According to the World Economic Forum, manufacturing is one of the most targeted sectors by cyber attackers. Criminals prefer manufacturing firms because of the valuable data and evolving connections.
Data is constantly being generated, and the data types that manufacturers collect and store offer immense value to attackers. From product specifications and intellectual property (IP) details to operational parameters and customer transaction details, data stolen from manufacturing firms could prove lucrative for attackers to sell, ransom, or even destroy.
Additionally, the evolving nature of digital connections within the manufacturing sector provides an opportunity for hackers. If they can disrupt production line automation, shut down a supplier, or interfere with artificial intelligence (AI) tools, they could cost your organization a lot of time, effort, and revenue.
This article looks at some of the top vendor risk management challenges for the manufacturing industry, the impact on first- and third-party operations, and what manufacturers can do to reduce their total risk.
The Manufacturing Threat Landscape
According to the IBM Security X-Force Threat Intelligence Index 2023, 27% of all attacks in 2022 were extortion-related. Of these, 30% targeted manufacturing firms, the most of any industry. It makes sense: Attackers know that for manufacturing firms to generate revenue, they need to produce products. If hackers can exfiltrate and encrypt the data required to run production lines, they can extort firms for significant sums of money.
The Internet of Things (IoT) also plays a growing role in manufacturing processes and the potential for cyberattacks. According to recent survey data, 69% of manufacturing industry leaders are implementing Industry 4.0 solutions that enable digitization and connection across the enterprise. Among these leaders, 66% point to the Industrial Internet of Things (IIoT) as "very important" to their future success. While IIoT enables real-time data sharing and analytics, this framework also increases the attack surface. With more devices come more endpoints and, in turn, opportunities for compromise.
Dig deeper into this topic: How Manufacturers are Transforming TPRM with Cyber Risk Intelligence
Manufacturing firms are also susceptible to attack vectors such as phishing and ransomware. As noted by a recent report, ransomware attacks against the manufacturing industry rose from 211 in 2021 to 437 in 2022—moreover, 70% of ransomware attacks against the industrial sector targeted manufacturing firms.
If you feel like your organization has a cyber target on its back, it's because you do.
Why Manufacturing Data Matters to Hackers
Adopting IoT, AI, and automation solutions within manufacturing has created a data-rich environment. While this environment enables companies to leverage new solutions, such as creating digital twins to track products throughout their lifecycles, it also increases the value of manufacturing data, making it a prime target for malicious actors.
Consider a ransomware attack that moves laterally onto networks from a third-party service. Once inside IT perimeters, attack payloads could seek out high-value data, such as intellectual property related to new product development or financial predictions based on supply and demand. Once attackers find this data, they can exfiltrate and encrypt it, then demand a ransom from companies for its return.
In the best-case scenario, companies recover their data without meeting hacker demands, for example by breaking the ransomware's encryption or obtaining a working decryptor. In the worst case, companies pay up, and attackers still refuse to decrypt the data. Most attacks end somewhere in the middle: Companies agree to the ransom and regain some of their data. Or they refuse to pay and are forced to restore much of their data from backups.
No matter how an incident ends, the outcome is always better if manufacturers can find ways to detect, identify, and frustrate attackers before they compromise networks.
Addressing the Dual-Party Problem
Manufacturers face two security problems simultaneously: first- and third-party risk management.
First-party risk management deals with data collected, stored, and handled by in-house applications, servers, and storage devices. Good examples are supervisory control and data acquisition (SCADA) systems and industrial control system (ICS) devices, often legacy tools left over from the initial stages of manufacturing growth.
Many of these devices were never designed to work with current and next-generation IoT solutions and often lack even the basic security controls found in modern systems. Coupled with firmware that's difficult or impossible to update, legacy devices present an ongoing risk to operations. If attackers manage to compromise the controls, companies may need to shut down indefinitely.
First-party risk is also tied to internal customer data handling. When data is compromised, regulatory authorities may get involved, and the affected parties must be notified. As a result, a manufacturer’s reputation and revenue may take a serious hit.
Third-party risks refer to applications, vendors, and services that lie outside the direct control of manufacturing organizations. Third parties can take many forms, including material suppliers, machinery providers, data analytics firms, cloud-based human resources systems, and more peripheral services such as HVAC or electrical contractors that use internet connections to monitor the status of specific equipment remotely.
The biggest challenge with third-party risk is visibility: understanding how secure your vendor network really is. A material supplier with a control gap or “more relaxed security practices” is an open door that an attacker can use to reach your data. For example, vehicle manufacturer Nissan saw the data of nearly 18,000 vehicle owners stolen after a third-party developer was breached. Because the vendor stored Nissan’s data on an insecure cloud storage website, hackers were able to compromise it.
Given that the average organization is now connected to more than 6,000 third parties and two out of every three breaches happen via a third party, managing vendor risk is critical to keep first-party data safe and your organization operating without disruption.
Taking Control of Third-Party Risk
While first-party risks can be mitigated by creating and deploying new internal processes and policies, third-party risk is more challenging to manage.
Consider a company dealing with first-party data problems due to unauthorized access. By implementing solutions such as multi-factor authentication (MFA), manufacturing companies can frustrate the efforts of both attackers and insiders. Meanwhile, the process becomes more difficult when it comes to reducing third-party risks.
Here's why: Consider the same scenario, but this time it's a third-party vendor struggling to restrict employee access. While manufacturers can request that this vendor implement MFA, confirming that the vendor followed through (and stays compliant) isn’t as easy.
If the security assessment process comes immediately to mind, remember that assessments are self-reported information subject to human error, and they capture a vendor's security posture only at a single point in time. While questionnaires have their place and purpose, they provide an incomplete picture on their own. That’s the benefit of having access to multiple data points to bolster your vendor analysis, such as outside-in scanning and scoring and threat intelligence data.
In vendor risk management, three components are critical:
Identification and Assessment
Effective vendor risk management requires identifying third-party risks and evaluating their overall impact. Given that 20% of third parties used by organizations are typically considered high-risk, identification and assessment are essential for manufacturers to prioritize protective action or take steps to remove third parties from active service.
Analysis and Reporting
Total risk isn't defined simply by current third-party risk — it's also connected to industry-wide threat data. With ransomware and phishing attacks on the rise, knowing which vendors have control gaps and which controls are commonly exploited equips security teams with an understanding of current threats and their role in potential breaches.
Monitoring and Security
Finally, manufacturers need tools capable of continuous monitoring and security. Given the dynamic nature of attack surfaces, attack vectors, and the extensive third-party network required to streamline operations, manufacturers need to know what's happening across their environment at any given moment — and need solutions that equip security teams to take the appropriate action when issues emerge.
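The three components above (identification and assessment, analysis against commonly exploited controls, and acting on the result) can be illustrated with a small triage script. The following is an added example, not CyberGRX code and not a description of any vendor's product. It assumes two hypothetical inputs per vendor: self-reported questionnaire answers and outside-in observations expressed as per-control booleans; the vendor names, control list, weights and threshold are all constructed sample values. The key point it demonstrates is that observed evidence overrides a self-reported claim, and that a contradicted claim itself raises the vendor's priority, because it undermines trust in the rest of the questionnaire.

```python
"""Vendor risk triage: cross-check self-reported questionnaire answers against
outside-in observations, then rank vendors for action.

Hypothetical example. All vendor names, controls, weights and thresholds are
constructed sample data, not industry figures.
"""
from dataclasses import dataclass

# Controls a vendor can claim, weighted by how commonly a gap in that control
# is exploited (constructed values, assumed to come from threat-intel analysis).
CONTROL_WEIGHTS = {
    "mfa_on_remote_access": 5,
    "patched_internet_facing_services": 4,
    "backups_tested": 3,
    "cloud_storage_private": 4,
}

# Business criticality of the vendor relationship scales the score.
TIER_MULTIPLIER = {"critical": 3, "high": 2, "low": 1}


@dataclass
class Vendor:
    name: str
    tier: str                      # "critical", "high" or "low"
    questionnaire: dict            # control -> bool, self-reported by the vendor
    observed: dict                 # control -> bool, from an outside-in scan (assumed source)
    recent_incident: bool = False  # threat-intel flag for a recent breach


def control_gaps(v):
    """Controls missing according to the best available evidence.
    An observed result overrides whatever the questionnaire claims."""
    gaps = []
    for ctrl in CONTROL_WEIGHTS:
        claimed = v.questionnaire.get(ctrl, False)
        observed = v.observed.get(ctrl)
        effective = observed if observed is not None else claimed
        if not effective:
            gaps.append(ctrl)
    return gaps


def discrepancies(v):
    """Controls the vendor claimed to have but the scan contradicts."""
    return [c for c in CONTROL_WEIGHTS
            if v.questionnaire.get(c) is True and v.observed.get(c) is False]


def risk_score(v):
    """Weighted gap score, scaled by criticality, plus penalties for a recent
    incident and for each contradicted self-assessment claim."""
    base = sum(CONTROL_WEIGHTS[c] for c in control_gaps(v))
    score = base * TIER_MULTIPLIER[v.tier]
    if v.recent_incident:
        score += 10
    score += 5 * len(discrepancies(v))
    return score


def prioritize(vendors, high_risk_threshold=20):
    """Return (name, score, is_high_risk) tuples, highest risk first."""
    ranked = sorted(vendors, key=risk_score, reverse=True)
    return [(v.name, risk_score(v), risk_score(v) >= high_risk_threshold)
            for v in ranked]


# Constructed sample vendors (fictional names and answers).
SAMPLE_VENDORS = [
    Vendor("Example Metals Co", "critical",
           questionnaire={c: True for c in CONTROL_WEIGHTS},
           # Claims MFA everywhere, but the scan shows remote access without it.
           observed={"mfa_on_remote_access": False,
                     "patched_internet_facing_services": True}),
    Vendor("Example HVAC Services", "low",
           questionnaire={"mfa_on_remote_access": False, "backups_tested": False},
           observed={"patched_internet_facing_services": False},
           recent_incident=True),
    Vendor("Example Analytics Ltd", "high",
           questionnaire={c: True for c in CONTROL_WEIGHTS},
           observed={c: True for c in CONTROL_WEIGHTS}),
]

if __name__ == "__main__":
    for name, score, high in prioritize(SAMPLE_VENDORS):
        flag = "HIGH RISK" if high else "ok"
        print(f"{name:25} score={score:3} {flag}")
    for v in SAMPLE_VENDORS:
        if discrepancies(v):
            print(f"{v.name}: questionnaire contradicted on {discrepancies(v)}")
```

In the sample data the low-criticality HVAC contractor ranks first because of a recent incident and several gaps, while the critical metals supplier, which answered every question "yes", still lands above the threshold because one claim is contradicted by observation. That second case is the scenario the text describes: asking a vendor to implement MFA is easy, and only an independent data point tells you whether it actually happened.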
Making it Right With Improved Vendor Risk Management
Manufacturing risk is on the rise as digital connectedness and supplier networks increase. To help mitigate the potential impact of cybersecurity threats, effective vendor risk management strategies are key in preventing avoidable business disruption.
By implementing tools that can go beyond static assessments to deliver real-time risk insights, manufacturers can build third-party risk management frameworks that help limit the chance of compromise — and quickly make things right when incidents occur.
Want to explore what better vendor risk management looks like for your manufacturing company? Book a CyberGRX demo today.