Paul May, operations engineering manager, FM Global, urges manufacturers to be on their toes when it comes to securing their networks and to take nothing for granted.
“If you see this text then your files are no longer accessible, because they have been encrypted,” read the message on the computer screen. “Please follow the instructions and send $300 of Bitcoin to the following address.”
With these words, a Cadbury’s factory in Tasmania was forced to close for three days in June 2017 when parent Mondelez International’s entire global IT network was knocked out by the Petya ransomware attack. With 500 employees and 50,000 tonnes of chocolate produced a year, the impact was significant – and not just on Aussie chocolate lovers.
To date, Cadbury’s is one of the unlucky few manufacturers in Australia to have been hit so hard by a cyberattack. But our data suggests it may just be the tip of the iceberg. Counter-intuitively, manufacturing has proven to be one of the sectors most vulnerable to cyber risk. The reasons why suggest there’s much more pain to come.
A shifting risk landscape
As one of the world’s largest commercial property insurers, we have observed this as just one of several worrying cyber-risk trends. Australian manufacturers, and businesses in general, should be paying closer attention.
The rise of indiscriminate attacks, like last year’s WannaCry and NotPetya, is one of the reasons why manufacturers are among the most impacted by cyber threats in recent years, according to our loss data. Due to the global interconnectedness of business operations, such untargeted attacks spread easily throughout the system. The Cadbury’s shutdown in Tasmania was part of a worldwide shutdown of Mondelez International.
The fact that these untargeted strikes are resulting in the greatest damage negates the argument relied on by some business leaders. They say their business isn’t interesting to potential attackers so they don’t need a comprehensive cyber-risk strategy or insurance policy. Yet although a targeted attack strikes fear into the hearts of executives and risk managers, the risk of becoming collateral damage should not be underestimated.
Cyberattacks are increasing in number, roughly doubling every year since 2015. The financial impact to business is also on the rise, jumping 62 per cent between 2016 and 2018.
These attacks are also becoming more physical in nature, damaging property as well as disrupting operations. Imagine a wind turbine that gets hacked and spins out of control, causing millions of dollars in damage. As recently as 2015, there had been only two such recorded cases but tangibly destructive outcomes are now increasingly common.
Manufacturing under threat
Financial services companies were previously the most likely to be hit by cyberattack but when Petya struck in 2016, FM Global’s loss data shows that two-thirds of those affected were in manufacturing.
And it’s not just smaller or less sophisticated companies that are threatened. Our loss data shows large multinationals were badly impacted, with one major client taking 75 days to get operations back online.
Access to valuable intellectual property is one reason why the manufacturing industry is a target. But the main reasons for this spike in attacks are structural. Network access has been at issue in about 40 per cent of cases we’ve dealt with. Ageing industrial control systems that monitor equipment are also to blame, along with poor patching discipline and easily guessed passwords.
Physical security has proven to be another reason why manufacturing is a soft target because people can walk into some facilities without checks. Globally, almost two-thirds of the physical security deficiencies we’ve found have been in this sector. As companies become more technologically sophisticated, implementing more robotics and automation into their manufacturing processes, the attack surface will grow.
Resilience beats compliance
The threat landscape is evolving rapidly and cyber risk must be considered a business issue, not an IT or legal one. It’s a matter of ensuring resilience, not just compliance. This is because the extent of losses is determined largely by how long it takes your business to get back to normal – you can’t predict an attack but you should be prepared to respond.
There are three key aspects to managing cyber risk in the manufacturing sector – physical security, industrial control systems and information security. Boards and leadership teams looking to ensure their businesses are protected effectively must implement products, processes and educational initiatives taking each of these areas into account. These should be reinforced with appropriate insurance coverage based on a holistic view of cyber risk.
Our threat intelligence indicates that Australia is a medium-risk country when it comes to the potential for targeted cyberattacks. In March, the UK and US governments issued a first-of-its-kind warning that Russian state-sponsored cyber actors were trying to access devices that control internet traffic. Australian intelligence agencies joined their counterparts in the US and UK, advising that about 400 Australian businesses were among those targeted.
There’s a lot more than chocolate bars at stake when risk gets overlooked. Manufacturing accounted for about seven per cent of Australia’s total economic output in 2016. It employs close to a million workers, making it the sixth largest employer. Cyberattacks are increasingly indiscriminate but the same approach cannot apply to risk management strategies.