Manufacturing operations in the U.S. are under attack — not by saboteurs physically breaking into a plant and smashing equipment, but by cyberattacks that take control of operations to remotely damage equipment or hold the company’s digital systems hostage.
The threat is rising. The U.S. manufacturing industry experienced at least 437 ransomware attacks in 2022, more than double the attacks from the year before, according to cybersecurity firm Dragos.
If a manufacturer is hacked, there are steps executives can take to deal with the cyberattack, including both government services and third party vendors. These entities can help companies break free from a hacker’s hold and ensure the exploited vulnerabilities are shored up against future threats.
U.S. manufacturing as a target
Manufacturing is subject to the same kind of ransomware that seeks to infect any company, wherever and whatever it can, said Howard Grimes, CEO of the Cybersecurity and Manufacturing Innovation Institute at the University of Texas at San Antonio. Perpetrators are less interested in who they hit than in what money can be made from a successful ransomware attack.
But when it comes to direct attacks from malicious foreign actors, U.S. manufacturing is often a prime target, Grimes noted.
“U.S. manufacturing is the number one target for sponsored and other types of cyberattacks,” he said.
These types of attacks are seen as a way to destabilize not just one company’s operations, but to slow down or even shutter the entire economy, he added. Hackers view attacking a manufacturing site as an opportunity to destabilize the U.S. and threaten the country’s position on the global stage.
“Manufacturing is a major driver of our gross domestic product and is a major factor in our global competitiveness,” Grimes said.
In the event of a successful cyberattack
How to respond to an attack depends on the size of a manufacturer’s operations and the scale of the assault. For companies that don’t have in-house cybersecurity team or an ongoing contract with a cybersecurity vendor, they may need to secure one immediately to stop an attack, recover data and get operations back online, Grimes said.
If a manufacturer lacks that existing infrastructure, “my next step of advice is to call the FBI,” he added.
The bureau can help put a company in contact with resources immediately, especially if an attack is holding operations ransom or has otherwise shut down the manufacturer’s systems. The FBI can also conduct an investigation into the attack.
The last thing a company should do is not tell anyone what happened. Reporting the incident helps “the entire intelligence community understand what these threats are and where they’re coming from,” Grimes said. Sharing the experience also helps identify what types of vulnerabilities were exploited in the attack.
Most small- and medium-sized manufacturing companies don’t have a cybersecurity team on deck to help respond to an attack. This is where a third party cybersecurity professional can come in and remediate the problem and help prevent against future attacks, Grimes said.
Ethan Schmertzler, CEO and co-founder of network security firm Dispel, also suggests companies familiarize themselves with documentation from the National Institute of Standards and Technology, which has a cybersecurity measurement guide designed to identify, protect, detect, respond and recover from an attack.
“It’s stuff your tax dollars already pay for,” Schmertzler said.
Legal ramifications of a cyberattack
While cyber threats against manufacturers are high, the legal risks they carry are typically not as dire as attacks to companies in the financial and healthcare sectors.
“You don’t see as much personal data and information,” said Aaron Tantleff, a partner in Foley & Lardner’s privacy, security and information management practice.
However, if companies handle any kind of personal data, they still need to know their relevant state laws in regards to data notification breaches. Companies that operate in the European Union will also need to make sure they’re acting in accordance with its General Data Protection Regulations.
Manufacturing tends to be more interconnected than other sectors, meaning that an attack at one manufacturing company could spread up and down the supply chain to customers and contractors if they lack appropriate cybersecurity barriers, Tantleff said.
As a result, there is no legal precedent for which party is liable for the fallout of a cyberattack.
“It’s not exactly clear that just because a threat actor came from environment A into environment B that operator A is going to be responsible for operator B because operator B has its own cybersecurity obligations,” Tantleff added.
Schmertzler also noted that manufacturers can’t rely on insurance companies to bail them out if they’re sued by clients or vendors, or to cover costs related to an attack. Insurance companies are being “very aggressive” about denying claims if they feel companies did not have industry best practices in place before an attack.
“Companies are taking this much more seriously, not because of government regulation but because of insurance saying it's not acceptable anymore to try to pass this risk off to us,” Schmertzler said.