Inside the Breach: Why & How Manufacturers are Compromised

June 2023

by cybergrx

One single vulnerability is all a hacker needs.

In 2022, manufacturing firms suffered more than 130 data breaches, which exposed 38 million records. Additionally, as noted by Retail Dive, 48% of critical manufacturing providers in key sectors are now at risk of “significant” data breaches. And breaches come with costly consequences, too: the IBM 2022 Cost of a Data Breach Report cites an average data breach cost for manufacturing firms of $4.47 million, up 5.4% from 2021.

Put simply, the manufacturing industry is under threat. When cyber attacks are successful, production performance suffers, and revenue is lost. Manufacturers need to acknowledge the inherent risks they face and proactively mitigate the consequences of network compromise.

In this piece, we’ll break down five manufacturing cyber attacks, explore the common attack ploys, offer advice on spotting potential problems, and provide suggestions to help reduce total risks.

5 Manufacturing Data Breach Examples

Nissan

On June 21, 2022, vehicle manufacturer Nissan received a data breach notice from one of its third-party vendors. The vendor, a software development and testing company, was given customer data from Nissan to help build and evaluate its new solutions. However, a poorly-configured database allowed hackers to compromise the data, exposing more than 18,000 customer records. The exposed data included full names, dates of birth, and Nissan finance account numbers.

Audi and Volkswagen

Nissan isn’t the only automotive manufacturer dealing with the ramifications of a third-party vendor leaving data unsecured. The Volkswagen Group of America, Inc. reported that an unauthorized party had accessed its data between August 2019 and May 2021. The breach resulted from a vendor with insufficient cloud storage protections in place. Over 3 million customer records were stolen, 97% of which belonged to Audi customers and potential buyers. The data exposed ranged from names, email addresses, and phone numbers to Social Security and loan numbers.

Parker Hannifin

Parker Hannifin designs and manufactures aerospace components, including hydraulic assemblies and fuel systems, for Airbus, Boeing, Sikorsky, Rolls-Royce, Lockheed Martin, and the Commercial Aircraft Corporation of China. The company was the victim of a ransomware attack that compromised its IT systems between March 11 and March 14, 2022. Hacker group Conti claimed responsibility for the attack. After infiltrating company systems, the attackers compromised the data of current employees, former employees, and their dependents. Compromised data included names, dates of birth, Social Security numbers, addresses, passport numbers, and financial account information. On April 20, 2022, attackers posted 419GB of stolen data online. As of April 2023, the company agreed to pay the impacted employees a $1.75 million settlement. It is unknown if technical specs were compromised in the attack or if Parker Hannifin’s customers experienced any supply chain disruptions.

Visser Precision

Visser Precision was the victim of a cyber attack in April 2019 that used the DoppelPaymer ransomware. A new strain at the time of the attack, DoppelPaymer first steals files and then encrypts them, giving attackers more leverage when demanding a ransom. Attackers were able to exfiltrate documents, including NDAs with companies such as Tesla and SpaceX, and stole and published a schematic for a Lockheed Martin missile antenna. Visser Precision maintained operations during the attack, although its customers implemented “standard response processes for potential cyber incidents related to their supply chain” after being notified of Visser’s breach.

Mondelez

2017 saw food and beverage company Mondelez hit by encrypting malware NotPetya. This cyber attack permanently damaged over 1,500 servers and 20,000 laptops, impacting the company’s ability to fulfill order obligations worldwide. Mondelez spent $100 million to get back up and running and sued its cyber insurance company for refusing to pay the insurance claim. 

Cyber Attack Ploys Used in Manufacturing Breaches

Manufacturing companies are often attractive targets for cyber attackers who want to access a more extensive customer base. Compromising manufacturing systems requires an entry point. While malicious actors continuously develop new methods to breach company networks, four attack vectors are common:

Phishing & Ransomware

Cyber attacks often start with phishing. Why? Because it works. The 2023 State of the Phish report shows that direct financial losses from successful phishing attacks increased by 76% in 2022. 

Phishing opens the door to lateral movement across a manufacturer’s network and allows bad actors to introduce ransomware into an operating environment, which can both shut down production lines and leave companies with a difficult choice: Pay up and risk being victimized again, or ignore hacker demands and run the risk of significant data loss.

Ransomware is a growing concern for manufacturers, and for good reason. The number of successful ransomware attacks spiked by 107% in 2022, according to a report from Dragos. The increase may be due to manufacturers having little-to-no visibility into their systems, as well as credentials shared between information networks and operational tech systems. Combined, these factors make manufacturers easier prey for lazy cyber criminals.

Insider Attacks

Insider threats have risen 44% over the past two years, and the time to contain these incidents has also increased from 77 to 85 days. For manufacturing companies, insider threats present a dual problem: Not only can users with network access exfiltrate data such as intellectual property or product schematics, but the loss of this data could impact current production operations, in turn leading to production slowdowns as companies work to track down the origin of these attacks.

Legacy Tool and Technology Gaps

According to the InfoSec Institute, legacy systems remain a key point of compromise for manufacturers. These legacy tools are often tied to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) technologies that are critical to the continued operation of production lines. In many cases, these ICS and SCADA tools were deployed in the early years of company growth and have become so interwoven with operational best practices that they’re almost impossible to remove. However, these tools were never designed to work with cloud-connected and Internet-facing technologies, necessitating a “bridge” between legacy and evolving solutions. This bridge creates a potential point of compromise — and once attackers are inside ICS or SCADA systems, they can directly affect critical operations. 

Third-Party Compromise

Threat actors are targeting the manufacturing sector because of its vast connected network of suppliers and partners: third parties who may not have security practices as robust as yours and may be easier targets. In our Nissan and Volkswagen of America examples, both breaches stemmed from a vendor’s poor security and cloud protection practices, which made the data easy prey for hackers. These examples also raise the question: if the automotive manufacturers had had visibility into the security gaps of their vendors, could these compromises have been prevented?

From CyberGRX Exchange data, on average, 20% of an organization’s vendor portfolio exhibits a high inherent risk profile. Are you aware of which providers are most prone to a successful cyber attack and where common gaps occur across your portfolio?

Get the answer by booking time with our sales team.

Pinpointing the Indicators of Compromise

With manufacturing attacks on the rise, threat detection is critical. If security teams can spot potential cyber attacks before they compromise key systems, they can significantly mitigate — or entirely avoid — possible damage. However, security teams need to know what they’re looking for to accomplish this goal.

First and Third-Party Phishing Emails

If threat actors manage to get emails containing malicious links or attachments into employee inboxes and convince employees to click through, manufacturing operations are at risk. Security awareness training programs help employees recognize suspicious emails and provide protocols to follow should a staff member fall for the phishing bait. But the phishing risk extends beyond just your organization.

When a third party lacks a robust security awareness program, it also poses a risk to your organization. Data from the CyberGRX Exchange shows 83% of third parties report conducting social engineering training, but 42% aren’t testing whether the training is effective or measuring the level of staff vulnerabilities. With phishing on the rise, knowing how your suppliers protect their organizations is just as important as your internal security awareness program.

Insider Attack Patterns

Insider attacks are characterized by abnormal activity and data movement. Consider a staff member who faces the prospect of employment termination but still has system access. Using their current credentials, they may access product or production line data and then send it to personal email addresses or transfer it to USB drives. Without proper access control protocols, malicious privilege escalations are hard to notice. By implementing solutions capable of monitoring user behavior and comparing it to generalized use across the organization, teams can spot insider threats more easily.

Similarly, if your suppliers have recently undergone a reduction in workforce, the same potential risk exists here, too. In instances where mass layoffs have occurred, hackers may also look for dormant accounts that may provide a back door into systems.
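
One way to implement the two checks described in this section, comparing each user's data movement to the rest of the organization and finding dormant accounts that are still enabled. This is an added example, not CyberGRX code; the event fields, channel names, account records, and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample events: (user, channel, megabytes moved out of the network).
EVENTS = [
    ("alice", "corp_email", 12), ("alice", "usb", 5),
    ("bob", "corp_email", 9), ("bob", "personal_email", 3),
    ("carol", "corp_email", 15), ("dave", "usb", 8),
    ("erin", "personal_email", 420), ("erin", "usb", 900),
    ("frank", "corp_email", 11), ("gina", "usb", 6),
]
# Constructed account records: user -> (last interactive login, account enabled?).
ACCOUNTS = {
    "alice": (date(2023, 5, 30), True),
    "erin": (date(2023, 6, 1), True),
    "hank": (date(2023, 1, 10), False),        # idle, but already disabled
    "svc_plc_old": (date(2022, 11, 2), True),  # idle and still enabled
}
RISKY_CHANNELS = {"personal_email", "usb"}     # assumed channel labels

def risky_volume(events):
    """Total megabytes each user sent over the risky channels."""
    totals = defaultdict(float)
    for user, channel, mb in events:
        totals[user] += mb if channel in RISKY_CHANNELS else 0.0
    return dict(totals)

def outliers(events, threshold=3.5):
    """Flag users whose risky volume is far above their peers.

    Uses the modified z-score (median and MAD), which a single heavy
    user cannot skew the way a mean and standard deviation would be.
    """
    totals = risky_volume(events)
    med = median(totals.values())
    mad = median([abs(v - med) for v in totals.values()]) or 1.0
    return sorted(u for u, v in totals.items()
                  if 0.6745 * (v - med) / mad > threshold)

def dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no login for longer than max_idle_days."""
    return sorted(user for user, (last_login, enabled) in accounts.items()
                  if enabled and (today - last_login).days > max_idle_days)

if __name__ == "__main__":
    print("data-movement outliers:", outliers(EVENTS))
    print("dormant but enabled:", dormant_accounts(ACCOUNTS, date(2023, 6, 15)))
```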

Unusual Activity and Tool Connections

When it comes to legacy tools, companies should be on the lookout for a sudden uptick in requests from ICS or SCADA systems outside the realm of normal operations. It’s also a red flag if these tools begin interfacing with Internet-facing solutions that are only peripherally connected to ICS and SCADA functions.
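
The two red flags above, a sudden uptick in requests and a first connection to a destination outside the control network, can be checked against a baseline of normal traffic. This is an added example, not CyberGRX code; the flow-record layout, host names, zone labels, and the three-sigma threshold are assumptions, and all records are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed records: (hour, source_host, destination, destination_zone).
BASELINE = [(h, "plc-07", "hmi-01", "ot") for h in range(24) for _ in range(10 + h % 3)]
BASELINE += [(h, "scada-hist", "hmi-01", "ot") for h in range(24) for _ in range(4)]

CURRENT = [(0, "plc-07", "hmi-01", "ot")] * 11
CURRENT += [(1, "plc-07", "hmi-01", "ot")] * 40            # sudden uptick
CURRENT += [(1, "scada-hist", "hmi-01", "ot")] * 4
CURRENT += [(2, "scada-hist", "hmi-01", "ot")] * 4
CURRENT += [(2, "scada-hist", "vendor-portal.example", "internet")]  # new peer

def build_baseline(flows):
    """Return (hourly request ceiling per host, known peers per host)."""
    per_hour = defaultdict(Counter)
    peers = defaultdict(set)
    for hour, src, dst, _zone in flows:
        per_hour[src][hour] += 1
        peers[src].add(dst)
    ceiling = {}
    for host, hours in per_hour.items():
        counts = list(hours.values())
        # Floor the deviation at 1 so perfectly steady hosts still get headroom.
        ceiling[host] = mean(counts) + 3 * max(pstdev(counts), 1.0)
    return ceiling, peers

def detect(flows, ceiling, peers):
    """Alert on hourly volume above the ceiling and on unseen non-OT peers."""
    alerts = set()
    volume = Counter()
    for hour, src, dst, zone in flows:
        volume[(src, hour)] += 1
        if zone != "ot" and dst not in peers.get(src, set()):
            alerts.add((src, hour, "new_external_peer", dst))
    for (src, hour), count in volume.items():
        # Hosts absent from the baseline have a ceiling of 0 and always alert.
        if count > ceiling.get(src, 0):
            alerts.add((src, hour, "request_uptick", str(count)))
    return sorted(alerts)

if __name__ == "__main__":
    ceiling, peers = build_baseline(BASELINE)
    for alert in detect(CURRENT, ceiling, peers):
        print(alert)
```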

Holding the Line: How Manufacturers Can Reduce Total Risk

If production lines go down, companies are losing money. The longer these lines are down, the worse the outcome: what begins as lost revenue from volume decreases can quickly turn into reputation damage as stakeholders and customers become concerned about a business’s ability to safeguard key processes and fear disruptions in their supply chain.

However, a strategy that combines improved security hygiene, enhanced access control, and increased third-party insight can help reduce total risk.

Good Security Hygiene

Security hygiene ensures that all devices on a manufacturing network, from advanced automation tools to familiar machinery and legacy SCADA/ICS controls, are governed by the same set of protocols. In practice, this could take the form of end-to-end data encryption to prevent malicious eavesdropping or the connection of all devices to a commonly-visible cloud network that allows IT teams to see what’s happening in real time.

Zero Trust

Enhanced access control is all about zero trust. As noted by VentureBeat, Zero Trust Network Access (ZTNA) is a vital part of the “cure” for the current manufacturing attack epidemic. It makes sense: By implementing controls such as multi-factor authentication (MFA) and remote browser isolation, companies can keep systems safe even if attackers manage to compromise employee credentials. Using a “never trust, always verify” approach combined with solutions such as single sign-on (SSO) architecture, organizations can frustrate malicious actors while streamlining the authentication process for legitimate users.

Managing Third-Party Risk

Third-party protection depends on the ability to quickly evaluate and quantify potential risk before manufacturing partners, suppliers, or logistics vendors are compromised. With 50% of companies rating themselves as ineffective in completing vendor due diligence and 20% of third parties classified as high risk, organizations need a better way to assess their third-party ecosystem. 

When a third party has succumbed to a cyber attack, you don’t have time to reference answers to your assessment questionnaire; you need insights into your vulnerabilities immediately. To solve this dilemma, CyberGRX’s Portfolio Risk Findings leverages attested and predictive risk data, which can be applied to an industry framework, such as PCI DSS or NIST, or to a threat profile to understand which controls matter to that specific event and which vulnerabilities are most susceptible to being exploited.

Summary

Cyber attacks targeting manufacturers are becoming more common. To manage the evolving risk landscape, companies need strategies that tighten up first-party security defenses and address the vulnerabilities coming from their third-party ecosystem. After all, just because you don’t see the risks doesn’t mean they aren’t there. 

Better managing manufacturing risk starts with visibility into your third-party network. Want to see what dangers are lurking in your vendor ecosystem? Schedule time with our team now.
