The manufacturing sector is now one of the most frequently hacked industries, second only to healthcare, a new report says.
Healthcare, which has a wealth of exploitable information within electronic records, moved into the top spot of the rankings, replacing financial services, which dropped to third place in IBM X-Force Research’s new 2016 Cyber Security Intelligence Index. Manufacturing rose from third place in last year’s report, which offers a high-level overview of the major threats to IBM’s clients' businesses worldwide over the past year.
Manufacturing includes automotive, electronics, textile, and pharmaceutical companies. Automotive manufacturers were the top targeted manufacturing sub-industry, accounting for almost 30% of the total attacks against the manufacturing industry in 2015. Chemical manufacturers were the second-most targeted sub-industry in 2015, according to IBM.
Many attackers are financially motivated and therefore are more likely to go after corporate networks where they could steal potentially valuable intellectual property or sensitive information, says John Kuhn, senior threat researcher with IBM X-Force.
Meanwhile, The 2016 Manufacturing Report by professional services firm Sikich also reports a rise in attacks on the manufacturing sector -- with theft of intellectual property as a primary motive.
“The FBI estimated that $400 billion of intellectual property is leaving the US each year because of cyberattacks” and nation-state actors and other adversaries are starting to target manufacturing companies for this information, says Brad Lutgen, a partner in Sikich’s compliance and security practice.
Many manufacturing companies are behind the curve in security because they have not been held to compliance standards like financial services has, with the Payment Card Industry Data Security Standards and the Gramm-Leach-Bliley Act, or in the case of the healthcare industry, with the Health Insurance Portability and Accountability Act, Lutgen says. “Because of that, they [manufacturers] tend to be a little laxer with security in terms of some other industry verticals.”
As a result, there is a lack of adoption of key information security practices that have become standardized procedures across most industry verticals, Lutgen says. For example, only 33% of survey respondents indicated that their organizations were performing annual penetration testing within their IT groups.
Heartbleed, SQL Injection Leading Forms Of Attack
Manufacturers appear to be vulnerable to older attacks, such as Heartbleed and Shellshock. SQL injection is another prominent form of attack being waged against manufacturers, IBM’s Kuhn says. “Those [types of attacks] happened in volume,” last year, he says. The Heartbleed bug is a serious vulnerability found in the OpenSSL cryptographic library that allows attackers to eavesdrop on communications, steal data directly from the services and users, and impersonate services and users.
Attackers also targeted manufacturing companies’ enterprise servers via spearphishing schemes to lure employees to malicious websites, Kuhn says.
Manufacturing companies are starting to fortify their networks and corporate systems, Kuhn says, but their industrial control systems also pose a challenge. ICS systems might run a copy of Microsoft Windows or Unix that was issued ten years ago, so they can’t necessarily update it without the change causing an equipment failure, according to Kuhn.
“When you talk about this industrial control space, it gets into a doomsday thing. It [an attack] might shut down a water plant or a nuclear plant. They are hard to defend,” Kuhn says.
Take the proliferation of ransomware. What if an attacker deploys ransomware to lock down manufacturing computers and says, “pay the ransom or you won’t be able to manufacture your products?” These are all things to consider, he says. “So there is a lot of work to do in the manufacturing industry to shore up their defenses for industrial control systems and corporate networks.”
Sikich’s report offers manufacturers some advice about how to mitigate threats:
- Conduct an annual IT risk assessment to properly understand where threats are originating from.
- Perform annual penetration tests to simulate the threat of someone trying to break into your organization’s network.
- Conduct ongoing vulnerability scanning throughout the year to help the organization stay up-to-date with new threats.