The Fourth Industrial Revolution, with its accelerating pace of digitization and automation, means that organizations are becoming more dependent on data processing and connectivity to deliver value to their customers and stakeholders. Threat actors exploit this growing attack surface to achieve their aims: fraud, extortion, harassment, espionage, and other harms. They are smart, adaptive, and ruthless—and getting rich as a result.
Defending against cyber threats is an increasingly difficult task for any organization. For owners and operators of critical infrastructure, the stakes are uniquely high. Societies depend on these sectors for a variety of essential services, such as energy, water, telecommunications, healthcare, and financial services.
Critical manufacturing stands out as an at-risk sector with a long way to go to achieve cyber resilience. As defined by CISA, critical manufacturing includes “Primary Metals Manufacturing,” “Machinery Manufacturing,” “Electrical Equipment, Appliance, and Component Manufacturing,” and “Transportation Equipment Manufacturing.”
SecurityScorecard recently analyzed a cohort of all critical manufacturing organizations included in The Global 2000 Forbes list. Forty-eight percent of companies in this sector have a SecurityScorecard rating of F, D, or C. To put this in context, organizations with an A rating are 7.7x less likely to sustain a breach than those with an F.
We consider ten factors when developing an organization’s security rating. When analyzing critical manufacturing further, the SecurityScorecard team found that the patching cadence factor—which analyzes how quickly an organization installs security updates to measure vulnerability risk mitigation practices—experienced a significant drop across the year from 2021 to 2022, moving from an 88 (B) to a 76 (C).
This decline is likely due to an increased volume of vulnerabilities. Critical manufacturing experienced a 38% year-over-year increase in high vulnerabilities. In 2022 alone, 76% of critical manufacturing organizations have high- and medium-severity CVEs. These CVEs may, in some cases, facilitate ransomware groups’ targeting of organizations in the sector.
Of further concern regarding critical manufacturing: Security Scorecard’s Threat Intelligence team found that the sector experienced an increase in malware infections from 2021 to 2022. In 2022, 37% of critical manufacturing organizations had malware infections.
Critical manufacturing organizations are attractive targets for threat actors. Ransomware groups are going after manufacturing most frequently and, within the sector, have attacked metal components manufacturers most. Conti and LockBit groups are the ransomware operations responsible for the largest number of manufacturing compromises.
The Conti ransomware group claimed an attack against Delta Electronics, an electronics manufacturing firm that supplies power components to Apple and Tesla, among others. The attack reportedly resulted in the encryption of more than 1,500 of Delta’s servers and 12,000 of its individual workstations and forced it to launch a new website using a new web server while its official site was offline (presumably because its web server was one of the 12,000 encrypted in the attack).
Conti also claimed responsibility for an attack against wind turbine manufacturer Nordex SE, illustrating the potential for geopolitics to impact certain manufacturing sectors. Conti publicly declared its support of the Russian war against Ukraine, and European manufacturers supporting renewable energy (like Nordex). The European response to Russia’s invasion of Ukraine has brought renewed attention to the centrality of Russian oil and gas imports to daily life in Europe, and the attempt to reduce Europe’s dependence upon those imports could drive demand for renewable energy. A subsequent investigation by the SecurityScorecard Threat Intelligence team revealed that Nordex might face ongoing risks related to the attack.
In the face of all this, there are five steps that critical manufacturers can take to protect themselves, and build and maintain trust with their employees, customers, and partners—as well as citizens worldwide.
Quantify the effectiveness of your security program. The way many companies prioritize and allocate their security budget has been elevated to the board level, where any spending recommendation demands increased scrutiny and clear communication. Make a business case for investment in your security stack by articulating risk in financial terms.
Assess the Security Posture of Your Third and Fourth Parties. Between September 2021 and September 2022, 54% of organizations experienced a data breach through one of their third parties. Identify all the players in your business ecosystem and make informed choices about who you work with.
Incorporate continuous monitoring into your security program. The threat landscape is dynamic, and organizations’ attack surfaces are constantly evolving and expanding. Stay ahead of hackers with up-to-the-minute measurements of your security posture.
Create an incident response plan. Have a plan in place to take immediate action toward remediating incidents. The initial 24 hours after a breach are critical, so it’s important to act immediately to stop additional losses, fix lingering vulnerabilities, and notify all affected parties.
Gain trust with transparency. Communicate openly about the measures you’re taking to maintain security at your organization. This not only eliminates the silos associated with threat identification and management, but importantly, it builds trust with your customers, employees, and vendors.
In the midst of the Fourth Industrial Revolution, as we all rely on digitization to thrive and survive, there’s nothing more crucial and pivotal than trust. It can be lost in an instant. Critical manufacturers—and, indeed, all of the world’s organizations—can earn and grow trust by measuring, monitoring, and increasing their cyber resilience.
For more on addressing the trust deficit in critical infrastructure, read SecurityScorecard’s latest research report.