Podcast: Why is manufacturing such a huge target for cyberattacks?
Key Highlights
- Manufacturing is a top ransomware target due to valuable data and pressure to maintain uptime.
- IT system breaches can disrupt OT operations, causing costly downtime across supply chains.
- Continuous cyber readiness—benchmarking, exercising, improving—is key to resilience.
- Cybersecurity requires a full-business approach, not just IT, with easy incident reporting critical.
In this episode of Great Question: A Manufacturing Podcast, Jennifer Szkatulski of Immersive Labs talks with Smart Industry's Sarah Mattalian about why manufacturers are prime targets for cyberattacks, particularly ransomware, and the far-reaching impact on operations and supply chains. She breaks down how attacks occur—from phishing and credential theft to system infiltration—and how even IT breaches can disrupt production environments. The conversation also highlights emerging risks tied to AI, insider vulnerabilities, and interconnected supplier networks.
Below is an excerpt from the podcast:
Sarah Mattalian: Before working at Immersive as lead cyber resilience advisor, Jen has served as an attacker, defender, and advisor at various organizations, including the National Security Agency and IBM. During her 15-plus years in the cybersecurity industry, she has contributed to over 30 patents and publications across cybersecurity, AI, quantum computing, and emerging technologies. As an ethical certified ICS cybersecurity professional and nine-year DEF CON goon, she helps organizations amplify their cyber resilience through gamified exercising, upskilling, and strategy programming. Jen, I'll let you take it from here.
Jennifer Szkatulski: Thank you. I'm excited to be here today. Manufacturing is a very important element of my life as I'm a consumer of things that you make, store, and move. So I'm excited to share what I can about how to make sure organizations in the manufacturing industry are secure and resilient.
SM: Great, thanks again for joining today. I wanted to start off by asking about the material you covered at the workshop, which covered topics of business continuity, attacks frameworks, and OT fundamentals. Why is manufacturing such a huge target for cyber attacks, specifically ransomware, and what are some of the impacts on manufacturing companies?
JS: As you mentioned, manufacturing is one of the top targeted industries by attackers. The reason for that is they have a lot of great rich data, intellectual property, contract data, employee data, salaries. There's a lot of information there that is very attractive to attackers. And because the manufacturing industry is so reliant upon operations, uptime, delivering things in a timely manner, it's a really great opportunity for attackers to capitalize on that, specifically with ransomware, because there is such a deep desire to keep those operations running that a lot of organizations are often in the position where they are willing to pay.
So if a criminal threat group, if their primary motive is for financial gains, manufacturing is really attractive to them. It's really difficult. There are a lot of difficult challenges in the manufacturing industry versus other industries that make it harder to secure those systems as well. So really, the impact is something that is far more expansive in manufacturing than some other industries as well. The ecosystem, the supply chain ecosystem, if you think of the impact of manufacturing industry, there's so many opportunities for an attacker to attack one organization and impact multiple at the same time. So it's a really attractive target.
SM: So let's get into a little bit. In terms of cyber attacks, can you kind of describe from start to finish how they occur? What does the process look like? And can we also kind of game out an attack scenario?
JS: Yeah, so it depends a bit on the motivation of the attacker. But ultimately, it comes down to this. They want to get initial access into the system first. So if you can imagine, you're sitting at your computer working, you receive an e-mail, and it's a phishing e-mail. You might not know that right away. Phishing e-mails can be very, very deceptive and very hard to detect. Sometimes you receive an e-mail, you think it's legitimate. Maybe it's an e-mail. This is a terrible one, but maybe it's an e-mail saying here, log in for your gift card for all the great work you did last month and you enter your credentials. Stolen credentials is a really great way for attackers to get into a system, so a phishing e-mail might capture credentials or that phishing e-mail might have you click on a link that installs some sort of malware.
Once an attacker is in the system, they're going to look around. They're going to try to move around in your system, so they'll see what software you have, what hardware you have. They might actually use your own software against you. PowerShell or some other, they call it living off the land, so they're using your tools against you. If you have VPN connectivity, they'll be able to pull in additional tools, perhaps. So ultimately, they get that initial access, and then they try to move around in your system, understand it, and get more access.
