The 2024 Threat Report: Findings and Takeaways For Manufacturers
Manufacturing, vital yet risky, faces a growing threat: criminal ransomware. Waterfall Security Solutions' 2024 Threat Report reveals a spike in ransomware attacks, causing severe disruptions in the industrial sector. Over half of the 68 recorded attacks in 2023 targeted manufacturing, resulting in costly shutdowns. With incidents nearly doubling yearly, plant operations will continue to see more downtime. However, the report also highlights key areas for improving OT cybersecurity, building resilience, and maintaining competitive operations.
Rees Machtemes, P.Eng.
In the last 5 years, criminal ransomware has become the dominant cyber threat facing manufacturers. Waterfall’s Threat Report documents that in 2023, 68 deliberate cyber attacks caused physical consequences at over 500 sites in manufacturing, heavy industry and critical infrastructures. Of those 68, over half (37, or 54%) impacted the manufacturing industry. Impacts included production shutdowns, work stoppages, and logistical delays. Based on publicly known information, all but one of the 37 manufacturing incidents were ransomware-induced. The United States, Canada, and Germany faced the largest number of incidents and represent one quarter of global manufacturing output. Waterfall’s report shows that attacks with real-world consequences have gone from a handful of annual incidents in the last decade to yearly double-digit counts. Today, incident counts are growing exponentially and nearly doubling every year.
Manufacturers See Increasing Impacts From Cybersecurity Incidents
There are no indications this trend is slowing down or becoming less costly to deal with. In the past, production downtime following a ransomware attack could be made up by restoring systems from backup and then running a few extra overtime shifts. Ultimately, no material impacts to the bottom line remained at year-end. Today, ransomware criminals are more efficient at targeting everyone with money. Last year saw one of the costliest incidents to date, with MKS Instruments suspending operations after a ransomware attack and claiming $200m in lost or delayed sales in a filing with the US Securities and Exchange Commission (SEC). Their customer, Applied Materials, later claimed the incident would cost them an additional $250m in lost sales.
In another SEC filing last August, Clorox reported that a ransomware attack so badly damaged their networks that they were forced to take systems offline. This cost them $49m and impacted production for months, and their CISO left in the ensuing fallout. Production environments can also be dangerous, and cyber-induced shutdowns can have market and societal consequences that go beyond the strictly financial. Financial regulators like the SEC, the London Stock Exchange, and others are concerned and have mandated stricter reporting rules. Meanwhile, governments are concerned about safety and supply chains and are piling additional financial and legal risks onto the post-incident burden organizations face, even after response and recovery are behind them.
Are Manufacturing OT Systems Being Attacked Directly?
To help understand modern attacks, Waterfall’s annual report also breaks new ground this year: all consequential incidents are now rated by “attack type,” that is, by how the attack impacted operational technology (OT) networks and control systems. This matters because OT networks are rarely connected directly out to the Internet or the Cloud, but lie behind a series of cyber defenses joined to IT (or business and enterprise) networks.
After investigating all incidents, the startling conclusion is that three-quarters of ransomware shutdowns were indirect, and the remainder were direct attacks on operations. Indirect shutdowns included the “out of an abundance of caution” scenario, dependencies of OT systems on IT networks and systems, and third-party dependencies. Direct attacks on operations showed no distinction between IT and OT networks, nor any evidence of security separating them. That these failures in cybersecurity were even possible should give pause for thought. If ransomware criminals can access OT systems directly, how long will it be before they impair Safety Instrumented Systems or protective relays as part of their attacks?
Since 2019, the world has changed, and ransomware attacks on the manufacturing industry seem to be with us for the foreseeable future. How ransomware shuts down manufacturing operations suggests that the long-term security strategy for this sector should include separating and strongly protecting safety and reliability-critical OT networks from IT networks, as well as eliminating all OT dependencies on IT systems and services. This approach – often called network segmentation – is standard practice in critical infrastructures like Power and Water. In these industries, the toughest security is deployed at the IT/OT interface – the so-called “consequence boundary” between networks with vastly different consequences of cyber compromise. Deploying the strongest protection at this consequence boundary enables production to safely continue despite a cyber incident. Even when ransomware impacts the IT network or third parties, there is ample flexibility to respond and recover when production lines can hum along safely and without worry.
For additional details and insights on cyber attacks, please download the Waterfall / ICSStrive 2024 Threat Report.