Under attack; why manufacturers must act against the cyber threat

David Atkinson UK Head of Manufacturing SME & Mid Corporates, Lloyds, sits down with colleague Giles Taylor, Head of Resilience and Cyber Security, to discuss why so many manufacturers are being targeted in cyberattacks.

?

David Atkinson: “The UK manufacturing sector has become a key focus for cybercrime. Why are manufacturers such an attractive target in 2024?”

Giles Taylor: “It’s true that attacks on manufacturers have increased over time and manufacturing has replaced financial services as the most targeted sector. Partly this is because financial services firms have invested very heavily in cybersecurity and are now very well protected.? But it’s also because manufacturers are increasingly digitising their operations.? This creates valuable efficiencies, but also means they have more IT and connected operational technology that can be attacked.

?

“All kinds of plant and machinery now have sensors to help optimise production, which are essentially small computers. These are all potential points of entry for hackers. At the same time, many manufacturers have legacy equipment, with software that is no longer getting the latest security updates, which also creates vulnerabilities.”

David Atkinson: “So, who are committing these cyberattacks and why?”

Giles Taylor: “At the highest level, there are nation states that are engaged in cyber espionage. They want the intellectual property, which might be a product design or a manufacturing process, because it can save them millions in R&D costs.

“Then there are the organised criminal gangs, which may be acting on behalf of the nation states, or for their own benefit. They are in it for the money, and ransomware is the primary tool in their armoury.

“Their strategy used to be to simply hold firms’ systems and data to ransom until they get their payoff.? But they have now realised that they can demand a second ransom by threatening to release the data that they have stolen in the first attack, and even a third ransom by threatening to make the success of their attack public.? This can cause huge reputational damage to a business and is a tactic known as triple extortion.”

David Atkinson: “And what options do firms have in situations like these?”

Giles Taylor: “If you have cyber insurance, you should first contact your insurer, who will support your recovery. If not, then you will need to consider engaging appropriate legal, PR and specialist cyber incident response teams to help recover your business.

“As part of this, you may consider reporting the attack to Action Fraud, the national reporting centre for cybercrime, and your bank, to see how they can support the additional demands on finance.”

David Atkinson: “And what are the implications if your data and systems are exploited?”

Giles Taylor: “It depends on the types of data exposed and the systems that are impacted. If either your IT/office systems or manufacturing systems are attacked, then you may not be able to continue business and you can be exposed to an increased likelihood of fraud or other criminal acts.? You could also be fined by the Information Commissioners Office if people’s personal data has been put at risk.

“That’s beyond the challenges of getting your operations back up and running, and the financial cost that entails. Any downtime can mean you may have breached your contractual obligations to your clients, who you may have to compensate. There can be regulatory fines too.

“Insurance can help mitigate some of this risk, but any payout will only get you back to where you were before the attack. You’ll then need to invest to improve your defences, or you will remain vulnerable to further attacks.”

David Atkinson: “How does the Cyber Resilience Act play into this?”

Giles Taylor: “This legislation relates to the products that you manufacture, distribute or import and puts an obligation on you to make sure that whatever you're supplying to your customers is secure by meeting a set of standards.

“If you are making electronic devices, for example, it means you have a responsibility to make sure that they are appropriately protected so that they should not cause a problem for your customer.

“That applies to every aspect of a product, including hardware and software, so could include providing security updates and support for years to come.”

David Atkinson: “So, as a manufacturer, what should your strategy be in the face of this cyber threat?”

Giles Taylor: “It’s all about risk management; the idea that you can turn your organisation into an impenetrable fortress is not realistic.? Especially in the age of Artificial Intelligence, which can be trained to seek out vulnerabilities in companies’ systems far more quickly and cheaply than ever before.

“But, while manufacturers can never guard against attacks 100%, they can take steps to make sure they can recover as quickly as possible. That starts with identifying your biggest vulnerabilities.

“If your strength is your intellectual property, such as product designs, for example, then you can make sure that is encrypted and has strong access controls. But if your priority is to maintain access to systems to make sure production can continue uninterrupted, then having offline backups so you can restore systems quickly will be more important.

“Understanding your up and downstream supply chains and potentially subcontractors/fourth parties, is increasingly important to be able to manage your risks. Particularly if you are operating in sensitive sectors like defence.

“As a management team, you need to have a robust response plan that sits at the heart of your resilience and business continuity planning.? It should include the financial aspects, including working capital and cash flow, as well?as operational, reputational and legal, and consider if cyber insurance would be beneficial.

“Lloyds has created a free Cyber Risk Guidance document that lays out the safeguarding steps in a very practical way.

“For me, the key message to manufacturers is that this is a real and present threat and you need to understand what the key risks are for your business, because every business is different.”

To download Lloyds’ Cyber Risk Guidance visit lloydsbank.com/cyber

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under Registration Number 119278.