
Learning to take cybersecurity seriously

Retailers and banks aren't the only institutions that need to protect internal data

Metal fabricators may laugh at the idea that they need to be more aware about cybersecurity, but that would be incredibly shortsighted.

Hacking attacks targeting the likes of Target may dominate the headlines, but that doesn’t mean that small companies can’t be targets too. A cyber-attack can arrive as a suspicious email that, when clicked on, releases a virus with the potential to shut down a manufacturing company’s IT systems. Attackers also can target a company’s finances if they are able to obtain a vital piece of banking information. In these instances, attackers hope to fly below the radar as they cause mayhem and reap a small financial reward. But for the metal fabricator caught in a trap set by these Internet-based bandits, operations grind to a halt, or customer drawings may even be stolen.

To gain a broader understanding of what cybersecurity should mean to small and medium-sized manufacturers, The FABRICATOR spoke with Steven Douglas, the technology industry segment risk control director for CNA. An edited transcript of the conversation follows.

The FABRICATOR: Why should a metal fabricator be concerned about cybersecurity if it considers itself a small operation, not exactly a company worth targeting?

Steve Douglas: That’s a good question because there is so much noise in the media today about data breaches that we have almost gotten immune to it. It’s hard to focus.

One of the threats that they need to worry about is interruption of business. Bottom line: They are in a business to produce a physical product for a customer, make a profit, retain those customers, and keep those customers happy. One of the things that can come up with the manufacturer is that there are things that can interrupt that process and prevent you from producing those products. Increasingly even the small to medium-sized ones are dependent on information technology systems to run their businesses and production lines.

So process disruption has become a bigger issue. Things can impact that, such as your network getting infected with malware.

Also, there are other things like holding a customer’s intellectual property. These manufacturers have designs or product information that may need to be protected.

Then it may be as small as getting money stolen out of your bank account. For a small to medium-sized business, that can have a big impact when they have some sort of trouble with their online banking.

These types of businesses typically don’t have the resources to respond to such an incident. They don’t have the expertise to understand what kind of legal advice they might need. They don’t know how they can capture the information that law enforcement or some kind of claims investigation would need to resolve this incident. They have no idea how to repair the network and fix the vulnerabilities that allowed the infiltration to occur in the first place.

That’s one of the things that the insurance world can bring to the table. For example, if you get into an automobile accident, you find an attorney that specializes in auto claims. The same now applies to finding people that are familiar with the cyberworld.

FAB: What threats should metal fabricators be most aware of?

SD: It’s simple to understand, but it is a big threat: phishing attacks. Having an email that is posing as something that it is not. Enticing you to click on a link or download an attachment that, when you do, will release malware or cause other types of vulnerabilities that can be exploited to get into your network.

The other thing about phishing is not just the malware piece and the clicking on the link; it’s the fraud transactions that can occur that way. There we see even more specialized forms of phishing, such as spear phishing. That’s a very targeted form of phishing. It’s aimed at executives that might have approval authority for making financial transfers.

That is one of the things to remember: all of the technical details in the cyberthreat. There is a lot of just old-fashioned fraud involved in it that can be done in a remote and systematic way. It is just trying to trick you to do something that forces you to part with your money in a way that is fraudulent.

Social engineering is the term we usually use for it. It’s very sophisticated. It’s hard to tell what is a legitimate email versus a fraudulent email. It’s important to maintain that employee awareness.

FAB: Can you provide examples of metal manufacturers that have been hit by cyber-attacks?

SD: One of the current examples concerns a specific type of malware called ransomware. We have seen incidences of manufacturing companies getting infected with this ransomware, and it’s usually through a phishing email. Someone clicked on the link and downloaded the malicious software that actually encrypted the files on the company network. In this one case, it was engineering drawings that they were using to fabricate parts. It infected an engineer’s workstation and moved to the server and encrypted the files there. So when they are encrypted, it makes them unreadable for anyone that doesn’t have the encryption key. Unfortunately, in this case, it’s the attacker that has the encryption key and he is more than willing to sell it to you.

This type of attack has been around for a few years, but it’s really taken hold because it is so efficient. The attacker sends this out, and it’s very automated. The amounts of money are typically not high enough to prevent you from wanting to pay it. It’s typically around $500, and people are more than willing to pay that in some instances.

Here is the tricky part, however. The impact is much more than just that $500. First, this is a criminal infrastructure, so there is no guarantee that they are going to provide you with the encryption key once the ransom is paid. Sometimes you get back a response that the ransom has been upped to, say, $1,000.

Beyond just paying that, there is downtime involved with this. If you don’t have the appropriate drawings to run your processes, you are dead in the water until you can recover those files in another way or pay the ransom and get your files back. We have seen this type of downtime go on for a week or two.

The attackers want to be paid in bitcoins, which is a crypto-currency that is untraceable. Would a U.S. fabricator know where to go to make the currency exchange for dollars to bitcoin?

To tie it back to insurance, claims folks have a lot of expertise in finding the right resources and understanding these threats. This could be a big benefit to a small company looking for this type of resource.

FAB: What are some small things that small and medium-sized businesses could be doing to protect themselves from these cyberthreats?

SD: There are a lot of technology solutions out there. Having the right firewall and antivirus programs helps. Having some type of intrusion detection system is good. All of those are vital parts of an overall security program.

To keep it simple, I like to get manufacturers to think about what type of sensitive data that they might have or what type of IT or IT-dependent processes they might have. Have they identified where those critical bottlenecks are and where that data is? What if that data were accessed by an unauthorized party? What would be the impact? Most companies haven’t really thought that through, nor do they understand where that data resides. Is it only on a server? Is it on a laptop? Is it in the cloud? How is the information protected in those different places? The first step is really understanding what is there.

What if the system is inaccessible because it has been impaired by some malware? What processes are affected? Is it just the administrative networks, or do those administrative networks attach to your production systems? What backup and data recovery processes are in place around this type of sensitive data?

Starting off with that type of data inventory and understanding your processes are really important steps.

Other things I would look at are the education of the employees and their roles in protecting data. I just can’t emphasize enough the human element that is involved in this because all of those technology systems will get better at filtering and screening emails, but those phishing emails still get through.

Understand that cyberespionage is a very real thing and is a leading threat to manufacturers. It’s important to know what information was accessed and if personal information was accessed. That means you have to notify individuals. So it can be a real mess. It’s really important to keep employee awareness high.

FAB: What about cloud hosting of information?

SD: I think that for small to medium-sized enterprises, and even larger businesses, the cloud has become a very viable option. In many cases, it’s probably a more secure option.

The thing to remember is that although you have outsourced this operation, you have not outsourced the risk. So the business owner still has a responsibility to understand what protections are in place and to decide if it is adequately secure for the type of data that is being hosted in the cloud. For example, what happens if the data is unavailable?

What happens if there is a data breach? What is the consequence of that? If you are hosting your employee information in a cloud-based HR resource and there is a breach, you are still going to be responsible for what the law requires, such as notifying and possibly providing credit monitoring. The cloud provider is not going to be responsible unless it contractually agrees to take on the responsibility, which many of them do not do. Otherwise you have to take care of that cost.

You have to understand the terms of the contract and the service level agreements that these cloud-hosting providers offer.

FAB: In terms of ongoing prevention of cyberintrusion and information theft, what needs to take place?

SD: Absolutely, a strong onboarding process for employees is a good thing. Also, an ongoing awareness campaign helps as well.

Some of the better resources around things like phishing awareness, such as fake phishing emails, have been developed in-house. These can be sent to employees to test them. They are a great educational tool. So if the employees click on the link, instead of downloading malware, they get a message explaining that that was a phishing email. You can capture metrics about it, and you can target employees for more education. It’s a great tool for a safety or risk management program.

The other thing to do is to constantly be looking at increasing the vitality of your overall security program. A lot of resources are out there from entities such as the National Institute of Standards and Technology. These are free resources that would help you structure an incident response program.
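The metrics step of the in-house phishing test described above, as an added example that is not part of the interview or CNA’s material: it takes constructed per-recipient campaign results (the field names and sample data are assumptions), computes click and report rates per campaign, and lists the employees who clicked in more than one campaign as the group to target for additional education.

```python
# Phishing-simulation metrics: added example, not part of the interview.
# Field names and the sample campaign data below are constructed.
from collections import Counter, defaultdict

# "clicked" = followed the link in the simulated phishing email;
# "reported" = flagged the email to IT (possible even after clicking).
SAMPLE_RESULTS = [
    {"campaign": "2024-Q1", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2024-Q1", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2024-Q1", "user": "carol", "clicked": True,  "reported": True},
    {"campaign": "2024-Q1", "user": "dave",  "clicked": False, "reported": False},
    {"campaign": "2024-Q2", "user": "alice", "clicked": False, "reported": True},
    {"campaign": "2024-Q2", "user": "bob",   "clicked": True,  "reported": False},
    {"campaign": "2024-Q2", "user": "carol", "clicked": False, "reported": True},
    {"campaign": "2024-Q2", "user": "dave",  "clicked": True,  "reported": False},
    {"campaign": "2024-Q2", "user": "erin",  "clicked": False, "reported": False},
]


def campaign_metrics(results):
    """Per-campaign sent/clicked/reported counts and rates in percent."""
    counts = defaultdict(Counter)
    for r in results:
        c = counts[r["campaign"]]
        c["sent"] += 1
        c["clicked"] += int(r["clicked"])
        c["reported"] += int(r["reported"])
    return {
        name: {
            "sent": c["sent"], "clicked": c["clicked"], "reported": c["reported"],
            "click_rate": round(100.0 * c["clicked"] / c["sent"], 1),
            "report_rate": round(100.0 * c["reported"] / c["sent"], 1),
        }
        for name, c in sorted(counts.items())
    }


def training_candidates(results, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns, most clicks
    first: the group to target for additional awareness training."""
    clicks = Counter(r["user"] for r in results if r["clicked"])
    return sorted(((u, n) for u, n in clicks.items() if n >= min_clicks),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE_RESULTS).items():
        print(name, m)
    print("follow-up training:", training_candidates(SAMPLE_RESULTS))
```

Tracking the report rate alongside the click rate matters: a rising report rate is the clearest sign the awareness campaign is working, even while some clicks still occur.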

FAB: What sort of insurance products are tailored to cyberattacks? Why doesn’t general liability cover it?

SD: General liability is really only good in the broadest sense. I’m talking about coverage in a very general way.

It’s always important for the insured to ask the questions, understand coverages, and find an agent that will help them with this. In the most general sense, general liability coverage is meant to cover third-party damages that your operation may have caused, typically related to bodily injury or physical damage—real-world things. At a high level, general liability policies are crafted to cover those things.

So when information is copied from a network and someone that is not authorized to access that information takes it, is there any bodily injury or physical damage associated with that? I think it is arguable that there is not.

Now there are novel ways to get general liability to respond. But insurance companies have crafted ways to keep that more separate, saying that it is not really intended to cover intangible property, and data is intangible property.

So you have a data breach and you think, “What are the impacts?” If personal information is involved, then all of a sudden you have all of these state and federal regulations that may require you to respond in different ways. All of these things add to your costs. They are not liability costs; they are reimbursement costs. Some coverages have been designed to cover those costs for you. They are what we call our privacy event expense, which is how most companies refer to it. It is designed to help companies cover those expenses that they would incur with a data breach.

Another type of coverage that has been designed and is usually bundled together is privacy and liability. This would be applicable if someone sued you because their data had been accessed or some other damages occurred because of problems associated with your information infrastructure or your networks.

Those are two of the primary coverages. Now manufacturers are probably very interested in business interruption that occurs. What if the company can’t produce a product because the network is inaccessible? That’s what we call a cyber first party coverage. It’s for a business interruption caused by a cyber trigger, not a fire, flood, or earthquake.

It is a very complicated space from an insurance perspective. Metal fabricators need to be savvy buyers and should ask their agents about coverages. They can refer to some of the scenarios discussed here.

For additional information on protecting your company from cyberthreats and the role that insurance can play in protecting you if you are attacked, consult CNA’s archived webcast “Cyber-threats to the Manufacturing Supply Chain” at http://www.thefabricator.com/webcast/cna-cyber-threats-to-the-manufacturing-supply-chain.

Stephen Douglas is technology industry segment risk control director, CNA, 800-262-2000, www.cna.com.

About the Author

Dan Davis, Editor-in-Chief, The Fabricator

2135 Point Blvd., Elgin, IL 60123

815-227-8281

Dan Davis is editor-in-chief of The Fabricator, the industry's most widely circulated metal fabricating magazine, and its sister publications, The Tube & Pipe Journal and The Welder. He has been with the publications since April 2002.