After the Attack: How to Bring a Manufacturing Company Back from a Cyber Event
As cyber threats grow across the globe, manufacturers are increasingly at risk due to their use of legacy systems, a lack of awareness and insufficient security practices.
As there is a strong chance many manufacturers will experience at least one data breach in the course of a year, experts say one of the best defenses is to establish a plan for recovery.
Identifying the Risk
According to the 2019 Manufacturing and Distribution Report by professional services firm Sikich, half of all manufacturers have fallen victim to at least one data breach in the past 12 months.
Sikich found many manufacturers, especially those with revenues under $500 million, neglect key cyber security preparedness efforts such as cyber audits, penetration testing, security assessments of vendors and phishing exercises on employees.
Manufacturers are vulnerable targets for many cyber criminals, because they are often tied to decades-old machinery, processes and technology with insufficient cyber security, said Nik Vargas, vice president of client services and chief technology officer at Switchfast.
In addition to outdated systems, many also lack training programs to teach their employees how to identify threats such as phishing emails.
“More often than not what we are finding is poorly trained users, and that there has been no broadcasting from the organization, from leadership down, that security matters here,” Vargas said.
Many manufacturers also “grossly underestimate” the impact of such attacks, said Kevin Bong, a senior director in Sikich’s cyber security practice.
When ransomware shuts down access to files for days or a week, it can result in production shutdowns, brand damage and significant financial loss. The average cost of a cyber attack now tops $1.67 million due to operational loss and negative customer experience, according to the 2018-2019 Global Application and Network Security Report by Radware.
Anticipating an Attack
Nowadays, even organizations that “check all the security boxes” can still fall victim to attack, said Drew Rosado, client vCIO at CompuData.
Fortune 100 companies with strong security are not immune, and global leaders such as Target, Marriott, JPMorgan Chase, Walmart and Home Depot have suffered attacks in recent years.
In this environment, manufacturers must move security planning from simply trying to prevent attacks to responding when they do happen, Rosado said.
“Do you know what to do? Do you know who to call when there’s a data breach or ransomware attack? A lot of times, the answer is no,” Rosado said.
A good starting point is to identify the scenarios that could happen, determine the possibility of those scenarios occurring and then assess how each might impact operations.
Because time is money, manufacturers must figure out how long operations may be down and when they may get things back in order, Rosado said.
Anticipating attacks, and then creating a response, could reduce recovery time from weeks or days to only hours.
“Is there a way for you to manage the attack, manage the breach and whatever you’re dealing with, but also make sure that the lights are still on, that you are going to be able to be productive,” he said.
Rosado recommends manufacturers start by talking to their IT teams and vendors and making cyber security a primary issue with planning and strategy. Manufacturers should apply the same principles of ISO compliance to their technology security and vision.
All manufacturers should also create a protocol to follow in a ransomware attack as it is one of the most common threats and can quickly devastate a manufacturer that isn’t prepared to deal with it, Rosado said.
Aluminum manufacturer Norsk Hydro had operations briefly interrupted by a ransomware attack in March 2019. And in April, Swiss vehicle manufacturer Aebi Schmidt and beverage manufacturer Arizona Beverages were hit with ransomware attacks that resulted in temporary disruptions.
Having solid and up-to-date backups can enable the victim to easily restore a system and significantly reduce downtime.
“The best and fastest way to get out of ransomware is to have solid backup,” Rosado said. “If they have backup, we can unstick the situation, but if they don’t there’s a much deeper conversation to have.”
Move Quickly, Continually Test Response Plan
When they discover or suspect a breach, manufacturers should also move quickly to retain their logs, Bong said.
The organization should then temporarily shut down the internet connection to its systems, as attackers often have unseen backdoors with command and control channels. Some manufacturers will try to clean up in place, without shutting down the machines, by just chasing the attacker around the network.
“But it’s like playing whack-a-mole. You end up with days or weeks of dinging a new place where they are that you haven’t cleaned up yet, having them re-infect things,” Bong said.
A basic recovery plan should also address communications, as attacks will often take down mail systems and typical company communications.
In some attacks, hackers will take over administrative passwords to interrupt communications and destroy or encrypt backups, Bong said.
Penetration tests can not only identify defense vulnerabilities but also help see how an attack might go down and what the organization needs to recover.
Sikich conducts penetration testing that can simulate Russian hackers, VPN remote access compromise and phishing. Internal penetration tests start by assuming an attacker obtained control, then charting possible courses of action.
By using such planning and penetration testing, manufacturers can put themselves on a much better path to recovery when a breach does occur.
“Many small manufacturers come to us, having it just happened to them, because they’re often unaware how easy it is and how [significant] the impact can be,” Bong said.