Australian manufacturers held to ransom
Recent advances in technology have revolutionised the manufacturing sector, driving efficiency, increasing productivity and fostering innovation. But these leaps forward come with new challenges, particularly the escalating threat of cyber attacks.
The industry’s dependence on operational technology and industrial control systems has inadvertently opened new avenues for cybercriminals – and they’re taking advantage at an alarming rate. These systems are typically ageing and until recently operated offline, protecting manufacturers from malicious actors. But as they become connected to internal networks and systems, these core systems are becoming vulnerable to attack.
The need to address these concerns is both immediate and critical, as the repercussions of cyber threats extend beyond operational disruption to potentially significant reputational and financial damage. Now more than ever, understanding and navigating this cyber threat landscape is essential for the resilience and future success of Australia’s manufacturing sector.
A playbook to optimise your operations and grow your manufacturing business
Find out more about Industry 4.0: the Australian manufacturing advantage.
Practical steps to help manufacturers build a competitive edge locally, and on the global stage.
Understanding the cyber threat landscape
Ransomware has emerged as a particularly pressing concern for manufacturers.
In a nutshell, ransomware is a form of malicious software that infiltrates an organisation’s network, encrypts its data and holds it hostage until a ransom is paid. Originally, this caused availability problems for the targets, but more recently it has evolved into a confidentiality issue too.
Picture this: cyber criminals exploit a software vulnerability in one of your warehouse’s smart thermostats. The device becomes an entry point for the ransomware. Silently, the ransomware spreads across the network, encrypting critical data and immobilising your manufacturing systems. Soon you find yourself faced with a double threat – not only is a ransom demanded for the decryption of your data, but the criminals also threaten to publicly release sensitive proprietary information extracted during the attack.
There is considerable risk that a business may not survive such an attack because of the catastrophic impact on their data, systems and supply chains. Data could be lost forever, with downtime profoundly affecting production, sales and customer relationships.
As cyber criminals target industrial infrastructure, the threat of ransomware grows – KPMG expects to see a 15 percent year-on-year increase over the next five years. In 2021, the Australian Cyber Security Centre (ACSC) observed continued ransomware attacks on critical infrastructure entities, reflecting a similar global trend.
Exposing legacy system vulnerabilities
Traditional approaches to cyber defence, such as patching, have become increasing difficult due to the age of machinery or the operational downtime required. Additionally, technologies like IoT devices, automation and AI systems enhance efficiency and competitiveness, but they also expand the potential attack surface for cybercriminals – who can exploit vulnerabilities in operational technology to access back-office applications or even sensitive data.
The recent shift towards remote work further increases the cyber risk, with dispersed workers accessing sensitive systems via less secure home networks. The need to support this way of working is a contributor to the volume of attacks that occur using stolen credentials or compromised accounts.
Cyber incident responses and disaster recovery
Network security incidents could disrupt operations, require costly investigations and be subject to regulatory action, customer complaints and even claims.
There’s also reputational risk for companies if data is affected and that’s amplified if personal data is lost, compromised or shared. And organisations could lose their competitive edge if cybercriminals steal any intellectual property.
The time it takes to resume operations could be the difference to how swiftly the business can continue – if indeed it can continue. If a company is unable to trade for some time after an attack, it may need to make staff redundant. That could have a considerable social impact on communities all over the country.
KPMG global research in 2022 found only 35 percent of high-maturity organisations and 13 percent of low-maturity organisations had network activity monitoring implemented on all operational control systems. That makes detecting, triaging and responding at scale to a cyber incident incredibly difficult.
Locally, we saw a beverage giant experience two cyber attacks within six months in 2020. These attacks caused IT outages, disrupted production lines and sensitive customer and commercial data may have been compromised. A major logistics company was also the target of two ransomware attacks in 2020 and many of its internal and customer-facing systems were taken offline. Further, a US-based pipeline system which transports more than 380 million gallons of fuel across the country, was the target of a ransomware attack in 2021, taking many IT systems offline and forcing a temporary closure.
Laws, regulation and assistance
The legal and regulatory landscapes in Australia are evolving swiftly to reflect these activities and to penalise companies that don’t protect sensitive customer data.
The federal government has given greater powers to the Australian Signals Directorate and the ACSC. In 2021, it provided guidance for identifying supply chain risks. And the Security of Critical Infrastructure Act 2018 will continue to be updated to reflect new risks, including cyber attacks. Earlier this year, it appointed the country’s first ever cyber security coordinator – RAAF’s Air Commander Australia, Darren Goldie – who is responsible for managing incident responses across multiple federal agencies.
Manufacturers may be redefined as critical under that Act, meaning they’ll be legally obliged to provide deeper levels of protection against cybercriminals.
The government is also helping, and manufacturers may be eligible for financial support to identify risk and implement necessary technical changes. The National Reconstruction Fund has the remit to create a positive return. It will finance transformative initiatives for manufacturing, providing loans, investment and guarantees. It has already earmarked $1 billion for critical technologies and another $1 billion for advanced manufacturing.
How to protect legacy systems
KPMG has found manufacturing clients typically have robust security measures for back-office and technology systems, but operational technology and industrial control systems’ security often have vulnerabilities.
Our clients recognise the threats to their large and complex environments. They also understand the complexity of protecting them. Sometimes these issues can’t be addressed because of the age of the system. They may be out of support or need patches and upgrades, or they’re located remotely which makes the logistics of an uplift difficult. Sometimes, it’s hard to know where to begin.
Our approach is to ensure adequate controls are in place. These questions are a good starting point:
-
Impact of change in Federal Government
-
Impact of inflation and pressures around further interest rate hikes both locally and globally
-
Unfolding of the uncertainty around economic and geopolitical climate globally
The answers will help identify risks and then build appropriate defensive controls and threat intelligence to mitigate them. Taking a threat-based approach to a company’s security posture will prioritise activities into must-haves and nice-to-haves. This approach identifies controls that may perform well but won’t necessarily reduce risk, and informs where best to invest for cyber protection.
Where to start
Protecting an ageing technology estate that’s distributed in multiple locations can be a considerable undertaking, but it’s not impossible.
There are four foundational actions that every organisation can take today to understand the risks they may face.
It’s critical for manufacturing leaders to acknowledge that making small improvements gradually over time is better than taking no action.
Why KPMG
Our approach to cyber security in the manufacturing industry begins with forming a holistic understanding of a client’s assets and their threat profile. Our adversary simulations team can impersonate attackers and attempt to break cyber defences. And we seek to understand the most likely type of attack on a company, what assets would be targeted and how they’ll be impacted. Where relevant, we’ll also consider the criminals behind the attack: whether it could be a nation-state, professional criminals or an individual with bad intentions.
This provides a view of weaknesses and the necessary controls to manage the risks.
These activities help us create a maturity assessment which includes the necessary technical controls to mitigate those risks. We can work directly to implement the technical controls or support clients as they implement change. And we can create a roadmap for ongoing activities to ensure protection continues.
And in recognition of the current shortage of cyber security specialists, KPMG’s CISO as a service effectively provides leadership and expertise for our clients. We’re able to deploy swiftly and our model may be faster than recruiting a permanent member of staff.
Contact us
Get in touch to learn how the KPMG manufacturing team can help create a suitable asset optimisation strategy for your organisation and usher you into the era of Industry 4.0.
