The manufacturing industry has become a prime target for cybercriminals, with attacks reaching unprecedented levels. According to Statista, the manufacturing sector faced the highest number of cyber attacks in 2023, and the complexity of supply chains means the sector is uniquely exposed to cyber threats.
There are two core dynamics at play.
Firstly, manufacturers are recipients of supply chain risk given most source components from hundreds, if not tens of thousands of suppliers. Secondly, manufacturers are vendors themselves supplying potentially unknowingly vulnerable products that have been compromised during the production process.
18% of Vulnerabilities are Rated ‘Serious’
Assessing the level of systems vulnerability for the sector overall can be achieved via penetration testing – where skilled professionals assume the role of hackers to uncover threats before criminals can exploit them.
Based on 16,000 of these tests carried out over 10 years, manufacturing consistently comes near the top of all industries in terms of serious vulnerabilities uncovered, with an average of 18%, far ahead of other sectors such as financial services and information services, which average 11%.
This is a concern given that manufacturers are targeted by both nation state actors and organized criminals for financial gain. The former may play the long game, and plan compromises years in advance, embedding persistent access across critical supply chains in preparation for future conflicts. Organized crime groups can be more opportunistic and varied in their attacks.
The More Suppliers, The Greater the Risk
The sheer number of suppliers is a weakness for both types of attackers. Take aerospace manufacturing where a single product may rely on tens of thousands of suppliers, each representing potential points of compromise. Criminals could target a vulnerability in what might appear to be a low-impact component, such as a rivet supplier.
Such a vulnerability may pose different risks than one in a GPS vendor, but both can be exploited. Hardware subversion is another risk: tampered or fraudulent microchips introduced through gray markets, often driven by cost pressures or procurement shortages, have been shown to harbor backdoors or defects. Companies may feel they’re safe from this threat and have absolute confidence in their supply chain, yet even NASA has been compromised in the past.
Whilst this may sound daunting, there are steps that manufacturers can take to greatly reduce their risk. It starts with enforcing supplier security requirements. Organizations should mandate annual offensive security testing and security questionnaires for vendors as part of their procurement and risk management processes. And this process needs to be transparent with any pen test report passed up the supply chain.
Manufacturers must also reinforce these processes with their own ‘Red Team’ testing on their suppliers. This sees ethical hackers replicating criminals by simulating supply chain compromises including impersonating vendors, inserting rogue firmware, and testing onboarding and approval processes.
The next step is to conduct vendor sampling and physical hacking. This involves sampling batches of devices or components and subjecting them to physical security testing, including teardown and hacking attempts.
During this process, hardware components, especially microprocessors, can be scrutinized for evidence of tampering, backdoors, or gray market substitution, particularly when sourced under constrained conditions. Even sampling as few as two devices in every batch of 1,000 can still make a marked difference in overall device integrity.
Devices don’t stay secure, given that malicious firmware can be installed via spoofed or compromised update mechanisms. Firmware should be cryptographically signed by the original equipment manufacturer (OEM), and devices should be secured by design so that they will not accept an update from any other source.
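The update check described above, written as an added illustration (not code from the original article or any OEM): the device pins the OEM public key at manufacture, verifies the Ed25519 signature over the whole package before reading any field, and additionally refuses downgrades. The package layout, the names Device, Verify and BuildUpdate, and the sample image are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed update layout for this example (not a real OEM format):
// 4-byte big-endian version | firmware image | 64-byte Ed25519 signature over both.
var (
	ErrMalformed = errors.New("update too short")
	ErrBadSig    = errors.New("signature not from the trusted OEM key")
	ErrRollback  = errors.New("update version not newer than installed")
)

// Device: OEM public key fixed at manufacture plus the installed version (anti-rollback counter).
type Device struct {
	OEMKey    ed25519.PublicKey
	Installed uint32
}

// Verify returns the image only for a package with a valid OEM signature and a newer version.
func (d *Device) Verify(pkg []byte) ([]byte, error) {
	if len(pkg) < 4+ed25519.SignatureSize {
		return nil, ErrMalformed
	}
	signed, sig := pkg[:len(pkg)-ed25519.SignatureSize], pkg[len(pkg)-ed25519.SignatureSize:]
	if !ed25519.Verify(d.OEMKey, signed, sig) { // verify before trusting any field
		return nil, ErrBadSig
	}
	if binary.BigEndian.Uint32(signed[:4]) <= d.Installed {
		return nil, ErrRollback
	}
	return signed[4:], nil
}

// BuildUpdate is the OEM-side signing step for the assumed layout.
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	pkg := append(binary.BigEndian.AppendUint32(nil, version), image...)
	return append(pkg, ed25519.Sign(priv, pkg)...)
}

func main() { // self-check: OEM-signed newer update accepted, other signer refused
	oemPub, oemPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{OEMKey: oemPub, Installed: 3}
	img := []byte("constructed image") // constructed sample payload
	_, okErr := dev.Verify(BuildUpdate(oemPriv, 4, img))
	_, badErr := dev.Verify(BuildUpdate(otherPriv, 4, img))
	fmt.Println("OEM accepted:", okErr == nil, "other signer rejected:", errors.Is(badErr, ErrBadSig))
}
```

On a real device the OEM key would live in read-only or fused storage and the installed version in a monotonic counter, so neither can be rewritten by the update path itself.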
Employee Education is Key
There is also an important employee education dimension. It’s not uncommon in a manufacturing environment to encounter various legacy devices that were never designed to be connected to the internet but now are.
Whilst employee intentions may be well-meaning, it’s impossible to retrofit security into old devices which are inherently vulnerable. In an ideal world, manufacturers would love to have the newest technology with the latest security built in, but in reality margins are tight and there might be certain equipment that just cannot be replaced easily.
Unfortunately, we do still find instances of devices running on Windows 98, but they should be kept well away from the public internet. It’s easy for any criminal to find an unsecured device in seconds. The tools to do so have existed for many years, but the advent of AI is making them more effective and even easier to use as the barriers to criminality continue to get lower.
It’s essential to get ahead of threats, and pen-testing can reveal security vulnerabilities that remain unaddressed before criminals can find them. But it is just one tool in a programmatic security approach to prevent vulnerabilities from putting the organization at risk.
Given the sheer complexity of the manufacturing sector, it’s impossible for any company to guarantee it is 100% ‘safe’, but taking the steps outlined above can go a long way towards improving security, and in a world where many criminals are opportunistic it can persuade them to move on to an easier target.