In focus: MDR and manufacturing

Ransomware presents an existential threat to manufacturing companies by bringing their production to a halt. To restore their business operations and avoid significant loss of revenue, victims in this industry frequently feel they have few other options available except to pay their captors. 

That’s why more manufacturers are making the jump to managed detection and response (MDR), a set of services engineered to thwart even the most sophisticated ransomware attacks. 

In a MDR partnership, a cybersecurity vendor serves as an extension of the customer’s security operations center (SOC), dedicating professional threat hunters and advanced technologies toward investigating threats and vulnerabilities lurking in a customer’s attack surface. 

  • Threat hunters are elite security practitioners who combine intuition and a deep understanding of the latest adversary tactics, techniques and procedures (TTP) to proactively eliminate threats before damage is done to the customer. 
  • MDR threat hunters and incident responders perform threat monitoring around the clock, taking shifts on a rotational basis to make sure that nothing escapes their notice. They can do this because they are extremely well-staffed and have well-established processes and tools for sharing threat intelligence at the beginning and end of every shift, which means that operators are always working off of the most up-to-date information.
  • Because the MDR vendor serves a global customer base numbering in the thousands, they also have visibility over a far larger trove of data than the average organization. This means that if they detect a threat in one corner of the globe, they can immediately notify the affected customer as well as all other customers who could be impacted down the value chain.

These benefits could substantially help security teams in manufacturing companies who feel under-resourced and overwhelmed by the ransomware scourge.

Ransomware attacks on the manufacturing and production sector

According to a 2022 survey fielded by cybersecurity vendor Sophos:

  • Ransomware attacks on manufacturers have increased – 55% of organizations were hit in 2021, up from 36% in 2020
  • Sixty-one percent of respondents employed by manufacturing organizations reported an increase in overall volume of cyberattacks (vs. 57% cross-sector average), and 66% reported an increase in attack complexity (vs. 59% cross-sector average).
  • Manufacturing and production organizations reported the lowest level of backup use across all sectors, with just 58% of respondents using this approach to restore encrypted data compared to the cross-sector average of 73%.
  • One in three manufacturing and production respondents (33%) said their company paid the ransom. Those that paid recovered just 59% of their encrypted data on average. 
  • Overall, manufacturing and production respondents made the highest average ransom payment across all sectors (at $2,036,189). 

John Shier, Senior Security Advisor at Sophos, says: “This is not an indictment or criticism of the companies themselves, but this means that 33% of those companies are directly funding criminals. Sometimes, you just have to because it's incumbent on the survival of your business, so we fully understand that.”

Manufacturing and production organizations reported higher frequency and complexity of cyberattacks within the last year compared to the industry average. Credit: Sophos

In the last year alone, multiple victims saw their production completely halted by ransomware, resulting in revenue losses by the millions. 

  • Technology supplier and IIoT solutions provider Lacroix Group had its electronic system production sites in Germany, France, and Tunisia shut down following a ransomware attack on May 12. The three production sites, which are responsible for generating 19% of its total 2022 sales revenue, went offline for a week while the company worked to contain and recover affected systems.
  • ABB, a Swedish-Swiss multinational automation technology firm, had its operations disrupted by a Black Basta ransomware attack on May 7, prompting the company to sever VPN connections with its clients in an effort to avert further ransomware infections.
  • MKS Instruments, a provider of instruments, systems, and process control solutions for microchips, suffered a ransomware attack in February that impacted its ability to process orders and ship products to customers — resulting in overall losses of at least $200 million. 
  • Although not directly targeted, chip manufacturer Applied Materials suffered collateral damage from a 2023 attack on one of its major suppliers, resulting in $250 million in losses for its second quarter. 

Vulnerabilities in the Manufacturing Sector

As these attacks indicate, there’s a few factors that make the manufacturing sector particularly vulnerable to ransomware. 

First, a manufacturer’s revenue is directly tied to its production volume. If that volume of output gets disrupted (i.e. ransomware encryption of industrial control systems), the manufacturer is virtually guaranteed to see major losses in revenue. Ransomware groups can exploit this fact, putting immense pressure on manufacturers to pay the ransom so they can restore operations.

The Manufacturing Leadership Council states that “savvy ransomware groups recognize the value of uptime in the manufacturing industry and they’re ruthlessly profiting on the fact that manufacturers are often the least mature in their OT defenses compared to other industrial verticals.”

