As ransomware threats continue to evolve, investing in Operational Technology (OT) cybersecurity solutions is vital for manufacturers.
Ransomware has evolved from simple extortion software into complex cybercrime operations that threaten businesses and critical infrastructure worldwide.
Unlike regionally or sector-focused cybercriminals, groups operating under the Ransomware-as-a-Service (RaaS) model have elevated these operations to the next level. These groups adapt and innovate to maximise extortion efficacy, impacting organisations across all industries, including those where operational downtime is highly disruptive or intolerable, particularly in industrial and critical infrastructure sectors.
Financially motivated and opportunistic, these ransomware groups often collaborate with other cybercriminal entities, such as Initial Access Brokers (IABs), who provide them with preliminary access to victims’ environments. This ecosystem of collaboration among cybercriminals accelerates ransomware deployment and amplifies the risk, making RaaS operations a challenge for global cybersecurity.
Dragos monitors the activities of ransomware groups, which disrupt operations within Industrial Control Systems (ICS) and Operational Technology (OT) environments.
Ransomware incidents impacting industrial sectors nearly doubled between Q1 and Q2 2024. The manufacturing sector even accounted for 66 per cent of all attacks on industrial organisations globally. These incidents highlight the increasing overlap between operational technology (OT) and IT systems, where breaches in IT can disrupt OT operations, leading to shutdowns and cascading supply chain disruptions.
Ransomware incidents nearly doubled from 169 in the first quarter of 2024 to 312 in the second quarter. The increase in incidents and their impact is notable, considering significant law enforcement operations involving ALPHV (BlackCat) and Lockbit 3.0 in previous quarters. These ransomware groups quickly adapted and recalibrated their strategies, increasing incidents in Q2 of 2024. Necessity drives innovation, and ransomware groups frequently adjust their strategy and tactics to avoid exposure and achieve their goals. The resilience and adaptability of ransomware groups make them an ongoing and growing risk to industrial sectors.
The manufacturing sector was the most affected, with 316 observed incidents across the first two quarters of 2024. The second most affected sector was developers and manufacturers of Industrial Control Systems (ICS) equipment and software, with 68 incidents.
In the Asia-Pacific region, which includes Australia, several key manufacturing sectors – such as automotive and food and beverage – reported disruptions as ransomware incidents targeted IT systems, indirectly impacting production operations. In the second quarter, indirect impacts of ransomware attacks on OT included system shutdowns, OT disruption, and access to SCADA system data, which had the potential to halt production and disrupt services.
Although ransomware groups have not yet directly attacked OT systems, the interconnectedness of OT and IT environments means that IT breaches can paralyse OT functions.
For example, ERP systems that manage supply chains or production scheduling often share infrastructure with OT systems, allowing ransomware to propagate quickly through both environments.
The financial and operational impact: Australian context
A ransomware incident in manufacturing can quickly spiral into financial losses.
Globally, production delays due to ransomware cost manufacturers in excess of $1 million per day, with downtime in Australia further compounded by its reliance on just-in-time supply chains. In some cases, manufacturers also face penalties for missed contracts or regulatory non-compliance.
A 2023 ransomware incident involving the Brunswick Corporation cost the company an estimated US$85 million due to production disruptions. A similar incident in Australia could result in comparable losses and cascading effects across domestic and international markets.
How ransomware moves across networks
Ransomware typically starts by compromising IT systems through phishing emails, weak or stolen credentials, or vulnerabilities in remote access software.
Once inside a network, adversaries often pivot toward OT systems due to poor network segmentation or shared authentication systems. This scenario is dangerous for manufacturers, where compromised OT systems can disrupt automated production lines, damage machinery, and jeopardise worker safety.
A notable example is the ransomware attack on an Australian automotive parts manufacturer in the second quarter of 2024. The attack started with the compromise of IT systems, but the lack of network isolation allowed it to spread into OT systems, forcing a week-long production halt. Such disruptions underscore the need for OT-native defences to isolate critical systems and detect intrusions early.
Why OT-specific solutions are crucial for manufacturers
Manufacturers need OT-specific cybersecurity solutions to address the unique risks of industrial environments. Traditional IT security tools often lack the visibility and control to protect OT systems. Additionally, OT systems may run on legacy hardware or software, making them harder to patch and secure without disrupting operations.
OT-native solutions can make a difference in the following areas:
· Network Segmentation: Implementing segmentation between IT and OT environments limits the movement of ransomware across systems, containing breaches before they escalate to impact business-critical physical operations.
· Advanced Threat Detection: OT-specific monitoring tools can detect abnormal behaviours, such as unauthorised access to SCADA systems, before ransomware takes hold.
· Integrated Investigation and Response Playbooks: Incident response plans with OT considerations enable fast recovery with minimal downtime, reducing an attack’s financial and operational impact.
· Automated Recovery Systems: In OT environments, real-time recovery systems ensure critical operations can resume without extended manual intervention.
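The segmentation and detection points above can be checked against network flow records. The following is an added example, not code from the article or from Dragos: it flags flows that cross between IT and OT zones outside permitted conduits. The subnets, zone names, allowed conduits and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed zone map (assumption): replace with your own subnets.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Well-known industrial protocol ports.
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 4840: "OPC UA",
             20000: "DNP3", 44818: "EtherNet/IP"}
# Assumed policy: IT and OT may only talk to each other through the DMZ.
ALLOWED = {("IT", "DMZ"), ("DMZ", "IT"), ("DMZ", "OT"), ("OT", "DMZ")}

def zone_of(addr):
    """Map an IP address to its zone name, or EXTERNAL if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"

def audit_flows(lines):
    """Return one finding per flow that bypasses the allowed conduits."""
    findings = []
    for line in lines:
        src, dst, port = line.split()
        port = int(port)
        sz, dz = zone_of(src), zone_of(dst)
        if sz == dz or (sz, dz) in ALLOWED:
            continue
        # Direct access to an OT host on a control protocol is the worst case.
        high = dz == "OT" and port in ICS_PORTS
        findings.append({"src": src, "dst": dst, "port": port,
                         "src_zone": sz, "dst_zone": dz,
                         "protocol": ICS_PORTS.get(port, "other"),
                         "severity": "high" if high else "medium"})
    return findings

# Constructed sample flow records: "source destination destination-port".
SAMPLE_FLOWS = [
    "10.10.4.21 10.20.0.5 443",    # IT workstation to DMZ host: allowed
    "10.20.0.5 10.30.1.10 502",    # DMZ host to controller: allowed conduit
    "10.10.4.21 10.30.1.10 502",   # IT workstation straight to a controller
    "10.10.8.7 10.30.2.40 445",    # IT server to OT file share over SMB
    "10.30.1.10 203.0.113.9 443",  # OT host reaching outside the plant
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f["severity"], f["src_zone"], "->", f["dst_zone"], f["dst"], f["port"], f["protocol"])
```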
Return on investment in OT-specific cybersecurity
Investing in OT cybersecurity is not just a technical upgrade – it provides measurable business benefits. These include reducing ransomware recovery times, minimising downtime, and avoiding the need to pay ransoms. Furthermore, these solutions help manufacturers avoid fines for regulatory non-compliance and maintain strong relationships with suppliers and customers by ensuring production continuity.
These systems also help manufacturers reduce downtime; cutting it by even one day could save millions. They can also help businesses maintain uninterrupted production and so avoid fines from delayed deliveries, which can run into millions for large-scale manufacturers.
With ransomware attacks expected to continue rising, Australian manufacturers must act now. OT-native cybersecurity solutions are no longer a luxury but a necessity. Manufacturers must adopt a proactive, layered defence strategy as ransomware groups evolve tactics, targeting IT systems with OT consequences. Executives should assess their organisations’ cybersecurity posture today and invest in OT-native solutions to ensure operational resilience.
Ransomware presents a growing threat to Australia’s manufacturing sector, with disruptions increasingly affecting IT and OT environments. Investing in OT-specific cybersecurity solutions offers manufacturers the best chance to contain attacks, minimise downtime, and protect business continuity. The lessons from recent ransomware incidents are clear: A failure to secure OT systems is not just a cybersecurity risk – it’s a business risk. With the proper defences, Australian manufacturers can safeguard their operations, protect their bottom line, and stay resilient in the face of evolving threats.