Cyberattacks to metal fabrication companies are not hypothetical

The number of publicly recorded ransomware attacks against metalworking and manufacturing companies have tripled in the last year alone. Here's why shops should reevaluate the level of security in their systems. Getty Images

It’s a typical Tuesday, and your head of accounts payable gets an email that appears to be an invoice coming from a vendor’s SharePoint. He tries his best to view the invoice, downloading and opening the file, and breezing through the typical pop-up windows and warnings. No invoice comes up, and he assumes it’s just a bad file. He quickly moves on to the next task in his busy day, not thinking much about it.

Within an hour, you start getting phone calls from customers about suspicious emails coming from your team. Another customer, who happens to work for the government, just got a call from their credit card company about a fraudulent charge. Minutes later, your email system slows to a crawl. Another member of your office staff reports she can’t open an important file on the company-shared drive.

The floor supervisor calls, reporting the ERP system seems to be down and operators can’t log in. Finally, you see it: A window pops up on your PC demanding a ransom to access your data. No email, no shared drive, no ERP system. It’s spreading to your contacts. You pick up your office phone, hosted on your new VoIP system, and there’s no dial tone.

What’s your next move? Do you have an incident response plan? Do you have disaster recovery backups? Do you have cybersecurity insurance? You were hoping to get the PO today from a big, new customer. Who has the head of IT’s cell number?

Cyberattacks aren’t hypothetical, and the consequences are real. In March 2021 news surfaced of a critical vulnerability in Microsoft Exchange, the popular software that runs on-premises email servers used throughout manufacturing and other industries. Automated attacks were exploiting this vulnerability and infiltrating corporate networks via phishing emails, where unsuspecting users were downloading files or entering their password into a fake website.

The attack spread within organizations by emailing itself to Outlook contacts. Attackers then spread ransomware, stole data, and set up surveillance on networks. Microsoft quickly released a patch, but it was reported that at least 30,000 companies were already victims. Furthermore, many IT professionals were unable to patch systems quickly because they were too busy to keep up with the reports, or they were several versions behind and upgrading seemed risky. Attacks like this can happen to shops of all sizes and are a compelling reason to move from on-premises systems to the cloud.

Why Manufacturing Is a Target

As critical national infrastructure, manufacturing is a major target for cybercrime. Businesses of all sizes and at any point in the supply chain are targeted. Cyberattacks cost businesses $200,000 on average, and four in 10 companies have experienced multiple incidents.

Research shows that the number of publicly recorded ransomware attacks against manufacturing has tripled in the last year alone—and even job shops and contract manufacturers are at risk: 43% of cyberattacks are aimed at small businesses.

For shops that have or are seeking defense work, there is a coming tidal wave in the industry: the Cybersecurity Maturity Model Certification (CMMC). Over the next five years, every business in the defense manufacturing supply chain—an estimated 300,000 companies—will need to obtain third-party certification in cybersecurity. The level of required security will depend on what kind of data is handled by each company.

During the Cold War era, the U.S. government introduced the International Traffic in Arms Regulations (ITAR) to restrict the ability of private companies to ship munitions abroad without an export license. These rules were created to keep U.S.-developed military technology from reaching adversaries. In the following decades, the internet drastically changed what it meant to export technology. No longer was it enough to restrict physical shipments of arms. Technical data, such as 3D CAD models, engineering drawings, and work instructions, if disclosed to foreign entities, effectively exports that technology by giving the recipient the know-how to manufacture the arms themselves.

In response, the Department of Defense is taking action to ensure the supply chain protects its intellectual property and, in turn, its military advantage. Since 2015 the government has published and updated detailed cybersecurity standards and introduced language in defense contracts mandating compliance with them. The next step in this evolution is CMMC. This is a massive undertaking and will create an entire compliance industry and ecosystem as manufacturers race to get certified.

CMMC requirements will be introduced gradually to contracts. If you wait until required by a contract to think about cybersecurity compliance, it will be too late. It takes a typical shop many months to assess and remediate gaps. Third-party certification will no doubt take additional time. One way to get ready is to ask your software-as-a-service (SaaS) vendors now how they will support your CMMC compliance.

Even if you aren’t doing defense work, cybersecurity should be top of mind. The demands of parts buyers across industries are quickly evolving. In addition to expecting fast turnaround times on quotes and a professional digital experience, buyers are including cybersecurity in their vendor evaluation criteria. And why not? For product developers, like OEMs, partnering with a contract manufacturer can be a scary proposition. A buyer’s primary job is to manage risk. In addition to risks with hitting cost and delivery goals, parts buyers are increasingly concerned about their intellectual property.

Designers and engineers invest heavily in creating a product, and they are very concerned about who may have access to 3D models, engineering drawings, specifications, and manufacturing work instructions. It doesn’t matter what IT protections they put in place internally if their vendors, who receive engineering drawings and CAD models, don’t protect data. Information security is only as strong as the weakest link, and buyers don’t want their supply chain to undermine their efforts.

