The following article was first published by Shipman & Goodwin LLP in the News & Insights section of its website. It is reposted here with permission.
The manufacturing industry was the most attacked industry in 2021, surpassing financial services, according to billions of data points analyzed by IBM.
Ransomware, the top attack type, accounted for nearly a quarter of the attacks on manufacturing companies.
In the past, cyberattackers focused their attention on the financial, healthcare, retail, and energy industries, allowing many in manufacturing to sail by on the belief that threat actors were not interested in them.
Several factors have combined in recent years, however, to make manufacturing the preferred prey.
Increased utilization of internet-connected operations and industrial control systems, the Industrial Internet of Things, increased security and regulation within other heavily targeted industries, an expanded remote workforce, and other workforce vulnerabilities all act like chum in the ocean to attract predators.
In the past, the sharks may not have shown much interest in manufacturers, but now, “You’re gonna need a bigger boat.”
Phishing attacks, while targeted at various industries, have been increasing year-over-year in the manufacturing industry, which is now a top target for phishing attacks each year.
A phishing attack tricks the target into opening a malicious email attachment or website by spoofing the identity of the sender.
The attachments and websites contain trojans or other malware that are downloaded and scan systems for vulnerabilities to exploit and/or data to collect—either to be held for ransom or sold on the dark web by the threat actor.
The manufacturing industry is particularly vulnerable to phishing attacks because of legacy equipment, which is fairly easy for attackers to exploit, fragmented security infrastructures attributable to location-based variations in hardware and software technologies being utilized, and large workforces with varying levels of information technology expertise and training.
In addition to ransomware and phishing attacks, manufacturers are also frequently targeted for intellectual property theft, IIOT attacks, and supply chain attacks, where the actor infiltrates an organization through a third-party vendor or supplier through viruses or malware in order to disrupt the manufacturer’s operations and ripple delays through the entire supply chain.
Analysts predict global cybercrime costs to reach $10.5 trillion annually by 2025, more than triple the amount spent in 2015.
If your organization has purchased or renewed a cyber insurance policy, you likely felt the impact in your increased premiums and more rigorous underwriting process.
Cyber insurers raised premiums by a staggering 92% in 2021 according to information submitted to the National Association of Insurance Commissioners.
Those premiums increased by 34.3% in the fourth quarter of 2021 alone.
In tandem with the costs of responding to cyberattacks, the notification requirements to individuals and regulators have also been increasing in recent years, with states modifying their breach notification statutes to increase the scope of affected data that must be reported, and shorten the timeframe to do so, for example.
Most recently, and specific to manufacturers, in March Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which will require companies considered to be “critical infrastructure” to notify the Cybersecurity and Critical Infrastructure Agency within 72 hours of a significant cyberattack, and within 24 hours of making a ransomware payment.
While the law does not identify which critical infrastructure sectors will be covered by the reporting obligations, CISA’s future rule-making may look to the 16 critical infrastructure sectors it has identified as vital to the US, which includes the critical manufacturing sector.
In the face of these increasing threats and compliance obligations within the industry, manufacturers must act now and make investments to defend and maintain production; to protect intellectual property, confidential information, and customer data; to avoid financial losses, and to safeguard against physical damage to machinery and other critical systems.
A comprehensive cybersecurity plan is imperative, including the following (among other items):
- Identification of systems, assets, and data, and the risks to each;
- Protection of those systems assets, and data with appropriate safeguards to ensure continuity of critical infrastructure and to limit or contain the impact of a cybersecurity incident (eg, strong password rules, two-factor authentication, timely application of software patches, network segmentation, etc.);
- Develop and implement the appropriate processes to monitor systems and detect a cybersecurity incident in a timely manner;
- Develop and implement a detailed response plan, setting forth the appropriate actions to take when a cybersecurity incident occurs to contain its impact;
- Develop and implement a recovery plan to restore operations and capabilities impacted by the cybersecurity incident; and
- Training and education for employees at all levels about the dangers of cybercrime, how to recognize phishing and other threats, and how to report concerns or incidents.
Consider engaging professional cybersecurity experts and qualified counsel early in the development of a cybersecurity plan, and especially upon the occurrence of a cybersecurity incident.
Most importantly—practice your response plan. No coach would expect a team to execute effectively plays simply by reading the diagrams in a playbook.
The best designed response plan will likely fail in several areas amidst the chaos of a cyberattack if your team has never simulated it, posing significant operational and compliance risks.
About the authors: Marc Lombardi and Damian Privitera are lawyers at Shipman & Goodwin LLP, both practicing in the firm’s Privacy, Cybersecurity and Data Innovation practice.
For more information about Shipman’s manufacturing practiceplease contact Alfredo Fernandez (860.251.5353; email@example.com).