Manufacturing and security - why is the sector at the most risk?

According to the World Bank, the services sector represents approximately 62 percent of the global gross domestic product, or GDP. Manufacturing is responsible for 16 percent of the global GDP. Yet, according to the eSentire Ransomware Readiness report, the manufacturing sector was affected the worst by ransomware attacks between 2020 and 2023, with 18 percent of the total amount of attacks hitting companies in this vertical market. For comparison, the business services sector saw 12 percent of the total number of attacks during the same period.

So why is the manufacturing sector affected so much by ransomware, in comparison with other vertical markets? And how can IT teams at manufacturing companies improve their position around security when they are already time poor and under huge amounts of pressure to begin with?

Understanding the threat

To start with, it is worth looking at these ransomware attacks over the past few years in more detail to add some more context. The manufacturing sector is not homogenous - there are huge variations in company size, operations and processes to factor in. A huge multi-national industrial group will be in a very different position compared to a small business in a niche market, for example.

Breaking down the manufacturing vertical, the top three sectors affected were industrial machinery and equipment manufacturers, followed by building materials and food and beverage makers. These companies tend to be larger than other companies in the overall manufacturing sector, which should equate to higher revenues and therefore make them more attractive targets for attack. These companies also tend to work as part of bigger international supply chains.

Looking at the overall company demographics side, the most common company hit by ransomware would earn between $1million and $25 million in revenue, and would have under 100 employees. Why is this group most likely to be attacked? While there are simply more companies of this size than there are global enterprises, there is another reason why they would be more likely to be targeted for attacks. These companies will earn enough revenue to be a potentially worthwhile target for a threat actor, but they may also not be large enough to have a dedicated IT security team or security operations centre of their own. With so many IT tasks and responsibilities to take care of, these teams can miss out on potential security  vulnerabilities that then lead to exploitation.

In terms of the threat actors themselves, the most prolific group over the last three years has been LockBit, followed by the Conti and BlackCat/ALPHV groups. The FBI cites LockBit as being responsible for 1,700 ransomware attacks, and for receiving approximately USD $91 million in ransomware payments over that time. However, due to the actions of international law enforcement agencies, LockBit has been disrupted with several members of the gang and affiliates arrested, but it continues to operate and attacks attributed to them have been announced in 2024. Similarly, the Conti group has been sanctioned in the UK and the US.

Looking at the cyberattacks that succeeded in the manufacturing sector, the most common cause was due to issues around Remote Desktop Protocol, or RDP. This is a legitimate tool used by IT professionals to access computer systems, as well as for end-users to dial into their computers when they work remotely. However, RDP can also be used by threat actors to gain access to IT networks, and can then lead to lateral movement within the network and ransomware deployment. The second most popular attack vector for threat actors to gain access to their targets’ IT systems is via stolen VPN credentials and the third most popular is through email attacks. 

Improving security responses

To prepare for these kinds of attacks, start with your staff. Providing training on cyberthreats that they might encounter is an effective starting point, so make sure your phishing and security awareness training programme covers both email and browser-based threats. As part of this, your training needs to be memorable, and it must be backed up with a culture that encourages users to share potential issues quickly when they may have made a potential mistake. This can help you stop issues, rather than having to deal with the aftermath, if people feel they will be punished for mistakes or that they can’t ask for help.

On the network security side, you can mitigate potential risks by applying security patches and updates as soon as possible. As part of this, prioritise actively exploited vulnerabilities. If any of those issues can’t be patched quickly - and the manufacturing sector can see a lot of this due to the cost of downtime - then implement mitigations that should prevent attacks too. However, you should also document these mitigations and how they are not long-term solutions but stop-gap measures until a full update can be applied.

You should also look at your IT tools and services, as these are often targeted by threat actors. Services, like file sharing, have been targeted because the applications themselves have contained vulnerabilities that led to remote code execution, yet they were not prioritised because the tools themselves were not considered as critical. Yet, it is their status as ubiquitous tools that all employees within a company might use, and the fact that they have to be publicly accessible on the Internet, that made them such susceptible targets for attackers. To make these services more secure, consider restricting access, even when your tools are fully patched, to reduce risk.

Similarly, remote access services like RDP should not rely solely on username and password credentials for security. Remote access should be behind a VPN or restricted access, and all accounts should require multi-factor authentication (MFA). To reduce the impact of compromised credentials, MFA access requirements should help massively, but also look at limiting access to network resources to only managed and compliant systems. In other words, alongside what someone might know and what they might have, the device they use can be another security factor used to decide whether to grant access. Monitor your remote access log-ons for services like RDP and VPNs, and look for any activity that is outside of normal parameters. If you do find that credentials have been leaked, then deactivate and refresh all authentication sessions.

Threat intelligence data can help you prepare for potential issues and attacks, and to prioritise your mitigation steps in the event of any change in circumstances around a security patch or issue. Dark web monitoring services can look out for leaked credentials or rumours of attacks, so you can investigate credible issues that might be relevant to your organisation. At the same time, look at how well you can turn any threat intelligence feed into operational processes so that you don’t overspend on data feeds that don’t actively improve your own security procedures and effectiveness. Reducing false positives and duplication of data can help your stretched team be more effective than adding more redundant data into the mix.

With so many companies getting attacked, it’s a case of when – and not if –  you have an issue around security. Plan ahead when it comes to your incident response readiness, so you can minimise the effect of any disruption, limiting the blast radius for any attack and reducing your recovery costs.

For manufacturing companies, ransomware attacks have moved up the list in terms of risk. To prevent these kinds of attacks from succeeding in the future, look at your endpoint detection and response approach as well as planning ahead on incident response. For time-poor teams, that already have enough to deal with in keeping critical business applications online around the clock, proactively engaging in security planning in advance can make a significant difference to risk mitigation.