John Shier, Senior Security Advisor at Sophos, knows it’s not an easy decision for victims of an attack. “This is not an indictment or criticism of the companies themselves, but this means that 33% of those companies [we surveyed] are directly funding criminals. Sometimes, you just have to because it's incumbent on the survival of your business, so we fully understand that.”

Secondly, another factor at play is the convergence of IT and OT, and an industry-wide uptick in digital manufacturing practices. To survive in this competitive sector, more and more manufacturers are using data analytics, automation and networking to improve efficiency and cut costs. But while these same innovations have enabled the rise of industrial Internet of Things (IIoT), additive manufacturing and digital twins, they’ve also expanded the attack surface by creating more vulnerabilities for adversaries to target.  For example, in the Colonial Pipeline breach of 2021, the OT system was taken offline out of caution even though the ransomware had actually only affected IT systems. 

Finally, the supply chain. Manufacturing companies depend on a vast network of partners to make their business model possible. Some partners provide them the raw materials to make their products, others might lend them the technology to modify their engineering blueprints, and still others handle logistics and transport of finished products so they can reach consumers. Imagine a giant Jenga tower — pull out enough blocks, and the whole operation comes crashing down. Because of this arrangement, manufacturers are particularly vulnerable to disruptions in the supply chain — and therefore third party cybersecurity risk management is critical. 

“If a large manufacturer like that goes down for any length of time, then it has these ripple effects through the supply chain,” says Shier.

To address these vulnerabilities, many have begun subscribing to the MDR model. Here’s why. 

MDR for manufacturing and production

Here’s why manufacturing and production companies are using MDR to combat ransomware.

1: Access to diverse security expertise

The cybersecurity skills shortage continues to leave budget-strapped organizations vulnerable to data breaches. Even companies that do have in-house experts can find themselves overwhelmed by a constant barrage of alerts, contributing to security fatigue and burnout over time. But with MDR, organizations can add expertise without adding to the headcount, tapping into a community of skilled cyber veterans who know how to parse through false positives and separate real threats from the noise.  

2: Active threat intelligence

MDR vendors relay threat intelligence on an ongoing basis to the customer, providing weekly and monthly reports of network activity and periodically sharing insights into security investigations or alerts meriting customer attention. The MDR vendor can provide their manufacturing customers access to a dashboard where they can view real-time alerts, scheduled reporting, and other intelligence that threat hunters have collected in their investigations. The vendor can also conduct routine account health scans to inform customers of basic settings and configurations of endpoints in the network.

3: XDR and telemetry capabilities

MDR vendors combine extended detection and response tools, or XDR, with robust telemetries to gain continuous visibility and automated analysis of an organization’s entire information environment – including endpoints, cloud assets, network data, user identities and so on. Context is crucial to identifying suspicious behavior, and MDR vendors harness the full range of contextual data by leveraging third-party telemetry to investigate threats that escaped detection of basic tool sets. An added advantage is that if MDR detects a vulnerability in one customer’s environment, they can then fix that vulnerability within every other customer’s environment where it is present.

4: MDR providers have the expertise to integrate and understand third-party tools

Ransomware attacks and tools are evolving, and manufacturing companies have responded by acquiring a larger portfolio of third-party security tools. However, sometimes these tools resist being easily integrated with one another, which can reduce efficiency of how organizations respond to ransomware. MDR providers can assist organizations with integrating third party tools, even if those tools don’t belong to the MDR vendor. 

5: 24/7 monitoring and speed to response

MDR vendors tend to carry a much larger geographic footprint, employing multiple SOC teams around the world and at all hours of the day. Many attacks happen at night or over the weekend when criminals suspect the majority of the workforce is at home. Even if suspicious activity is flagged and an alert is generated, it could easily be lost in a multitude of other lookalike noise. But MDR personnel in charge of monitoring a customer’s network around the clock will have the resources to immediately thwart an attack before data or services are compromised.

Daniel Thomas

Daniel Thomas is a technology writer, researcher, and content producer for CyberRisk Alliance. He has over a decade of experience writing on the most critical topics of interest for the cybersecurity community, including cloud computing, artificial intelligence and machine learning, data analytics, threat hunting, automation, IAM, and digital security policies. He previously served as a senior editor for Defense News, and as the director of research for GovExec News in Washington, D.C.. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.