Complacency about cybersecurity should be a crime in manufacturing

Cybercriminals remain committed to the their trade because they operate in countries that will not punish them, making the payoff much greater than any risk that would normally be associated with such an illegal activity. With that in mind, manufacturing companies need to have some sort of strategy to keep from becoming the victim of a cybercrime. Thitichaya Yajampa/iStock/Getty Images Plus

The FABRICATOR’s Technology Summit, an event that provides metal fabricators the opportunity to see several different manufacturing operations in one geographic area, gives industry personnel the chance to not only see some of the latest manufacturing technology in action, but also have some conversations with other inquisitive fabricators. In fact, some of the subjects can be quite enlightening.

In 2015, when the summit took place in Cincinnati, I heard about a case where a metal fabricator&emdash;not one attending the event, but a company that an attendee knew&emdash;was the victim of a ransomware attack. Someone within the company had opened an email that he thought was an official communication from a customer, and that eventually led to management and all employees being locked out of their software programs and databases until a ransom was paid. It literally was the first time that I had heard about a ransomware case in the metal fabricating industry, even though I heard regularly from cybersecurity experts pitching ideas for articles.

That proved to be a prescient conversation, because since that day, the tales of manufacturing companies being the victim of a cybercrime are much more familiar. A 2023 survey from SecurityScorecard, which is involved in cybersecurity ratings of products and services, and the Cyentia Institute, a cybersecurity research firm, revealed that 98% of organizations have vendor relationships with at least one third-party firm that has experienced a security breach in the last two years. These aren’t just noteworthy anecdotes; this is a massive trend worthy of concern.

In early April alone, reports of infiltration of information technology (IT) systems involved a Minnesota public school district, an Illinois hospital network, and a German builder of yachts and military vessels, just to name a few. Around this same time, multibillion-dollar company Applied Materials, which supplies equipment, services, and software to the semiconductor industry, announced that a ransomware attack on its supplier MKS Instruments would cost it $250 million in late shipments in Q2 2023. These stories are being shared publicly because they are common occurrences, and targets are not just mom and pop shops.

Bryce Austin, the founder of cybersecurity firm TCE Strategy, said that the vulnerability of manufacturing companies is much greater today because everyone is embracing the potential of the Industrial Internet of Things. This digital connectivity is a doorway to more manufacturing efficiency, but it’s also a possible access point for unwanted cyber-intruders to gain access to a company’s internal systems.

“We are now creating Internet-of-Things-enabled devices that are designed without any thought towards cybersecurity,” Austin said. “You hook them up to a network that is hooked up to the internet, and you’re exposing your company to a literal war zone.”

As he made that statement, I had to laugh to myself as I’ve seen the way the USB drives are used on shop floors. People just plug them into machines without even thinking. Are these drives checked for malware? Are they locked down? I had never really thought to question the use of those convenient tools, but it does make you think.

Austin offers some really good advice for metal fabricators that can help them keep the cybercriminals on the outside of their networks. The tips are applicable to both small and medium-sized companies as well.

At the very least, it doesn’t take a lot of effort just to back up systems after a day and to keep those backups off the network. Put them in a drawer, and it might as well be Fort Knox to someone limited to crawling around a server looking for them. That always gives a company the ability to start over and avoid a painful ransom negotiation.

Any company not taking cybersecurity seriously is putting itself at great risk. In its “Threat Intelligence Index 2023” report, IBM reported that 30% of all extortion-related cyberattacks targeted manufacturers, making it the most popular sector for cybercriminals to target. These web-based wrongdoers know that manufacturing companies deal with serious deadlines, so they need their systems up and running to keep production going. Because they are more likely to respond quickly to a ransom demand, the bad guys are going to keep looking for entryways into these manufacturing companies.

Business is good for cybercriminals, so they won’t be shutting down shop anytime soon. That’s why metal fabricators need to shut these thugs out, teaching the bad buys a lesson in interrupted business practices.