
Hackers Turn Attention to Manufacturing Sector

A wave of hackers is anticipated in an industry dependent on sensitive data, intellectual property and trade secrets.

Maintaining a high level of cyber security is vital for the manufacturing industry. Generally defined as companies in the automotive, electronics, textile, and pharmaceutical space, these companies struggle to protect their sensitive data: intellectual property, trade secrets and details about their customers. The threat to their business mainly exists as “bad actors”: hackers focused on manipulating, stealing, or deleting sensitive information, who are causing manufacturers to spend considerable resources on cyber security. Manufacturers are spending more money each year trying to pinpoint where hackers can potentially infiltrate their systems. In order to stave off the anticipated wave of hackers as well as prevent or mitigate any damage, manufacturing companies must adopt a relevant framework, protect their data, educate employees and implement official cyber policies.

According to an IBM X-Force Research study, over the next few years the manufacturing sector is expected to be one of the most targeted industries for hackers, largely due to the wealth of manufacturing companies’ intellectual property. Installing antivirus software and firewalls is not enough. With threats becoming more and more sophisticated, manufacturers need to develop the capabilities to manage such threats before they affect their business. The IBM study found that manufacturers are more vulnerable to older attacks, such as SQL injection and Shellshock. SQL injection remains the most prominent form of attack being waged against manufacturers. In addition to these attacks, manufacturers also face the threat of malware. The top malware distribution method in manufacturing environments remains web-based downloads, accounting for 58 percent of malware. Targeted theft of intellectual property is real and has financial implications. Other cyber-attacks that either purposefully or accidentally corrupt critical systems could have more immediate damaging effects. For example, a cyber event that corrupts the configuration file for a robot controller's software, forcing the robotic arm to draw a line that is 2 mm off while welding the valve of a natural gas grill, could result in a product recall or a lawsuit from an accidental death.

So what are manufacturers expected to do? The first step is to develop a cyber program that looks at the problem from an enterprise risk management perspective. Developing a practical cyber program should come even before installing firewalls and antivirus software. This initial step will do more to protect information than the most expensive firewall. The cyber program sets out a plan to ensure that your company as well as your computer systems are adequately protected. Companies should adopt an operating framework that identifies their most critical risks and implements a program to reduce them. There are multiple frameworks to choose from, including the National Institute of Standards and Technology Cybersecurity Framework and International Organization for Standardization 27000. Developing a risk-based cyber program provides you with a roadmap so that you can understand your risks and adopt the components of the framework that best suit your company’s security needs.

The next step is to protect your information. One of the greatest cyber threats is malicious code: computer programs designed to harm your systems. There are many products on the market that protect your information, from encrypting your data to preventing malware from entering your environment. Selecting the right one is just as important as selecting the right email system; it has to be effective without disrupting your business. Critical to protecting your information is protecting your company from the Internet. The most common method is installing a hardware firewall between your internal network and the Internet. One of the most common mistakes is failing to update software products with patches provided by the major software vendors. Software vendors identify security vulnerabilities in their products on a periodic basis and send out updates that correct security problems. Not patching your software exposes you to bad actors that review the patches and accompanying information and specifically target companies that do not patch. Additionally, one of the most practical information protection methods is to have a disaster recovery plan. Computers die, hard disks fail, employees make mistakes, and malicious programs can destroy data on computers. Having a disaster recovery plan and a backup of information will allow you to recover from a loss of data.

Finally, equally critical to a cyber program is educating employees. Individuals with access to your computers and networks can do great harm. Individual employees, even those without any hacking credentials or intentions, can install malicious software or engage in other actions harmful to your company. Employees, more often than not, inadvertently create risks for your company. Making employees aware that their actions either increase or decrease your cyber risk is one of the most effective investments you can make to better secure your company.

Technology alone will not assist your organization. Holding employees accountable for how they interact with technology can enforce a consistent cyber workforce. Cyber policies augment the technical tools and techniques and document how employees need to interact with data and the possible penalties for violating those policies.

As we continue to integrate technology into all facets of the workplace, we also increase our risk. There is no perfect tool, policy or procedure that can protect your organization from every cyber event. However, establishing a program with a solid framework will lead you down the path of protecting your data. Without a program, you are at the mercy of the bad actors. Today and in the future, practical cyber means practical protection for your systems and employees.


UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.