Once they do that, it really just comes down to what they want to do with that. Do they want to drop ransomware? Do they want to exfiltrate data, get some information from your system, intellectual property, et cetera? And then they'll either, if their goal is to get money from you, maybe extort you, remove all their tools at the end, hide their tracks and leave. So it's a really interesting scenario where they are able to get in using credentials, phishing e-mails, et cetera, move around, get higher privileges, and then install their malware to achieve their goal.
SM: And so I also see that you've had on the doc Stryker as an example. Was that what you kind of just discussed or is there kind of more to that?
JS: Stryker is a great example here because it really shows how an attacker can get into a system, cause damage, interrupt operations. And they did that the same way. So they compromised an administrative account. So an administrative account has a lot of privileges. They can do a lot of things, right? And once they did that, they were able to look around, like I mentioned before, and see what tools were available to them to either implement their damage or to pull in more of their tools to do that.
They used this to remotely wipe a lot of devices and potentially access that sensitive data. They did this using those legitimate tools, tools that were on or software that was on those systems, and they were able to carry out that operation. So Stryker being a manufacturing organization creating medical devices, this impacted their operations. I want to point out that this was their IT side. They didn't attack the OT side. They didn't attack the operations, the devices that make the things. They attacked the system where people work day-to-day. And that was enough to disable their ability to deploy software, to see the health of those devices, and they had to... that impacted operations, that impacted their ability to make the things that they make.
So Stryker is a really great example of how an attacker was able to get that initial access, move around, use the software in the environment and wiped devices essentially to shut them out.
SM: And when did that attack occur?
JS: So that actually is funny because that occurred early last month or mid last month. I was actually in the hospital at the time that this was occurring or as it was ending. And it was funny to hear it didn't really affect where I was in the hospital, but you could hear people talking about it because devices are really important and oftentimes there's a shortage of devices and hospitals or a limited amount. And so anytime there's a disruption in being able to receive more of the equipment that they need, it impacts even at the front lines level. So that was last March and I got a front seat to how that slightly impacted from a patient side.
SM: Oh my gosh, that's intense, especially getting that perspective, kind of being there in person.
JS: Yeah, I'm just grateful it wasn't worse, like, you know, shutting down critical systems or anything. This one, while it was very disruptive for Stryker, it wasn't disruptive, at least from my perspective as a patient in a hospital at that point.
SM: That's a relief. And thanks for running through that example. I wanted to follow up and ask regarding how those attacks on the IT side can impact manufacturing operations. Is this something that companies are anticipating and preparing for? Or is this something that's more often overlooked? And why is this something that companies struggle with?
JS: That's a great question. And I would love to say, I think every organization understands that IT impact can, IT compromise can truly impact OT results. But I don't see a lot of, I don't see enough of that connection of awareness there. I'm going to give you an example of an organization just to demonstrate how the IT side can impact the OT, the manufacturing, the output side. And this is not to pick on any company. Any organization can be a victim in this, but JLR, so Jaguar Land Rover in the UK, operating out of the UK, global operations, they were hit with a cyber attack in August, and it was an IT side attack. They had to at one point decide to shut down operations due to that attack.
So even though the attacker did not attack the OT side, the operational technology side, it impacted it because in order to continue working as an organization, they had to shut that down. And that actually is a great example of the impact there because it ended up costing, I want to say it's an astronomical dollar amount, the cost of that, and $2.5 billion I think was the cost to the UK for that, not specifically just for that organization, but that also accounts for, I think... Think of the supply chain ecosystem. It impacted JLR, but it also impacted their downstream, their upstream. Because if they're shut down and they need to supply product to an upstream account, they can't. And if downstream organizations are expecting to provide product that they're not ready for, that impacts them. And there were a lot of layoffs across the whole supply chain for that as well. So IT affects not just OT impact of that organization, but of the entire ecosystem of that supply chain.
SM: I wanted to kind of ask about other types of attacks as well. So besides ransomware, what other types of cyber threats and attacks are manufacturers facing?
