Black Kite published the 2024 report: The Biggest Third-Party Risks in
Manufacturing, which revealed that a staggering 80% of manufacturing companies
have critical vulnerabilities putting them at high risk for exploitation. In
creating the report, the Black Kite Research Team (BRITE) examined nearly 5,000
companies across 10 sub-categories in the manufacturing industry, exploring the
third-party risk landscape and the impacts of cyberattacks within the
sector.
Rapid digital transformation in recent years has made
manufacturing organizations prime targets for cyberattacks. Threat actors know
that defense strategies have not kept pace with the rapidly expanding attack
surface, and that these companies play critical roles within global supply chains.
Attacks within manufacturing can result in cascading operational disruption and
financial and reputational damage. When considering the potential for impact
and the sector's vulnerable state, it is no surprise that, according to Black
Kite data, manufacturing was the top industry victimized by ransomware attacks
over the analyzed one-year time period (April 2023-March 2024), with more than
1,000 victims confirmed. Industrial machinery manufacturing tops the list of
ransomware victims in the space, followed by motor vehicle parts manufacturing,
and pharmaceutical and medicine manufacturing.
"Due to its critical nature, the manufacturing industry is a prime
target for bad actors to exploit. Although these organizations have invested
substantially in protecting physical and operational technology, their
expanding digital footprints are a point of weakness that must be addressed,"
said Ferhat Dikbiyik, chief research and intelligence officer at Black Kite.
"Organizations in this sector need to immediately take note of their high risk
and fortify their cyber defenses to mitigate the chances of becoming the next
ransomware statistic."
A significant portion of the report highlights the top risks that
are most often present when companies are compromised. Some of these findings
include:
- 69% of companies analyzed have exposed credentials in the last 90 days.
- A significant portion of manufacturing companies have also had vulnerabilities
from the CISA Known Exploited Vulnerabilities (KEV) catalog (67%) and broken
crypto algorithms (62%).
- Most manufacturers analyzed applied good application security practices;
however, 30% of companies have critical vulnerabilities in web applications that
threat actors can exploit.
- Poor patch management is pervasive across the industry; 94% of companies in
the furniture and related product manufacturing sub-industry scored a D or F in
patch management, which means most of their assets are running vulnerable or
out-of-date products.
"It is important to note that in manufacturing, many systems are
integral to the production process and cannot be easily updated without
potentially impacting operations. However, this does not justify exposing these
systems to the internet, where they can become easy targets for cyberattacks,"
Dikbiyik said. "Unfortunately, the machines we observed were indeed exposed,
heightening the security risks for these organizations."
The report also ranks manufacturing companies' probability of a
ransomware attack occurring using Black Kite's Ransomware Susceptibility Index (RSI). Black
Kite collects data from open-source intelligence (OSINT) sources - internet
scanners, hacker forums, sources on the deep/dark web and more - and then
uses machine learning to correlate that data with a company's existing security
controls to approximate its potential risk of a ransomware attack. With its RSI
score, a company can learn the likelihood of an attack in minutes, on a
scale that ranges from 0.0 (lowest probability) to 1.0 (highest
probability).
According to the report, every sub-industry in manufacturing
examined averaged a 0.4 or greater RSI score, placing them in the critical
category, meaning they are 3.4 times more likely to experience a ransomware
attack. The risk is significantly higher in many subcategories. For instance,
more than 60% of companies in both chemical manufacturing and transportation
and equipment manufacturing fell into the critical category.