By Nigel Thorpe, technical director at SecureAge puts the spotlight on cyber attacks on the manufacturing industry and suggests that it is time for a new data-centric approach
Manufacturing companies are under threat from cyber attacks more than ever before. In a report published by the manufacturing industry organization Make UK, in association with the NCSC (National Cyber Security Centre), it was found that manufacturing is the third most targeted sector in the UK and that nearly half of the companies surveyed, 48%
In fact, manufacturing regularly appears as one of the industries most under threat on the global stage, as cyber criminals and state sponsored groups attempt to steal intellectual property and data or use ransomware attacks for financial gain.
A report published earlier this year revealed that the manufacturing industry spent more than any other sector last year on ransomware payments, paying out $6.9m, according to a study by Kivu Consulting. This represents 62% of the total $11m+ of ransoms transferred to cyber-criminals throughout 2019, despite manufacturing only making up 18% of all paid ransom cases.
In June this year, Tait Towers Manufacturing, a major manufacturing company for live events industry also reported a data breach affecting the personal and financial information of its employees. The US-headquartered multinational company – that waited nearly two months before disclosing the incident – said an unauthorized third party had accessed a server and some employee email accounts.
One of the problems manufacturers face is a complex supply chain of smaller disparate companies, which is often targeted to identify weak links. Earlier this year, a team at Context Information Security identified a new threat group behind a concerted series of incidents targeted at the aerospace and defence industries in the UK and Europe. The AVIVORE group were using legitimate remote connectivity or collaborative working solutions to bypass well-defended perimeters and gain access to the prime target.
Whether the aim is to steal IP and data or demand ransoms, threat actors are developing increasingly sophisticated, multi-function attack tools and using Artificial Intelligence and automation techniques.
Despite efforts to layer up their defences, many organisations are unable to stay ahead of the attackers, while others are struggling to do the basics like patching old vulnerabilities in legacy systems. Many manufacturing systems were designed with efficiency, throughput and regulatory compliance in mind rather than security; while the increased use of smart, connected devices and sensors, hooked up to big data analytics technology, expose
Time for a fresh approach
A fundamental assumption on which the traditional approach to security is based is that you can keep the attackers out. This is simply not true, otherwise we would not see successful cyberattacks. So there needs to be another way of protecting data. IT Security must rethink its traditional ‘castle and moat’ methods of protection and prioritise a ‘data centric’ approach, where security is built into data itself.
And this means protecting data wherever it exists: at rest, in transit and in use. Data at rest is stored in a digital form on a physical device, like a hard disk or USB drive. Data in transit is digitised information traversing a network, such as when sending an email, accessing data from remote servers, uploading or downloading files to and from the cloud, or communicating via SMS or chat. Data in use is information actively being accessed, processed or loaded into dynamic memory, such as active databases, or files being read, edited or discarded.
Securing data wherever it exists ensures that if it is stolen at any point, it remains protected and therefore useless to the thief – even if extracted by a member of staff. With transparent, 100% file encryption, all data will be protected no matter where it gets copied, because security is part of the file rather than a feature of its storage location. And by continuing the 100% encrypted principle, IT security experts no longer need to spend hours tweaking data classification rules, so that ‘important’ data gets more strongly protected.
Historically, there has been a trade-off between security and ease of use. For example, full disk encryption is easy to deploy, but security is compromised because a running system seamlessly decrypts any data for any process – legitimate or not. The good news is that we now have the technology and processing power to deliver both – full data protection that is transparent to the end user.
To stem the increasing number of attacks on manufacturing companies, it’s time to take a step up from a ‘high fences’ approach to data security and shift the focus from stopping threat actors getting access to data to protecting the data itself.