JS: That is also a really great question because supply chain means so many things, right? And as organizations are changing so quickly to AI, for example, that changes the whole landscape right there. So AI is incorporating a lot of new, unpredictable threats for our manufacturing companies. It's enabling attackers to scale, adapt. They're able to launch their attacks faster, and it's harder to predict. So that creates an environment that's a lot less predictable than it was, say, even five years ago, 10 years ago. And the different kinds of attacks are now leaning more heavily on insider attacks as well. And by insider attacks here in relation to AI, I'm not necessarily saying malicious or intentful attacks. Using AI without the right guardrails in place, without the right structure and cybersecurity guardrails again, a lot of insiders are inadvertently creating a new threat for a lot of organizations, not just in manufacturing.
SM: And then regarding supply chain attacks, can you kind of describe the technical details of how those occur? For example, how are attackers kind of getting access to manufacturing systems through supplier networks, for example.
JS: So again, getting access to credentials, there are a lot of credentials for sale on the dark web for manufacturing companies especially. And once an attacker has some information on how to get into a system, it doesn't matter if it's the ultimate goal target manufacturing company for that attacker. If they can get anywhere in that supply chain, if it's a downstream supplier, they can wreak havoc on an organization upstream. So vendors, suppliers, third party software providers can be a really rich environment for compromise across the whole supply chain. I want you to think of it this way as well.
A supply chain attack doesn't have to be a device or stop a disruption in a vendor. It can be software that you use in your organization that is widespread, so a library, some software that is used in your environment, a lot of other environments. If there's a vulnerability there, that is something that's in your system and you have to know where it is. Are you vulnerable? And you also have to understand that even if you're not vulnerable, your vendors might be vulnerable. And if you have connections to their systems, understanding how that might affect you can be really important. So the supplier network, that whole ecosystem essentially is so fragile at times, unless you're able to understand how you fit in that ecosystem and how to fortify it.
SM: Now that we've kind of talked about all of the threats that manufacturers are facing, let's talk about what they can do to kind of mitigate the risks of these attacks. So I wanted to ask, what are some protocols that you recommend and what might be some challenges for companies when implementing them?
JS: This is my favorite part because this is what I do for a living and I love being able to help organizations. It's one thing to say you should be very scared and worried, you know, everything is, everyone's trying to attack you, but that's not the case, especially if you are aware of how you can respond to that.
So things that people can do, organizations can do is number one, shift their mindset from static plans to a continuous readiness model. So preparing, I really love to focus on how to know where you are now, benchmark, where are you, if there's an attack today, what do you have in place to support you to respond to that? And then understanding where those challenges are and improve. What skills do you need to get from where you are now to a better place? Benchmark, know where you are, improve, and then really understand where you are after that improvement. Maybe you've done some exercising, maybe you've done some skill development on your teams.
Know where you are after that and make that continuous. So it's not static. It's not, oh, we're done now. We have all the documentation in place. We're good. It's continuous. We know where we are now. We know how to get better. Now we know where we are, now we know how to get better. So it's shifting that mindset and along that process, you'll be updating your documentation. You'll be updating your technology, your people, your processes. That really is how it comes down to it.
If I can add one thing, because I think this is really important. A lot of organizations think that responding to cyber attacks or any cyber issues are for the cyber and IT teams. They are definitely involved in that, but it is the whole business that should be involved in that benchmark, prove / improve process. It is really business-wide: HR, communications, the operators on the devices, the analysts, writing code, everyone in the organization, anyone receiving e-mail that needs to be aware of phishing e-mails, it's the whole of the business that really is responsible for that and that shift in mindset.
SM: And so when companies are trying to kind of involve the whole of business, how do you recommend they navigate preparing for responses across all of these different teams? For example, are there ways to improve communication across company teams when they're crafting these protocols?
JS: Absolutely. My favorite way to do that is through exercising, tabletop exercises, crisis simulations, but not just at the incident response level. TTX is tabletop exercises at the incident team level, but also at the executive leadership team level, the C-suite level, the board level, incorporating them, really understanding that that response is going to incorporate all of those. Exercising is a great way to understand where your challenges are and where your strengths are. That is how you can make sure you have the right protocols, the right documentation in place, what needs to be updated, and who needs to be involved. Exercising is one of the best ways to eliminate that.
