.com/article/us-germany-cyber-idUSKCN1UJ147
- [8] https://www.reuters.com/article/us-germany-cyber-idUSKCN1UJ147
- [9] Bleeping Computer - 12 November 2020
- [10] https://www.moebelfertigung.com/en/news/cyber-attack-at-the-swiss-sliding-hardware-manufacturer
- [11] https://www.bleepingcomputer.com/news/security/building-automation-giant-johnson-controls-hit-by-ransomware-attack/
- [12] MKS Instruments says February ransomware attack will clip $200M from revenue | Cybersecurity Dive
- [13] IBM Security X-Force Threat Intelligence Index 2025
Disclaimer
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. The services and service providers discussed in this document are suggested as risk mitigation and incident response resources