Manufacturing’s Ransomware Risks Aren’t Standing Still — and Neither Should Your Risk Management
Ransomware attacks, a longtime scourge for industries like health care, government and education, are on the rise in the manufacturing sector — with the risk rippling outward to costly effect.
A November 2020 study compiled by Dragos revealed that ransomware incidents in manufacturing tripled in 2020. A Digital Shadows report found that the industrial goods and services sector accounted for 29% of reported events last year.
“The ransomware epidemic has devastated manufacturers, interrupting key operations and snarling supply chains globally,” said Michael Phillips, chief claims officer at Resilience. “[This] must be a priority for directors and officers of manufacturers big and small.”
Experts connect the recent rise in ransomware incidents to manufacturing’s visibility and economic reliance on just-in-time production. It’s much harder to pause or hide a pause in operations, which in turn incentivizes companies to pay ransoms, making these organizations low-hanging fruit for attackers.
At the same time, manufacturers use a combination of operational technology (OT) and information technology (IT) in a supply chain of production lines, multinational sites and logistics that creates a broader attack surface. It’s precisely in this nexus where security lapses occur.
“We’re in the fourth industrial revolution, with the ongoing automation of traditional manufacturing practices using modern, connected technology,” said Brian Kramer, underwriting officer and industry lead, middle and large commercial manufacturing, The Hartford.
“On the manufacturing production floor, the machines making parts are equipped with sensors that are capturing data. These sensors and machines need calibration and periodic software or firmware updates. They can be remotely diagnosed, serviced or recalibrated via the internet. This advancement of technology has also made manufacturing risks more vulnerable.”
Given the relative newness of these systems, the rush to adopt technology has outpaced security measures. A silo effect between IT and OT operations has led to a fragmented approach that can ultimately offset efforts to protect property and data.
“We see a lack of maturity in the risk evaluation of those entities with large exposures to look at security in a holistic way across that continuum,” said Libby Benet, global chief underwriting officer, financial lines at AXA XL. “The more remote monitoring you’re doing, the more you need to be securing the networks.”
An additional concern, Benet said, is the lack of universal security certification for hardware and software products, which is something she hopes to eventually see addressed.
“Until we have a model where buyers are requiring providers to certify the efficacy of these tech products, I believe we will remain vulnerable to these attacks,” she said.
An Urgent Concern
Traditional ransomware attacks, in which the perpetrator holds the victim’s data in exchange for an extortion payment, carry an increasing financial toll, threatening business interruption while the company scrambles to get back online. In manufacturing and industrial operations there is much more at stake — IP, trade secrets, even the integrity of core processes.
“Regardless of the type of data you hold, ransomware potentially goes to the heart of your business, to your ability to operate,” said Aaron Basilius, senior vice president of cyber at AmTrust.
“It’s not just whether you can access the data but whether you can actually now even trust the data. Has it been manipulated? It’s one thing if the threat actor is sitting in there and viewing the data to better understand operations or your trade secrets and sensitive data. But it’s another if they have access and potentially are able to affect the integrity of those operations.”
That could include changes to logistics such as scheduling. And, as a February 2021 attack on an Oldsmar, Fla., water treatment facility showed, unsecured industrial systems are a few keystrokes away from potential catastrophe that can do physical and bodily harm.
Savvy ransomware gangs are not necessarily after the sensitive data itself anymore: the data may be stolen as a leverage tactic, or access to operational processes may be held for ransom.
The Right Coverage
“Ten years ago, most manufacturers would have looked at a cyber policy and said, ‘Well, we don’t have any personal data other than maybe from our employees. But beyond that, we don’t have much of an exposure,’” said Basilius.
Today, manufacturers readily acknowledge the need for cyber policies, and at the same time, insurers are recognizing that it’s in their best interest to actively develop better solutions addressing manufacturing’s unique cyber threats.
“That includes property and physical exposures on top of threats to data,” Basilius said.
“At the end of the day, it’s the company’s business, its reputation, its operation and its ability to ensure the integrity of its products and the solidity of its overall risk management approach — so we need to work together to provide sustainable solutions. It’s not always just a matter of providing the lowest price and the broadest coverage.”
Filling the Gaps
Ransomware attacks in manufacturing have revealed some of the ongoing potential for silent or non-affirmative cyber risk, such as when a ransomware attack impacts physical property or potentially causes bodily injury.
