Industry Spotlight: Manufacturing
Manufacturing can seem an impossibly broad class of business, including everything from light assembly to heavy industrial, and a lot in between. But at their core, all manufacturers have an inherent incentive to make production more efficient through incorporation of technology. This can include automation, advanced machinery, simple task augmentation, and many other modern capabilities to reduce human labor with increased precision.
It is this integration of technology that introduces new cyber risk to a manufacturer.
This Industry Spotlight from AXIS Global Cyber & Technology focuses on cyber exposures impacting the manufacturing industry, offering practical steps to build resilience, while also highlighting how prudent cyber underwriters can approach this class.
Cyber Incidents Impacting the Manufacturing Sector
Ransomware Attacks
Manufacturers face ransomware attacks that can halt production, disrupt logistics, and result in significant financial losses.
Examples
- A pottery firm had its servers encrypted and payroll systems disrupted. Recovery was possible due to unencrypted backups
- An aluminium producer was hit by ransomware that disabled antivirus tools, network interfaces, and user access, forcing operations into manual mode
- A global office furniture manufacturer shut down operations for two weeks due to ransomware, delaying shipments
- A supplier of process control products was attacked, severely impacting its ability to ship goods and causing downstream disruption for its customers
Threat Methods
- Phishing emails with malicious attachments
- Exploited vulnerabilities in active directory and remote access tools
- Malware with worm-like propagation
- Lack of segmentation between IT and OT environments
Insider Threats
Disgruntled or former employees can exploit retained access to sabotage systems and disrupt operations.
Example
- A former IT employee used previous account access to alter control configurations, causing production mills to shut down and resulting in millions in damages.
Threat Methods
- Privileged account misuse
- Inadequate access revocation processes
- Weak identity and access management
Data Breaches
Manufacturers are vulnerable to breaches that expose customer data, including personal and financial information.
Example
- A breach of an online order system exposed names, addresses, and credit card details of nearly a million customers.
Threat Methods
- Web application vulnerabilities
- Credential theft
- Poor database security
- Misconfigured systems
Cyber Espionage and Intellectual Property Theft
State-sponsored actors and cybercriminals target manufacturers to steal industrial secrets and proprietary designs.
Example
- Malware linked to a state-backed group infected an industrial automation firm, aiming to extract sensitive data
Threat Methods
- Advanced persistent threats
- Supply chain compromise
- Spear phishing
- Exploitation of OT/IT convergence
Operational Technology (OT) Disruption
Attacks targeting OT systems can paralyze production environments and require manual fallback operations.
Example
- Malware disabled antivirus protection and network interfaces, changed admin credentials, and logged machines off, forcing a manufacturer to operate manually for days
Threat Methods
- Malware with administrative access
- Lack of network segmentation
- Vulnerabilities in industrial control systems
Cyber Exposure Characteristics
What is clear is that nearly every sub-sector of manufacturing has considerable cyber exposure. All these attacks highlight the vulnerability of manufacturing organizations, often with sprawling networks, inconsistent protection, and substantial commercial activity hanging in the balance. These industry-specific attacks illuminate a few key considerations:
- Lower PII Risk: Manufacturers are generally business-to-business (B2B) companies so they tend to hold less personally identifiable information (PII) than companies in the service sector such as retailers and hotels. They are also unlikely to take payments by credit card. There are of course exceptions whereby manufacturing companies sell direct to end customers through online stores. But, broadly speaking, fewer customer records and no credit card payments mean manufacturers are less vulnerable to fines and class action suits following data breaches. The danger from being extorted by cyber criminals over leaked PII data is therefore somewhat diminished.
- Ransomware Target: The manufacturing sector remains the number one target for ransomware, for a fourth consecutive year according to IBM’s X-force threat intelligence report1. Firms with antiquated legacy infrastructure are often highly vulnerable, and the financial impact of shutting down production in a manufacturing facility can be substantial. These high costs of business interruption can promote inflated ransom demands by criminals.
- BI Variability: Manufacturers’ exposure to business interruption can vary widely based on the individual gross margins, which can vary from low single-digit to mid-double-digit percentages. Since business interruption coverage in a cyber insurance policy generally covers these lost profits, the difference from one organization to another can be substantial.
- Legacy: Manufacturers must often deploy disproportionate amounts of budget to maintain legacy IT systems that could otherwise be allotted to more effective security and modernization. An important factor in evaluating a company’s risk management is its financial commitment to security as a percentage of its total IT spend.
Operational Technology
An additional albeit less attention-grabbing risk factor is the incorporation and inherent vulnerability in operational technology (OT) within manufacturing. OT refers to the hardware and software used to control physical processes in systems that may run production lines in factories, manage output in power stations and control trains in transport networks. An example of OT could be a programmable logic controller (PLC) that controls injection of a chemical into a food product, ensuring a safe amount is injected consistently – but where an error could prove deadly.
Generally, OT is more simplistic and harder to protect. To comprehend the unique risk posed by OT, one must understand the environment in which OT is used.
Manufacturing facilities are often continuous production systems, potentially operating 24/7, and often run on very slim profit margins so any downtime can be material. This means there are few windows for software updates and they can only happen when some physical maintenance is also taking place. In the IT world the patching cycle is monthly, or more frequently, but in OT it may be only once every year.
This combination of highly vulnerable systems, with the vital nature of their functioning to keep people safe, means that OT is an emerging risk that cannot be underestimated. Fortunately, many of the recommendations can apply to all technology in a manufacturing environment.
Steps to Build Resilience and Manage Risk
The range of attack vectors facing manufacturers makes it clear that no single cyber security tool or tactic can eliminate the risk, but some approaches deserve continued focus:
- Develop and maintain strong access control hygiene
- Commit to regular and proactive patching cadence
- Practice in-depth defense, including adequate network segmentation
- Ensure effective back-up strategies are in place and functioning
- Don’t overlook the human factor in any response –- focus on disaster recovery, incident response and business continuity planning
Conclusions
Manufacturing plays a critical and ubiquitous role in our lives. The organizations in the manufacturing industry exist in complex supply chain networks vulnerable to disruption and they are supported individually by technology that is too often insecure. As the insurance industry performs its societal purpose to protect business and individuals from harm, manufacturing is an area that requires continued support and understanding of its unique exposures.
Disclaimer
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. Cyber incident examples may be based on actual cases, composites of actual cases or hypothetical claim scenarios and are provided for illustrative purposes only. Facts may have been changed to protect the confidentiality of the parties. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued, and applicable law.
The practices, services or service provider(s) discussed herein are suggested as risk mitigation or incident response resources only. Use of any practice, service or service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract, or compliance with any law, rule, or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any practice, service or service provider as part of its overall risk management strategy.