Cyber threat to factories

by Mark Rowe

Nearly half of manufacturers have been the victim of cyber-crime, and a quarter have suffered some financial loss or disruption to business as a result, according to a report by EEF, a trade association of manufacturers.

The report points to the manufacturing sector as the third most targeted for attack, with only government systems and finance more vulnerable. Yet manufacturing – which has 2.6 million employees, provides a tenth of UK output and 70 per cent of business research and development – is among the least protected sectors against cyber-crime in Britain, says the new report, Cyber-Security for Manufacturing. It’s published by EEF, the manufacturers’ trade body, and insurer AIG, and was carried out by the security and defence think-tank Royal United Services Institute (RUSI). It highlighted the susceptibility of manufacturers to cyber risk, revealing that 41 per cent of companies do not believe they have access to enough information to even assess their true cyber risk. And 45 per cent do not feel that they have access to the right tools for the job.

The 11-page report includes the cases of damage to a German steel mill after network tampering, and a 2017 malware attack on a petrochemical manufacturer in Saudi Arabia.

The cyber threat is holding back companies from investing in digital technologies, with a third of those surveyed nervous of digital improvement. Some 12 per cent of manufacturers admit they have no technical or managerial processes in place even to start assessing the real risk. One of the easiest routes for cyber-attack is through poorly protected office systems, which historically were often the first systems installed in manufacturing businesses.

Comments

Stephen Phipson, CEO of EEF, said: “More and more companies are at risk of attack and manufacturers urgently need to take steps to protect themselves against this burgeoning threat. EEF has a vital role supporting manufacturers in the face of this challenge and we are working closely with RUSI, whose world-leading Cyber Security Research Programme is well established as a key voice to understand the fight against the threat of ever-evolving cyber-crime to the modern business.

“We know businesses cannot afford to ignore this issue any longer and while we welcome government’s progress in improving cyber-security resilience, to date through the work of the NCA and NCSC, there needs to be an increasing focus given to the specific needs of manufacturing, which hitherto has been lacking.

“Failing to get this right could cost the UK economy billions of pounds, put thousands of jobs at risk and delay the supply of essential equipment to key public services and major national infrastructure projects. I hope this report underlines the critical risk to government and industry.”

David Emm, principal security researcher at the IT security product company Kaspersky Lab, said: “The world isn’t ready for cyber-attacks against critical infrastructure, but attackers are clearly ready and able to launch attacks on these facilities – as this trend towards attacks on the manufacturing sector shows. We’ve seen attacks on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – cases where organisations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting of these attacks hampers risk assessment and response to the threat. Security must be tailored to the specific needs of each organisation and be seen as an ongoing process. This is true also of the human dimension – tricking people into taking action that launches the initial exploit is as common in attacks on such facilities as it is in any other attack.”

Steve Malone, director of security product management at Mimecast, said: “It’s simply not good enough that only 62pc of manufacturers invest in cybersecurity training. While the sector has specific requirements for control systems and IoT, the risk management reality is much worse, as it is vulnerable to the same attacks as everybody else – particularly spear-phishing emails and ransomware targeted at employees. The upcoming GDPR may be a wake-up call for some, but we’re still not seeing these threats taken seriously. Regulations such as the NIS Directive, which aims to help build cyber resilience for essential and critical services, will be key for fostering a new culture of security.”

Tim Erlin, VP at cyber security product firm Tripwire, said: “It’s important to distinguish between cyberattacks on manufacturers and cyberattacks on industrial control systems. While they may be related, they’re not the same thing. Any organization with connected computer systems may fall victim to cyberattacks across a broad spectrum of technologies, but attacks on the systems that control a manufacturing plant floor are much more specific. Of course, manufacturing isn’t the only industry using industrial control systems. We have seen a rise in attacks on control systems themselves, and the impact to the business of these attacks can be very direct. At the same time, cyberattacks in general continue to plague organizations around the globe.”

And Rob Norris, VP Head of Enterprise and Cyber Security EMEIA at Fujitsu, said: “With events over the past year revealing just how enormous the potential cost – both reputationally and financially – of suffering a major security breach can be, manufacturers cannot afford not to take their data protection and cyber security seriously, or indeed make it a number one priority. In fact, with our latest report revealing a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, every single manufacturer has an obligation to make data protection as much of a priority as the public.

“Although organisational awareness is on the rise, it’s clear many still struggle to put in place the right measures to safeguard employees, customers and the broader business. Because even the best-run company could suffer from a hack or data breach, manufacturers should adopt a two-pronged approach by complementing employee training and awareness with continued investment in technical and security controls. In doing so, they can be on the front foot for proactively identifying and managing threats instead of waiting for breaches to happen. After all, cybercrime is not a probability, it is an inevitability, and it will be the way in which manufacturers prepare for it, however, that can make all the difference.”

Background

The survey in February 2018 was based on a sample size of 161 responses from UK-based manufacturing businesses, 98 of whom were Small and Medium-Sized Enterprises (SMEs) as per the UK Government definition.

© 2024 Professional Security Magazine. All rights reserved.