What if someone had stolen the designs for the first iPhone? Would you still fork out hundreds of pounds for the latest model, or would you buy the exact same handset for a mere fraction of the cost from another manufacturer? Moreover, would Apple still be in business?
Manufacturers are privy to highly confidential information, data, and contracts. Coupled with their valuable intellectual property (IP), it’s not difficult to see why they’re an attractive target for cyber criminals and state-sponsored attacks. Whether the attack is levelled against the manufacturer directly to steal its IP, or the aim is to compromise the manufacturer to climb the supply chain to bigger targets’ confidential data, manufacturers need to ensure their systems can defend against sophisticated attacks from some of the world’s most powerful adversaries.
State-sponsored attackers are after your IP
IP is a manufacturer’s bread and butter, which gives them a competitive advantage in their market. Its unique nature makes the manufacturer’s name known, and allows their product to be successful without cheap copies devaluing the brand. But this significance makes IP an irresistible target for cyber criminals.
Valuable, innovative IP is sought after by a very specific, well-funded and highly skilled small group of people (typically nation-state actors) who will pay handsomely to get their hands on it. State-sponsored attacks to gain this competitive advantage are commonplace – just look at the recent Comac C919 revelation. China’s goal was to steal enough IP to be able to build all the parts for its new plane within its borders, enabling the country to compete on a global scale with the likes of Boeing and Airbus.
In September, InfoSecurity Magazine reported that state-sponsored adversaries had targeted the VPNs that connected suppliers to Airbus. “The hackers were after technical documentation regarding the certification process for parts of Airbus aircraft, while other stolen docs indicated interest in the A400M military transport plane, and the A350 propulsion and avionics systems”. Airbus had already identified a data breach back in January which resulted in unauthorised access to data, but at the time, the aviation giant was unaware that the scope of the attack was much bigger, and that its IP was the target. Once again, take a look at the Comac C919.
Focussing on the supply chain
Top secret government and critical national infrastructure (CNI) contracts are particularly attractive targets for cyber attackers. Not only do they involve huge amounts of money changing hands, but the repercussions of data being stolen from these contracts can be a matter of national security. These high-stakes, high-reward targets are understandably heavily protected by state-of-the-art security systems, so a direct attack isn’t likely to yield much success. That’s where manufacturers come in, albeit unintentionally.
Whether the manufacturer is providing apps, technical systems, tiny microchips, or enormous jet engines, they are an exploitable weakness in the supply chain that links to that big contract. They are the comparatively low-effort route in for attackers to gain access to the bigger players’ secrets. To curtail the disastrous ramifications of such a data breach, the MoD is taking steps to ensure robust cyber measures are in place to secure the defence supply chain, with a particular focus on small manufacturers that may not have the cyber skills and resource in-house to adequately protect their systems from compromise.
What can be done?
You need to prove your manufacturing company is not the weak link in the supply chain, by having robust and comprehensive cyber security measures in place, and being able to demonstrate they are effective.
The potential cost of a data breach – including system downtime, significant loss of business, and hefty GDPR fines – is substantially more than the cost of implementing preventative measures. Ensure your manufacturing company’s cyber security strategy includes proactive threat hunting that detects suspicious activity before it causes damage.
If a data breach does occur, you need to be able to prove compliance with strict data protection regulations, by confidently and accurately reporting exactly what information was accessed, who accessed it, and whether the data was exfiltrated from your systems.