Almost half of UK manufacturers have been subjected to cyber attacks, according to trade group EEF’s report published today.
Britain’s spy agencies recently warned of Russian hackers invading unprotected networks and putting utilities, transport and health services at risk.
Almost 170 manufacturers across the country took part in an anonymous survey to form the EEF report. According to The Daily Telegraph, the head of EEF, Stephen Phipson, said: “There seems little doubt that many more attacks will have gone undetected.”
Oliver Welch, EEF’s security expert, said: “There’s evidence out there that there is quite a lot of malware that is designed to sit in the background, not really do very much, while the person infected doesn’t even know that it is happening.”
David Emm, principal security researcher, Kaspersky Lab, said: “The world isn’t ready for cyber-attacks against critical infrastructure, but attackers are clearly ready and able to launch attacks on these facilities – as this trend towards attacks on the manufacturing sector shows.
We’ve seen attacks on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – cases where organisations have spotted attacks and acknowledged them. However, many more companies do neither, and the lack of reporting of these attacks hampers risk assessment and response to the threat. Security must be tailored to the specific needs of each organisation and be seen as an ongoing process. This is true also of the human dimension – tricking people into taking action that launches the initial exploit is as common in attacks on such facilities as it is in any other attack.”
Lack of measures in place for cyber attacks
The report also revealed that only 62% of manufacturers have invested in cyber security training and 12% admitted to not having any technical or managerial measures in place to assess or mitigate cyber attacks.
Steve Malone, director of security product management at the cyber security company Mimecast, said: “It’s simply not good enough that only 62% of manufacturers invest in cybersecurity training. While the sector has specific requirements for control systems and IoT, the risk management reality is much worse, as it is vulnerable to the same attacks as everybody else – particularly spear-phishing emails and ransomware targeted at employees.
The upcoming GDPR may be a wake-up call for some, but we’re still not seeing these threats taken seriously. Regulations such as the NIS Directive, which aims to help build cyber resilience for essential and critical services, will be key for fostering a new culture of security.”
Rob Norris, VP Head of Enterprise & Cyber Security EMEIA at Fujitsu, said manufacturers cannot afford not to take their security seriously: “With events over the past year revealing just how enormous the potential cost – both reputationally and financially – of suffering a major security breach can be, manufacturers cannot afford not to take their data protection and cyber security seriously, or indeed make it a number one priority. In fact, with our latest report revealing a fifth of the UK public believe cybercrime and hacking are the biggest challenges facing the UK today, every single manufacturer has an obligation to make data protection as much of a priority as the public.
Although organisational awareness is on the rise, it’s clear many still struggle to put in place the right measures to safeguard employees, customers and the broader business. Because even the best-run company could suffer from a hack or data breach, manufacturers should adopt a two-pronged approach by complementing employee training and awareness with continued investment in technical and security controls. In doing so, they can be on the front foot for proactively identifying and managing threats instead of waiting for breaches to happen.
After all, cybercrime is not a probability, it is an inevitability, and it is the way in which manufacturers prepare for it, however, that can make all the difference.”
Incorrect tools for cyber attacks
45% of those surveyed claimed to not have the right tools, processes and technologies to cope with cyber attacks.
Tim Bandos, Director of Cybersecurity at Digital Guardian, commented: “Manufacturing companies are one of the most popular targets for cybercriminals, based on the sheer amount of classified information they hold. Increases in cyber-attacks targeting manufacturing can be attributed to a growing number of financially motivated, state-sponsored hackers. Typically, government-funded organisations target manufacturers’ networks to steal intellectual property (IP) and trade secrets. Data or more specifically intellectual property is the lifeblood of this industry and it must be protected accordingly.
It’s recommended that organisations take a KPI (Key Performance Indicator) perspective to cybersecurity, by setting goals and metrics to improve security stature. A key benefit of this is the ability to develop a heat map of sorts, to outline where they should be focusing their efforts and/or where they should continue to invest in protecting their most sensitive assets.”
Sylvain Gil, VP Products at Exabeam, added: “The issue with industrial systems is that many of them are old, ten to twenty years old in some cases, and there is not necessarily a practical way to upgrade them due to the criticality of their availability. Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have.
We need more insight into the behaviours of these systems. They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are. We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cybercrime, but they can actually have physical consequences, as well, like a shutdown or explosion.”