Manufacturing's Secrets and Lies

Increasing numbers of hackers are banking on employee access to valuable information

Manufacturing Industry Hacks

The manufacturing industry is now a No. 1 target, according to Verizon’s respected data-breach report. Last year, of 620 incidents, at least one-fifth led to confirmed breaches. Most threat actors (93% of them) were external, and the vast majority (94%) were related to espionage.

The latter is particularly telling, because in the past few years, hackers have grown alarmingly strategic. They’re targeting bigger bounties over quicker payoffs, even if that requires more work. Proprietary company secrets yield priceless rewards compared with, say, simple identity theft. The damage, in turn, is much worse—compromising blueprints, trade secrets, and business maneuvers. These are assets on which entire companies can be built.

The nature of manufacturing breaches (graph courtesy of the "2017 Verizon Data Breach Investigations Report")

A recent USA Today story revealed that the U.S. spends $500 billion annually on early-stage R&D, while China spends primarily on backend R&D. In other words, China is in the habit of letting America do the innovating, then investing their money into translating those discoveries to competitive, commercial products. In many cases, this can be done legally. However, it’s also an apt metaphor for what motivates cyberattacks on manufacturing businesses: stealing intel to make and/or distribute the same product with less overhead.

In 2014, the U.S. government charged five Chinese government officials with hacking six sizable American manufacturers to benefit their state-owned companies. Their exploits included: nuclear-plant technology and business strategy (Westinghouse Electric); strategic trade information (U.S. Steel); and solar-panel innovations (SolarWorld).

U.S. President Barack Obama and Chinese President Xi Jinping later agreed on a diplomatic treaty that diminished China-based espionage. Still, the Department of Homeland Security has been reporting an astounding spike in manufacturing attacks, including a malware campaign that’s targeted manufacturing for more than a year.

Types of Manufacturing Data Breached (graph courtesy of the 2017 Verizon Data Breach Investigations Report)

A year back, Southeast Asian hackers stole project data from ThyssenKrupp, one of the world’s largest steel makers. “The incident is not attributable to security deficiencies,” the (German) company puzzlingly said in an official statement. “Human error can also be ruled out. Experts say that in the complex IT landscapes of large companies, it is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks.”

Actually, this technology does exist. And the truth is, manufacturing is woefully behind in deploying proactive cybersecurity. Though ThyssenKrupp didn’t divulge the method of attack, phishing and malware—inside threats—are major obstacles in the industry.

There’s hope that compliance can push companies away from band-aids such as firewalls and SIEMs, towards behavior-based analytics that actually widen and sharpen threat visibility. Stateside, manufacturing is subject to several laws, such as those dictated by the U.S. Foreign Corrupt Practices Act (FCPA) and Office of Foreign Assets Control (OFAC). But when it comes to risk management, especially compared to finance and retail, it’s short on cybersecurity regulations.

It’s up to board-member, investor, and stockholder demands to fill that compliance gap. Why? Because in the same way that cyber espionage is used for economic advantage, cybersecurity should be thought of as an enterprise’s competitive edge.