“Given the increased sophistication of ransomware attacks, there is a shift in non-affirmative cyber coverage grants being eliminated from traditional property and general liability coverage,” Kramer said. “That shift is really driving the need for standalone cyber products that offer the necessary cover to protect manufacturing risk as well as a need for clarification of coverage in property policies.”
These concerns can cut both ways across insurance coverage.
“We in the insurance industry should be ready to collaborate and put in place coverages that will address not only the cyber risk and the risk to data, but there’s often a crossover there with property and casualty coverages as well,” Basilius said.
“Cyber risk doesn’t only exist in the digital world. If a company has a business interruption loss or a loss of data or to networks and systems, how is that loss covered under traditional policies such as property?” he added.
“There’s no single answer across the industry. There are varying degrees of cyber exposure within traditional lines of business that insurers now have to account for. And that’s a perfect opportunity for a cyber policy to come into play, to develop work together with traditional lines of coverage to help ensure that our clients’ true risk is covered.”
Basilius believes that ransomware and other cyber attacks in sectors like manufacturing will continue to spur change in the insurance industry and how it approaches coverage offerings.
“I’m not sure you’ll see broad expansions of cyber policy forms to include property coverages,” he said. “But you are seeing, especially in the large space, the crafting of coverage to meet insureds’ needs, and it’s only a matter of time before that concept starts moving down market into a more standardized offering.”
Helping Insureds Guard Against Ransomware
Cyber policies are just one tool in the risk management toolbox, but insurers are uniquely positioned to help insureds shore up their security practices. To start, insurers can be proactive in helping policyholders understand ransomware threats and their potential losses if they get attacked or infected with ransomware.
Cyber insurers already have years of insight in assessing cyber risk using tried and true tools such as cyber security rating applications to help manufacturers identify vulnerabilities in their industrial control systems and IT networks.
But vigilance must extend through the entire supply chain.
“Insurance companies have long promoted better safety standards for areas like property, but the technical nature of cyber security, especially when dealing with industrial control systems, means that traditional insurers aren’t able to provide this same level of risk engineering for industries like manufacturing,” Phillips said.
“Manufacturers must simultaneously ‘protect the castle’ and think about the integrity of their supply chains across borders, jurisdictions and vendor relationships. This means applying rigorous security standards, both at home and across the value chain, to make sure that data, systems and devices can continue to operate in the face of growing threats,” Phillips continued.
“Insurers should use their visibility into this challenge to show the return on investment of tech updates. While patching might mean system downtime, operational disruptions caused by cyber attacks are often much longer, more destructive and significantly more expensive.
“These are not academic scenarios — they are real, and insurers can help insureds quantify them to make the right decisions regarding cyber risk management spending.”
Insurers can also be helpful in guiding insureds through the vast sea of cyber security products out there and identifying which ones are actually useful in mitigating risk. Recommended vendors or products can help create a sense of assurance.
“Based on our forensics reports and incident response work through our partners, we get very good insights into what would have potentially prevented this attack or how you could have recovered from it more easily or reduced your loss costs,” said Jacob Ingerslev, head of global cyber risk at The Hartford.
There are, of course, some baseline steps all organizations should be taking to mitigate ransomware risk.
From a cyber security perspective, that includes deploying multifactor authentication, running routine employee awareness training about phishing and other social engineering schemes, segregating externally facing systems from core operations and operational technology, and using VPNs and firewalls to hide services and communication so they are not detectable by scanners.
All organizations in 2021 should be readying for cyber incidents with tested, securely stored backups, tabletop exercises and robust, regularly updated incident response plans.
The increase of ransomware and cyber attacks in manufacturing and operational systems will continue to vex insurers. The worry, of course, is that there are bigger impacts yet to come, such as a large supply chain attack — a SolarWinds-like event with catastrophic scale.
“As more technology is incorporated into manufacturing processes and the manufacturing output itself, the connectivity with third party vendors and suppliers will make manufacturers more vulnerable to supply chain attacks and in general,” Ingerslev said.
Again, this is a broadening of the attack surface with more devices and potential vulnerabilities that can be exploited.
None of this is unique to manufacturing, but it’s something that insurers are warning manufacturing policyholders about and will continue to keep a close eye on as these threats take shape in the coming months.