Outside of the defense industry, buyers look for third-party certifications, like ISO 27001, and it’s more and more common for buyers evaluating a new vendor to expect documentation describing a shop’s cybersecurity program. Not having a strong written set of policies could disqualify you from even getting the opportunity to bid on a request for quote. Security questionnaires are also quite common, asking manufacturers to explain their internal IT policies, what security standards they follow, whether they have had a third-party assessment, and whether they have had cybersecurity incidents in the past. Manufacturers need to speak effectively to these concerns and show evidence of a strong security posture.

Cloud-based Software Can Protect You

Companies that had already made the switch to cloud-based email services (like Office 365 or Google Suite) found themselves completely protected against many of the recent cybersecurity threats. Why? The major cloud providers staff 24/7 network operations centers and keep their systems up to date. They are better positioned to detect and block phishing and malware campaigns spreading through email.

Cloud providers are responsible for backup and recovery when an incident occurs. As a bonus, you don’t need to make capital investments in servers. Cloud-based tools generally reduce some burden on your IT staff or eliminate the need for in-house IT resources. This is especially important in manufacturing, where many organizations don’t have dedicated IT staff; instead, IT responsibilities fall on the member of the operations staff with the most technical knowledge. It’s very hard for these busy jack-of-all-trades to keep up with threats as they unfold in real time and be prepared to take quick action to patch and isolate vulnerable systems.

Steps You Should Take

In today’s digital world, cybersecurity is not optional. Digital transformation is empowering manufacturers to find entirely new levels of efficiency and automation. With skilled workers being hard to find, technology lets each employee get more done.

With all its power and benefits, digital-based workflow also introduces a lot of risk. As you rely on digital tools, you make your business more susceptible to security breaches, service outages, and data loss. In order to stay competitive, you need to adopt leading technologies while managing that risk. But before you adopt new technologies, you need a cybersecurity strategy.

A good cybersecurity strategy includes written IT policies including annual training for the entire staff, PC management and maintenance, embracing cloud options where possible, and clearly defining and delegating IT responsibilities.

First, you can embrace the cloud. Cloud computing can be a great way to shore up security, but not all cloud providers are created equal. Evaluate your software partners’ security in the same way your customers evaluate yours.

How does your shop manage part files and prints? How old is your ERP system? Where do you back up your hard drives, and is it done automatically?

If you’re storing customer files on your PC and running shop floor data systems on-premises, have you considered moving to a cloud-based platform? Running your shop in the cloud has some serious benefits. Activities like sales, estimating, quoting, and procurement require a lot of collaboration and benefit from a secure cloud platform that can streamline efforts and protect against cybersecurity breaches, one of the largest threats to the manufacturing industry.

To evaluate any software partner, ask where the software was developed and where its support and system administrative staffs are. Will they natively speak your language, and do their hours of operation align with yours?

Also, find out who has access to your files and for what reasons. Do you own the data you upload? Read the terms and conditions and ask yourself whether you’re comfortable with what the vendor is allowed to do with your data.

Finally, what is your disaster recovery plan? OVH is one of Europe’s top cloud providers, providing IT infrastructure for a variety of websites and applications. In March 2021 its data center in France suffered a major fire, destroying servers, hard drives, and networking equipment. Many popular websites in Europe were knocked offline for hours or days. SaaS vendors who didn’t maintain disaster recovery backups located in a different data center faced irreversible loss of their customers’ data. Ask your vendor whether and where they store backups and how long it would take to restore service in the event of a major infrastructure incident.

Complying with cybersecurity standards and implementing written policies are essential. However, compliance and security are not the same thing. To make sure a vendor walks the walk, ask about third-party penetration testing, where ethical hackers are hired to test a SaaS product’s defenses. Some findings are to be expected, so make sure the vendor remediates issues promptly.

Also, don’t assume a SaaS vendor has a strong cybersecurity program—verify it. Secure SaaS vendors will be happy to share some documentation about the investment they have made in information security. Don’t expect every detail, which the vendor would consider proprietary, but you should expect an overview. What cloud provider does the SaaS company use? Does the staff use best authentication practices, including multifactor authentication and single sign-on? Can the provider describe any security breaches it’s had in the last two years? How do its software developers protect against the most common vulnerabilities?

Consider what regulations govern the type of data you store and process. Are you aware that many U.S. states have adopted or are considering regulations around digital privacy and personally identifiable information (PII)? This impacts how you need to handle information like payroll data and customer and employee contact information. Contracts for customers in the medical or defense industries may come with additional regulations.

Ensure a Secure Digital Transformation

As manufacturers create their compliance programs, they need to consider how every vendor and software system impacts their security posture. With traditional software tools, export-controlled data is frequently exchanged and stored using noncompliant systems such as email, unencrypted mobile devices, and inadequately maintained on-premise computers and servers. It is critical to adopt leading technologies that provide the benefits of automation and digitization while ensuring your data remains secure.