This past May, Brazil-based JBS, the world’s largest meat processor, suffered a cyberattack that temporarily halted operations in the U.S., Australia, and Canada. That same month, a cyberattack on the Colonial Pipeline, the largest fuel pipeline in the U.S., interrupted deliveries in a dozen states, causing millions to line up for gas, some hoarding it in plastic bags and other fire hazards. Other manufacturers reportedly victimized this year include New Cooperative Inc., Kia Motors, Acer, Quanta, Brenntag, and many more manufacturers of everyday necessities.
Media reports of companies brought to their knees by cybercrime have become like surround sound, with many likely tuning them out as “other people’s problems.” Until they become our own, big problem.
The manufacturing sector has quickly become a top target of threat actors because of its reliance on automation and digitization, the cost of shutdowns, and the high-value transactions for materials and finished goods. Modern manufacturing facilities feature interdependent IT systems. If these systems are breached, criminals gain access to monitoring and control systems, designs, and intellectual property. A 2020 study by PwC revealed almost one in five cyberattacks targeted manufacturers, and security firm Dragos reports attacks against manufacturing companies tripled last year. Sophisticated tools like ransomware-as-a-service are bought and sold on the dark web, and a growing pool of tech talent chooses crime as a career.
It’s time to get worried.
Manufacturing companies that want to avoid joining these statistics need to marshal cross-functional resources, with internal and external IT security and communications professionals at the head of the table. The following five steps should be prioritized:
- Practice a culture of caution.
While everyone needs to get involved with cybersecurity, stern directives from the executive suite and constant nagging from IT aren’t an effective approach to employee engagement. A culture of security enablement must exist at every level of a manufacturing organization. The solution is a joint effort by the security and communications functions to develop a comprehensive awareness program that includes an employee communications plan covering research, engagement measures, trust building, and constant, positive reinforcement from the company’s leadership. The security function working in concert with the communications function will enable executive buy-in and ensure messaging is concise and broadcast through the right channels.
- Harden the organization’s defenses.
In manufacturing environments, most attacks are the result of unpatched security vulnerabilities on legacy systems (both network and operations), human error, and the loss or theft of devices containing corporate data. Manufacturers must reduce these vulnerabilities via a properly resourced and empowered IT and security team, ongoing technical assessments of the environment, operational discipline, and enforcement of corporate policy. Communication of the financial and reputational risks to business operations from the security team to the executive is critical and often done poorly in the manufacturing sector. Consider hiring outside experts who bring external experience and perspectives and understand the manufacturing environment. A risk assessment that includes the potential costs to the company of cybercrime (including manufacturing downtime, ransom payments, communications and even fines from regulators) is a good way to create a burning platform for security program improvements and IT currency initiatives.
- Have your team and backup ready to go.
Criminals don’t wait for an invitation, and historically strike on a long weekend or in the dead of night. That means the security team needs to marshal its partners in advance so it’s easy to engage them quickly. These may include IT forensics consultants, incident response firms, breach coaches, internal and external legal counsel, public relations firms, insurance professionals, and even call center resources to address customer concerns if operations are interrupted. The security team must map out these resources in conjunction with the stakeholders to ensure that all scenarios are covered, and that roles and responsibilities are well understood. A crisis is not the time to decide ownership of tasks, or who to call.
- Plan the response…then test it.
A cyberattack can come swiftly and unexpectedly and requires many decisions, often under pressure. Table-top exercises run by third-party experts, in conjunction with the organization’s security team, will stress-test the company’s plans and ensure the organization has the appropriate plans and resources to respond effectively. Failure in a simulation is the most effective way to surface vulnerabilities, and also a compelling way to convince company executives that resources and prioritization are necessary. Senior leadership and executives should be encouraged to participate in these assessments, as they often will have an identified role to play in incident response plans.
In an attack, it’s essential to have clear, consistent, and informed communications. If the security team isn’t empowered and prepared to provide an explanation, others will step in to fill the void, and the security team (and top management) may not like their take on the situation. Often, the media will look for comment, and regulators, shareholders, and clients will watch closely. During or after a cyber crisis, it's critical to respond to media inquiries from an informed position, and the appropriately designated individual should be identified by the executive or board, and media-trained in advance.
- Pre-identify the company’s stakeholders.
At the very least, a cyberattack can create a minor inconvenience such as a temporary network outage. At worst, it can create a financially-crippling manufacturing standstill, a dangerous supply chain disruption, fines from regulators, and a long-term loss of trust. For global manufacturers, the stakes are even higher. When the company’s problems become other people’s problems, the situation often goes from bad to worse. That’s why it’s vital to pre-identify who could be affected by your issue, and who else needs to know.
But knowing what to say to whom isn’t much good if nobody can hear the company’s POV. A cyberattack can paralyze email and networks, so it’s important to take steps now to establish back-up communications channels. If social media has become the venue for speculation and conversation about the company’s crisis, it’s important to have a presence with followers on those same platforms if the security team wants to weigh in.
And finally, don’t forget social media monitoring. The company will have a hard time restoring trust if others are spreading misinformation on social media that the security team does not see, especially in under-the-radar platforms such as subreddits, or gated communities like Facebook.
While companies should worry about cybercrime, worrying won’t make the risk go away. By bringing together internal and external experts and listening to the security pros, it’s possible to reduce much of the worry and stress.
Josh Cobden, executive vice president, Proof Strategies; Iain Paterson, chief executive officer, Cycura