SM: And going back to attacks a little bit, what preparation, including intermediary steps, helps companies avoid having to just kind of pay the attacker to release their data?
JS: Yes, so this is my favorite part of exercises that I facilitate that involve ransomware. Almost everyone I've encountered wants to say no, we will never pay the ransom. And that is fantastic. I hope no one ever has to pay a ransom. But if you want that option to say no, you have to prepare for that in advance. You have to understand that saying no is not always as easy as it should be or it can be. You need to define what that looks like in advance. You need to understand that your stance on paying or not paying is reliant upon knowing what essentially would push you to say yes.
And I'm not saying your documentation should say for this amount of money we should pay. I'm saying what answers do we need to know to as much as we can know an answer because you will never have all the right answers. You will never have all the information, knowing what questions you need answered, as much as you can in advance to make that decision. Most importantly, this, again, needs to be done in advance. The worst time to decide whether you should not pay a ransom is when that clock is ticking, when you have a ransom demand on your desk, because you're not going to be prepared for that and you're not going to be able to make the best decision for your organization. Going through the whole process of who needs to be involved in making that decision, who's responsible for that, who has input and what that decision might look like is critical in being able to prepare for that.
SM: And then on a more broad scale, how does uncertainty on a national policy level impact manufacturers in this context of trying to prevent and prepare for attacks?
JS: It's a tough time right now with uncertainty, regulations, especially, and I'm not a regulatory expert. There are people that are dedicated to understanding regulatory compliance obligations, and they do change a lot. Uncertainty itself, I think, is the focus here because no matter the policy, no matter the regulation guidance that you have, no matter the geopolitical tensions surrounding that, understanding that uncertainty is part of any organization's survival is important because it does make it harder to plan ahead. It does make it harder to allocate resources and make timely decisions. But if you are continually examining your strengths and challenges, that whole process provides you an opportunity to exercise your decision making, if that makes sense. So it's not necessarily having the right information in place, it's having the right capability to make decisions quickly. So you're making decisions, making less wrong decisions, and getting to right decisions a lot faster because uncertainty, especially now, is going to be there and you want to be able to have the muscle to be able to make decisions, the right decisions quickly.
SM: And to kind of conclude our conversation, if there are a few things that you think manufacturing companies should take away from our discussion specifically about how attacks occur and how they should respond, what would they be?
JS: So how attacks occur is going to be somewhat varying depending on your organization, but you can guarantee that it comes down to the whole business coming together again to respond to that, not just cyber and IT. So number one is understanding that the business as a whole needs to be involved in how to respond to a crisis from the operator analyst level through the help desk through HR, communications, finance, ELT and board. That is number one.
Number two is enabling that understanding through that benchmark starting, exercising, proving improved process, that continuous process. And I really, I go on a rant on this. I think one of the most important and most impactful ways to enable your organization to be resilient in a crisis is to have a very easy, relatively fault-free way for everyone in the organization to report something, an incident. If they're fearful, they will not report it. You won't know. You can't respond. If it's too hard to find, they won't report it. You won't be able to respond to it because you won't know about it. If you have an easy way for people to say, hey, this is suspicious. I clicked on a link. I'm sorry, even if your tooling didn't pick it up or I got this weird phone call. Sounded like it was the CEO. Maybe it was a deep fake. If they're afraid to report something, they won't. And again, you won't know until the attacker's in your system already causing damage. So I think those are probably the takeaways I would say would amplify any manufacturing organization's resilience.
SM: Thanks, Jen. That was great advice, especially as the manufacturing industry is hit the hardest by ransomware attacks. And with that, I can't thank you enough again for joining us on this episode of Great Question and for lending your expertise to a discussion. From Smart Industry, I'll say goodbye to our listeners and have a great rest of your day.
About the Author
Sarah Mattalian
Sarah Mattalian is a staff writer for EndeavorB2B's Manufacturing Group.


