As manufacturing processes integrate more deeply with digital technologies, the industry faces a dual challenge: increasing worker productivity by using smart technology and strengthening defenses against escalating cyber threats.
With the advent of smart manufacturing, industry leaders are connecting everything from supply chain management systems to assembly line robots to the cloud. This creates a complex network of unsecured devices that, if not monitored for malicious activity, can expose critical infrastructure to cyberattacks.
Based on threat research conducted by our Threat Response Unit (TRU) for the 2024 SMB Ransomware Readiness report, the manufacturing industry has been the most impacted industry for ransomware attacks from 2020-2023.
It’s no surprise then that a strong cybersecurity posture is as crucial as the sturdiest physical lock on the factory door. Manufacturers must take a holistic view of their cybersecurity programs, the limitations of their in-house cyber capabilities, and implement security protocols for every digital touchpoint, from employee email accounts to industrial control systems.
In this blog, we share the most common cyber threats impacting the manufacturing industry and recommendations on how you can protect your organization from these threats.
The attack surface has grown considerably for manufacturing organizations in recent years, driven largely by cloud migration, increasing number of edge devices, and reliance on remote desktop services. Personal smartphones, tablets, and laptops can provide convenient access points for employees but can also be easy targets for cybercriminals.
“The unfortunate side effect of this growth is it creates new opportunities for exploitation,” Spence Hutchinson, Staff Threat Intelligence Researcher at eSentire, says. “Cloud migration, edge devices, remote access services are all things that need to be configured and patched, and they, unfortunately, create exposure and opportunities for threat actors.”
Therefore, manufacturing businesses should consider implementing a zero-trust and least-privilege approach to access management, so that only authenticated, authorized users and devices can reach network resources. Organizations should also have cloud security posture management and cloud workload protection in place to secure the data stored in the cloud and to remediate misconfigurations and policy violations.
The existence of initial access brokers (threat actors who sell unauthorized access to networks) represents a severe threat to manufacturers. By offering a ready means of entry, these brokers enable cybercriminals who lack the skills to gain initial access themselves to deploy ransomware and other attacks.
TRU’s research has shown that the most common initial access vectors used to target the manufacturing industry are browser-based attacks, business email compromise, removable media, and valid credentials.
TRU’s research also shows that cybercriminals are turning to more subtle techniques to gain initial access into networks. They employ tactics such as malvertising, which abuses ad networks to deliver malware through legitimate websites, and watering hole attacks, where they compromise a site frequently visited by the target users.
These sophisticated attacks can easily bypass traditional defenses, making security awareness training and robust threat response capabilities that can identify and block malicious behavior more critical than ever.
Although browser-based attacks are outpacing phishing emails, threat actors are still using business email compromises (BEC) and phishing emails disguised as typical business communications with subject lines like “Invoice” and “Shipping” to target unsuspecting manufacturing employees.
The best way to combat these threats is the same as for browser-based attacks: make sure your security awareness training is built on real-world scenarios so users know how to spot modern phishing emails.
Credential theft is an insidious threat because it allows attackers to masquerade as legitimate users, moving laterally across the network and accessing sensitive information.
Based on the Manufacturing Threat Intelligence report published by TRU, the majority of the intrusions observed against our manufacturing customers leveraged valid stolen credentials. These credentials can be easily purchased on underground markets and are then used to log in to remote access services, often in combination with the exploitation of known unpatched vulnerabilities or zero-day flaws.
To combat this, manufacturers should implement robust password policies, require multi-factor authentication (MFA) for all user accounts, especially those with privileged access, and routinely audit accounts for unusual activity. Security leaders should also leverage identity-based threat detection and response to monitor and respond to anomalous user behavior. It’s also crucial to educate employees about the use of strong, unique passwords and the dangers of credential sharing.
While removable media devices (e.g., USBs) are convenient for transferring data, they remain a vector for malware to enter and spread across manufacturing systems. In fact, initial access worms such as Raspberry Robin, which often gain initial access through removable media, can be used to deploy malware that leads to ransomware intrusions.
Therefore, manufacturing organizations must implement policies that control the use of USBs and other removable media devices. These might include disabling USB ports where they are not needed, enforcing strict controls over which devices can be connected, and establishing procedures for scanning all devices for threats before use. Employee education is also critical: all employees should be trained to understand the cyber risks associated with USB devices.
Ransomware attacks have become one of the most immediate and disruptive threats facing manufacturers today. These attacks can freeze production lines, lead to loss of intellectual property, and incur significant financial and reputational damage. One day of downtime alone can cost manufacturing organizations upwards of $221K USD.
Interestingly, the top industries found in Initial Access Broker auctions align closely with the top industries of the ransomware victims named on data extortion leak sites, with manufacturing organizations significantly outnumbering organizations in other industries.
To combat this, manufacturers need more than just standard antivirus software; they require a multi-layered cyber defense strategy. This involves ongoing security monitoring, 24/7 threat detection and response capabilities with proactive threat hunting, and comprehensive backup strategies that include offsite and offline backups to ensure that operations can quickly resume after an attack with minimal loss.
Most manufacturing organizations rely on a highly interconnected environment of vendors, suppliers, and service providers to extend their capabilities and scale operations. Unfortunately, these third-party supply chain partners add considerable cyber risk for manufacturing organizations given that their privileged access adds potential entry points for cyberattacks.
“We spend a lot of time worried about our own networks when attackers may exploit someone else's network and then use it to gain access to yours,” Spence says. “Attackers know this, and there are a handful of underground services like fraud shops and auction sites where they can purchase credentials or network access into third-party providers.”
To manage this, manufacturers must establish a robust vendor risk management program, which includes conducting regular due diligence and security assessments of vendors, contractual agreements that mandate adherence to cybersecurity standards, and continuous monitoring of vendor activities.
By taking a proactive stance, manufacturers can identify and mitigate risks posed by third-party relationships, ensuring that the security of the supply chain is not compromised.
The interconnectedness of OT and IT systems in modern manufacturing has made OT environments more vulnerable to cyberattacks. While historically isolated, these systems are now in the crosshairs of cybercriminals.
In fact, according to the Dragos 2023 Year in Review report, approximately 70% of OT-related incidents originated from within the IT environment. Moreover, 17% of organizations shared domain architecture between their IT and OT systems, which can enable cybercriminals to move laterally between the two and escalate privileges to gain control.
Therefore, it’s clear that manufacturers should enforce strict network segmentation, ensuring that a breach in one part of the network cannot easily spread to OT systems. Additionally, investing in security platforms that provide visibility into both IT and OT systems can help detect and respond to threats quickly.
With clear strategies, continuous vigilance, and proactive measures, manufacturers can protect their operations, safeguard their data, and ensure that they remain resilient in the face of cyber threats.
By committing to ongoing education, investment in advanced defenses, and a culture that prioritizes cybersecurity, manufacturers can stand firm against the onslaught of cyber risks.
To learn how eSentire can help your manufacturing organization reduce your cyber risks and prevent service disruption, connect with an eSentire cybersecurity specialist now.
eSentire, Inc., the Authority in Managed Detection and Response (MDR), protects the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats by providing Exposure Management, Managed Detection and Response and Incident Response services designed to build an organization’s cyber resilience & prevent business disruption. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire's award-winning MDR services and team of experts help organizations anticipate, withstand and recover from cyberattacks. For more information, visit: www.esentire.com and follow @eSentire.