Cyber criminals will always opt for the path of least resistance – targeting the weakest link in a supply chain gives them an easy route in to much bigger prey. Relying on hardware, software, and services from third parties makes manufacturers particularly susceptible to supply chain compromise.
Manufacturers of all sizes are attractive targets for cyber attackers. Small manufacturers lower down the supply chain may not have the resource to fully protect their systems, giving adversaries an easy foothold to gain access to bigger fish further up the chain. Conversely, large global manufacturers may be the target at the top of the supply chain, and can be compromised by a weak link further down, allowing attackers to steal valuable data and intellectual property, disrupt operations, and damage the manufacturer’s reputation. Your supply chain is only as strong as its weakest link.
56% of organisations have experienced a breach that was caused by one of their vendors[1]
The software threat
Once manual and labour-intensive, the manufacturing sector is becoming increasingly reliant on technology and automation, and must adapt to keep pace with the risks this poses. William Evanina, of the US NCSC, notes that “software supply chain infiltration is one of the key threats that corporations need to pay attention to, particularly how software vulnerabilities are exploited”[2].
Large, global manufacturers are all too aware of the ramifications of a data breach, so system defences are much more robust than they were a decade ago. Traditional attempts to compromise a system are therefore more likely to be identified and stopped, so cyber criminals are turning to software providers in the supply chain to give them a back door. Adversaries exploit vulnerabilities in the software to gain a foothold – when the seemingly innocuous software is rolled out at the manufacturer, the malicious elements are rolled out with it. Manufacturers are unwittingly affording attackers free rein throughout their network. Evanina summarises that “the impacts to proprietary data, trade secrets, and national security are profound”.
In September, InfoSecurity Magazine reported that state-sponsored attackers had targeted the VPNs that connected suppliers (such as Rolls Royce and Expleo) to Airbus. The aviation giant had already reported unauthorised access to data from a breach back in January, but was unaware at that point that the scope of the attack was much bigger, and that their IP was at stake. “The hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems”[3].
Yet manufacturers themselves are not always the end goal. Breaching their systems simply provides a gateway to gain access to their big name customers’ trade secrets. And they’re vulnerable – the continuation of production is often prioritised over keeping systems up-to-date, so manufacturers leave themselves open to disruptive ransomware attacks by exploitable weaknesses in unpatched software.
Working from the bottom up
The manufacturing supply chain isn’t all big engines and multi-million pound contracts. Without small manufacturers providing key products and services, such as microchips, software, and – quite literally – the nuts and bolts of the operation, the supply chain would collapse. These critical links may naively believe they are too small and unimportant to be a target for cyber attacks, but the reality is quite the opposite. Small manufacturers rarely have the resource and cyber skills in-house to adequately secure and protect their systems, making them an easy target for cyber attackers looking to weave their way in. Operations, IP, and customer details are all at risk – a low effort, high reward payday for adversaries.
Moving money
Supply chains are effectively long links of transactions, handling business, products, and finances. Financially-motivated groups will target anywhere large sums of money are changing hands – for manufacturers, this means big contracts and the large transactions that support them. Cyber criminals observe the supply chain at work, to identify when and how money moves, so they can tailor their attack accordingly to maximise their chances of success. A convincing spoofed email requesting payment details, sent precisely when a deal is due to be closed, has more chance of succeeding than an opportunistic phishing attack.
What can be done?
Manufacturers must balance their reliance on the supply chain against protecting their IP, operations, and reputation. The MoD has a keen eye focused on defence supply chain security, so it’s imperative that manufacturers are able to demonstrate they are not the weak link, and that they are taking steps to safeguard their information and systems against compromise from third parties.
Five boring but really important security mistakes you need to stop making
Cyber security can be dull, but ignoring it won't make the problem go away. Turning a blind eye to your cyber defences leaves your business vulnerable to state-sponsored and ransomware attacks.
Download our free PDF guide to find out the top five critical security mistakes your manufacturing business is making, and what preventative measures can be put in place to solve them.
Find out more about how CORVID can benefit the manufacturing sector.
Footnotes
More CORVID blog posts
Patching up life support: why critical care is at critical risk
Keeping people alive is unquestionably more important than patching software, but unpatched software is vulnerable to exploitation, and won’t keep anyone alive if it leads to a breach ...
Symptoms of a COVID-19 scam
Like the virus itself, scam emails claiming to be related to coronavirus are everywhere and spreading fast, preying on the public’s panic and an insatiable hunger for the latest ...
Happy to lose £300k to cyber crime? Get a university research partner
A higher education research partner has the potential to be hugely beneficial for your business, both financially and reputationally. But universities – especially the well-funded, ...
Most popular posts
1. How to effectively manage, detect and respond to a data breach
2. Three reasons the education sector is a prime target for cyber attacks
3. Four questions you need to answer after a cyber attack
4. Top 7 steps to reduce the chance of cyber attacks
5. Happy to lose £300k to cyber crime? Get a university research partner