Securing the Manufacturing Sector

It is easy to make the case that manufacturing is the backbone of innovation in the United States. Because of its criticality, it is designated as one of the sixteen U.S. Critical Infrastructure (CI) sectors. In fact, if we consider manufacturing a bit more deeply, it can be argued that it is a key element of our national security – because almost all of the other fifteen CI sectors directly rely on production from the manufacturing sector.

Consider that every router and switch in the communications sector relies on securely produced devices from the manufacturing sector. Every Supervisory Control and Data Acquisition (SCADA) system that controls the flow of water in a dam, the amount of power delivered to a grid, and commands and controls elements within our public transportation systems are key elements of our national security. When we consider the big picture, it is evident that the veracity of the manufacturing sector goes to the very heart of the security of nearly all of our CI.

Given the evidence of the interdependency between the security of the manufacturing sector and our national security – and considering that (like every other CI sector), many elements of manufacturing are conducted in cyberspace – the cybersecurity of the manufacturing sector is an extremely high priority for the United States government. The designation of manufacturing as a CI sector brings with it an increased emphasis on the cybersecurity of the systems within it, so why then are an estimated 80 percent of manufacturing companies at high risk for exploitation due to known critical vulnerabilities?

That is not a misprint. One of the most respected providers of third-party cyber risk intelligence, Black Kite, recently reported that figure in a 2024 report, The Biggest Third-Party Risks in Manufacturing. Given that fact, it should surprise no one that the manufacturing industry suffered more ransomware attacks (over 1,000) over the last year than any other industry. In conducting their study, Black Kite examined over 5,000 companies across every sub-category within the manufacturing industry – so it is not a small (or cherry-picked) sample size. Among the most compelling (or some might say damning) statistics:

• Sixty-nine percent of companies analyzed had exposed valid credentials in the last 90 days.

• A significant portion of manufacturing companies also had known open vulnerabilities that are published (along with their fixes) in the CISA known exploited vulnerabilities list.

  
  

So, many of these incursions are actually self-inflicted. More than 2/3 of the companies studied openly ‘spilled’ network access credentials into non-protected areas of cyberspace – free for any for anyone from a two-bit hacker to a sophisticated nation state to acquire and leverage to gain seemingly authorized access to manufacturing systems. Worse, CISA – with help from FBI, NSA, and industry partners – painstakingly publishes a list of known vulnerabilities and how to plug them, but the Black Kite study found that many organizations did not take the time use this tool to ensure that their systems were as secure as possible.

How can this be? There are plenty of totally understandable, but still non-compelling reasons! Many manufacturing systems were developed when cyberspace either did not exist or was in its infancy, so they were never intended for remote command and control via the Internet. Also, companies are understandably ‘bottom-line driven’ and are sometimes accountable to stakeholders. When choosing between security and production, the dollar often carries the most weight. And a third stark reality is that many of these companies do not believe that they are a target for a nation state or cyber-criminal. Risk accepted is one thing, but risks that are not acknowledged or understood are more problematic.

There is no magic bullet, but if companies become more proactive, we harden the target. Every manufacturer – from the smallest to the behemoths – must invest time in studying, understanding, and mitigating the most prevalent threats. If, as a collective, the industry shares intel and invests more time in securing systems, everyone wins, and our national security is bolstered!