Understanding and mitigating the cyber threat to manufacturers

Thomas Cartlidge, Head of Threat Intelligence at Six Degrees, explains why manufacturers are at increased risk of cyber attacks and how they can protect against them.

Manufacturing is an industry in which up-time, productivity and reputation are everything. Recognising this, cyber-criminals have targeted manufacturing with vigour, so much so that manufacturing has become the most targeted sector for cyber-attacks in 2020.

With high-profile cyber-attacks such as the Honda ransomware attack that interrupted production in some plants, the cyber threat to manufacturers is clear. But why are manufacturers such prize targets for hackers? And how can they begin to take steps to mitigate the cyber threat they face?

Cyber security in manufacturing: the state of play in 2020

A challenging issue commonly facing manufacturers is the antiquity of their systems. Many of the manufacturing systems in use today were developed in a time when cyber security was less mature. They were designed and built with a focus on performance and safety, and now many manufacturers are playing catch-up when it comes to implementing the appropriate cyber security measures throughout their operations.

The nature of manufacturing in 2020 makes it a sector that is especially vulnerable to cyber-attacks. One reason is that manufacturers' intellectual property is highly valuable. Another is that manufacturing firms, whether automotive, electronics or pharmaceutical, often rely on very specific software packages that are difficult to patch against new exploits, rendering them extremely vulnerable to attack.

These cyber-attacks are launched by a variety of people, using different methods, and all with different motivations.

Who is attacking manufacturers, and why?

Given the nature of their operations and geographic spread, manufacturers face a number of cyber threat actors on a daily basis. Three of the key types of attacker targeting manufacturers are cyber-criminals, competitors, and nation states.


Cyber-criminals

Ninety-nine times out of a hundred, cyber-criminals are motivated by financial gain. Typically, cyber-criminals will attempt to gain access to manufacturers’ internal systems in order to steal intellectual property and/or deploy ransomware payloads.

The cyber-criminals will then use blackmail to extort money from the victims, threatening to leak intellectual property online or revoke access permanently to data encrypted by ransomware. A real-life example is aluminium manufacturer Norsk Hydro, which in 2019 had its operations halted when cyber-criminals launched a successful ransomware attack on the firm.


Competitors

Rival manufacturers have been known to steal intellectual property from competitors in order to enhance their own products. Competitors will tend to use less sophisticated attack methods to target rival manufacturers.

Executives moving from one firm to another may take advantage of accounts that have yet to be deactivated, or may siphon intellectual property out of the firm through online storage tools or USB drives. A real-life example involves four ex-employees of an Indian pharmaceutical firm, who were arrested in early 2020 after allegedly stealing data, including sensitive details pertaining to drug manufacturing, from their former employer.

Nation states

The increasingly global nature of manufacturing has brought belligerent nation states into play as threat actors. Their goals are often to cause widespread damage to organisations or even entire nations.

Attacks sponsored by nation states are often technically complex, using sophisticated cyber-attack methods and the latest malware variants to exploit weaknesses in manufacturers’ cyber security provisions. Swiss drug and technology maker Roche was one of many European companies attacked by a hacking group with alleged links to the Chinese government, using a malware variant called Winnti, which gave hackers remote access to victims’ computers.

How are manufacturers being attacked?

In 2020, ransomware is by far the most popular cyber-attack method that threat actors use to target manufacturers. In a typical ransomware attack a target organisation’s network is penetrated by hackers. This is often achieved by sending a phishing email to individuals in the organisation that contains malware. It is also sometimes achieved by exploiting a vulnerability in the organisation’s network.

The malware enters the network, and the attackers conduct reconnaissance and further activity to gain the access they need to execute the ransomware. Once this is done, the target organisation’s network is encrypted and made effectively unusable until either a ransom is paid or the organisation reverts to backups to bring the network back online.

The Norsk Hydro attack demonstrated the massive financial and operational impact ransomware can have on manufacturing firms. The firm suffered millions of pounds in lost revenue and several months of operational turmoil. However, a relatively new trend for double-extortion ransomware attacks introduces a significant reputational threat to manufacturers, too.

The rise of the double-extortion attack

The double-extortion attack became a prominent tactic from late 2019 onwards, as a further method for attackers to make money. In a double-extortion ransomware attack, the attackers threaten to leak stolen data onto the internet. The intention is to shame target organisations into paying a ransom, even if the appropriate backups are in place to mitigate a traditional ransomware attack.

Many double-extortion ransomware attacks lead to sensitive data being publicised on social media. In mid-2020, there was an increasing trend for the publication of screenshots of the stolen data by cyber-criminals and security researchers. This trend means that often the first public indication that an organisation has been hit by ransomware will be stolen sensitive information appearing on social media.

One manufacturer targeted by this sort of attack was the rail vehicle manufacturer Stadler. The company suffered a double-extortion ransomware attack in May 2020, which affected the entire company as stolen data was posted online for sale.

How do manufacturers protect themselves?

The cyber threat to manufacturers is real, and it’s getting worse. In order for manufacturers to protect themselves, they need to understand the risks they face. By understanding these risks, manufacturers can take steps to address them.

The success of a ransomware attack on a manufacturer depends on the level of cyber security the manufacturer has in place. The better its cyber security posture, the lower the chance of the attack being successful and causing significant disruption.

Manufacturers seeking to protect themselves from ransomware should consider short-term mitigating actions alongside longer-term strategic decisions. In the short term, tailored penetration tests enable manufacturers to test and remediate existing vulnerabilities in their cyber defences. Looking further forward, a trusted cyber security partner can deliver advisory services that enable manufacturers to develop cyber security strategies that align their cyber security postures to their risk appetites.

There is no single method that will enable manufacturers to mitigate the cyber threats they face. However, manufacturers that understand their risk profiles can create risk treatment plans that prioritise investment and enhance their cyber security postures, safeguarding their operations in today’s hostile digital landscape.

Thomas Cartlidge is Head of Threat Intelligence at Six Degrees, a leading secure cloud-led managed service provider that works as a collaborative technology partner to organisations making a digital transition.

Copyright Lyonsdown Limited 2021
