Manufacturing – A Persistent and Prime Cyber Attack Target


9/26/14

As manufacturing companies increasingly rely on software to automate processes, manage supply chains, and facilitate research and development (R&D), the threat of cybercrime within the industry has risen significantly. A massive increase in exports from emerging markets, where theft often occurs, means that manufacturers should be vigilant in implementing cybersecurity measures to ensure their businesses remain efficient and innovative. How? CohnReznick recommends that manufacturing and wholesale distribution companies focus on the fundamental cybersecurity principles discussed below.

Cybersecurity and Awareness Threats in Manufacturing

Symantec, a leading security software provider, reports the manufacturing industry was one of the most targeted sectors for cyber attacks in 2013, with the odds of a manufacturing company being attacked 1 in 3.2 [1]. Targeting the supply chain has become increasingly attractive to cybercriminals. “Attacks against manufacturing companies tend to be specifically targeted and planned with the intent of stealing intellectual property – designs and customer lists, or interrupting operations and revenue,” says Tom McDermott, director, CohnReznick Advisory Group. “They are therefore more likely to be a successful breach resulting in the exfiltration of data.”

Attention-grabbing media headlines have focused to a large degree on high-profile retail and technology cybersecurity breaches. However, small- and medium-sized manufacturing businesses should not assume that their size shields them from threats, and should avoid being lulled into a false sense of cybersecurity. In the same regard, Nils Onsager, Director of Security Information Technology, CohnReznick, cautions, “The smaller the business is, the easier it is to hack. Smaller companies might not have the technological sophistication and they become a prime target.” McDermott adds, “Attackers may target a smaller manufacturer because they share in and possess some of the intellectual property of larger manufacturers.”

Talk to your bank about protections they offer

Some banks will implement a number of controls around wiring funds, transferring funds, or adding accounts, and it is in their best interests to protect a business from fraud. Controls that should be requested include dual factor authentication or a call to a specific approver when transferring or wiring funds. A number of current attacks focus on wiring funds by using hacked internal email accounts. A secondary bank control will help protect against this.

According to a study published in January 2014 by the National Association of Manufacturers, unfair competition fueled by stolen software represents a sizeable drain on manufacturing in the United States, with estimated losses between 2002 and 2012 totaling nearly $240 billion in manufacturing revenue, $70 billion in gross domestic product (GDP) and 42,220 U.S. manufacturing jobs [2]. Companies in the government supply chain and defense sector are especially targeted, as factory floor systems represent a weak link in safeguarding technical information. “Cyber criminals are honing in on the manufacturing defense industry. They are looking for bank accounts that have loose controls, and typically manufacturing companies don’t have strong controls when it comes to their systems,” says Onsager.

Moreover, the threat is likely to exist closer than imagined. McDermott explains that attacks on manufacturing companies, more than in other industries, are likely to involve internal actors, sometimes specifically recruited by external attackers. In addition, while more than half of attacks originate overseas, McDermott states, “a large percentage of attacks – nearly 20 percent [3] – originate in the U.S.”

An Example

One such attack is “Zombie Zero,” which targeted robotics manufacturers as well as shipping and logistics firms, compromising systems for over a year. According to an article in eWeek [4], this is a suspected nation-state attack (in this case, China) that compromised at least eight companies beginning in May 2013. The compromise was caused by malware preloaded in proprietary scanners used by shipping and logistics companies, which compromised networks from the inside. Once the scanners were installed, the hackers infiltrated the companies’ ERP systems, allowing for the theft of financial and shipping information. Many of these threats go unidentified for extended periods of time, and cyber attackers are becoming more savvy in how they perpetrate attacks; in this case, they embedded malware into the scanners by infecting the operating system and then shipped them to the intended targets. While the details of damages caused by these attacks remain undisclosed, security experts are concerned with how well-camouflaged the attacks have become and the unknown damage caused.

Taking Action Against Cybercrime

With such tremendous potential for loss at stake, how can manufacturers bolster their security measures and substantially reduce the cost of any given cyber attack? “Cybersecurity is like insurance,” says Onsager. “It is something you want to implement before an attack happens.”  

In addition to the traditional security risk management framework of policies, controls, monitoring, and training, manufacturing and wholesale distribution companies should pay specific attention to the following fundamental security principles to protect their organizations and mitigate risk:

  • Define controls and invest in security monitors and systems – Controls exist to mitigate the risks identified in the risk assessment and are defined as either soft (policies and procedures) or hard (system restrictions). For example, controls to address hiring an employee would likely be policy-based, whereas password restrictions would be considered a hard control. 

    Functioning in tandem with controls, monitors aid in discovering when a potential breach or violation of a control may have occurred. In essence, security controls without monitors are ineffective. Basic preventive controls such as firewalls block unauthorized traffic, yet they also monitor data as it flows into and out of the network, providing constant visibility and protection. Monitoring of systems used for authentication and rights management is essential, and it should also be available for hosted solutions, even though those are under the control of a service organization: when a user entity uses a service organization, it relies on the service organization to monitor access to the hosted solution. Industry best practice suggests designating an individual within the organization to review monitors daily and investigate suspicious activity.

  • Least Rights – Defined as employees having the minimum rights necessary to do their jobs. For example, those outside of HR should not have rights to access employee records. This principle helps protect businesses from basic fraud and limits exposure when a breach occurs.

  • Segregation of Duties – Defined as dividing and assigning responsibilities so that one person does not have access to control all steps of key processes. By separating a process to various departments or individuals, it helps protect the company from internal threats or limits what a hacker can do with one compromised employee’s account. When setting up a new employee, HR, Finance, and IT should all be involved to ensure only legitimate employees are added to payroll and given benefits or system access.

  • Enforced Password Complexity and Protection – Passwords are the keys to a company’s systems and software, and systems are the keys to the bank or payroll, confidential information, or client information. Yet many businesses do not enforce basic password controls. Passwords should be complex in nature (eight or more characters and contain at least one number, letter, and symbol). Policies prohibiting password-sharing, even within an IT department, should also exist. It is recommended that employees be prompted to change passwords at least once every 90 days. There should be no exceptions to the password policies and rules.

  • One Employee per Account – Shared accounts are inherently insecure, as more than one person knows the password. When accounts are shared, there is a lack of accountability, as an employee’s individual actions cannot be identified within logs or monitors. User accounts should allow employees to perform their jobs, and elevated rights should not be granted through the use of shared server accounts or administrator accounts. A secure practice is to give a highly privileged employee a second, unprivileged account for everyday use when privileged access rights are not necessary.

  • Multifactor authentication (MFA) – Manufacturers should implement multifactor authentication, which uses two or three independent authentication factors when validating computer users. While not a new security concept, MFA’s implementation across a myriad of new devices, including smart phones and tablets, is crucial as organizations struggle with combining data flexibility with security.

  • Review state data security laws and industry standards – Every manufacturing company should review local and state security and privacy laws annually, including not only states where the company operates, but also jurisdictions where its customers reside. Most states have specific laws guiding the protection and use of customer information and personally identifiable information. There are also a number of industry standards and requirements that companies may need to adhere to, including the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI).  A policy review should focus on compliance with respect to changing laws.
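
The password and account rules in the list above (complexity, 90-day change, one employee per account, a second unprivileged account for privileged staff) can be checked mechanically. The following is an added example, not part of the original article; the account inventory format, field names and sample records are assumptions constructed for illustration.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90  # "at least once every 90 days"
MIN_LENGTH = 8              # "eight or more characters"

def complexity_gaps(candidate):
    """Rules a candidate password fails; run at change time, since only
    hashes should be stored and stored passwords cannot be re-checked."""
    gaps = []
    if len(candidate) < MIN_LENGTH:
        gaps.append("shorter than 8 characters")
    if not any(c.isdigit() for c in candidate):
        gaps.append("no number")
    if not any(c.isalpha() for c in candidate):
        gaps.append("no letter")
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        gaps.append("no symbol")
    return gaps

def audit_accounts(accounts, today):
    """Flag records that break the rotation, one-owner or privilege rules."""
    findings = []
    priv_owners = {o for a in accounts if a["privileged"] for o in a["owners"]}
    # Only a personal (single-owner) unprivileged account counts as "everyday".
    everyday = {a["owners"][0] for a in accounts
                if not a["privileged"] and len(a["owners"]) == 1}
    for a in accounts:
        age = (today - a["password_changed"]).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["name"], f"password is {age} days old"))
        if len(a["owners"]) != 1:
            findings.append((a["name"], f"shared by {len(a['owners'])} people"))
    for owner in sorted(priv_owners - everyday):
        findings.append((owner, "privileged user has no unprivileged everyday account"))
    return findings

# Constructed sample inventory (hypothetical names and dates).
ACCOUNTS = [
    {"name": "jdoe", "owners": ["jdoe"], "privileged": False,
     "password_changed": date(2014, 8, 1)},
    {"name": "jdoe-admin", "owners": ["jdoe"], "privileged": True,
     "password_changed": date(2014, 9, 1)},
    {"name": "shopfloor", "owners": ["asmith", "bjones", "clee"], "privileged": False,
     "password_changed": date(2014, 1, 15)},
    {"name": "root-erp", "owners": ["mkhan"], "privileged": True,
     "password_changed": date(2014, 7, 20)},
]

if __name__ == "__main__":
    for subject, issue in audit_accounts(ACCOUNTS, date(2014, 9, 26)):
        print(f"{subject}: {issue}")
```

Run against a real export from the directory or identity system, the findings list gives the person who reviews monitors a concrete queue of exceptions to close.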
     

What Does CohnReznick Think?
Establishing, enforcing, and reviewing the security framework is essential for manufacturing companies to fight the war against cyber attacks. Companies must also promote vigilance and vulnerability awareness beyond their IT departments, and this message should permeate the entire organization. While even the best security framework and policies mitigate significant risk, companies must stay motivated and disciplined in protecting their most valuable data. Manufacturers may also consider cyber insurance policies, which can often complement internal processes and transfer risk from the company.

Contact

For more information, please contact Tom McDermott, Director, CohnReznick Advisory Group, at 973-364-7836, Nils Onsager, Director of Security Information Technology, CohnReznick, at 404-250-4186, or Alan Wolfson, Partner and CohnReznick’s Manufacturing and Wholesale Distribution Industry Practice Leader, at 646-254-7416.



[1] Symantec Internet Security Threat Report, 2014 - http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
[2] Economic Impact of Global Software Theft on U.S. Manufacturing Competitiveness and Innovation - http://iptheft.nam.org/
[3] 2014 Verizon Data Breach Investigations Report
[4] ‘Zombie Zero’ Cyber-Attacks Hit Logistics, Robotic Firms for Months - http://www.eweek.com/security/zombie-zero-cyber-attacks-hit-logistics-robotic-firms-for-months.html


This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
