ReliaQuest is proud to announce the publication of our Manufacturing Sector Threat Landscape report, which provides a detailed overview of the evolving cyber threats facing this industry. The manufacturing sector is an attractive target for cybercriminals due to its reliance on legacy systems and operational technologies (OT) that are difficult to update, and the high costs of operational downtime that victims strive to avoid.
In this blog, we’ll summarize the key themes of the report, including the most pressing threats, common MITRE ATT&CK techniques used against this sector, ransomware trends, and dark web insights.
Top MITRE ATT&CK Techniques Targeting the Sector
The most common MITRE ATT&CK techniques observed in the manufacturing sector over the last year include:
- T1566.002 – Phishing: Spearphishing Link (29.7%)
- T1534 – Internal Spearphishing (22.86%)
- T1566.001 – Phishing: Spearphishing Attachment (16.93%)
- T1204.002 – User Execution: Malicious File (12.46%)
- T1566 – Phishing (12.02%)
Initial Access Vectors
Threat actors frequently use a narrow set of initial access techniques to target the sector compared to other industry verticals. The prevalence of less-sophisticated compromise techniques, such as “Phishing,” “Spearphishing Link,” and “Spearphishing Attachment,” suggests that adversaries are targeting the manufacturing sector with a broad, indiscriminate approach that relies on attacking large numbers of organizations with simple methods, hoping that some will fall victim.
Post-Ingress Techniques
The only post-initial access technique to appear in the top five, “User Execution: Malicious File,” involves users opening malicious files commonly spread via phishing links, underscoring the critical role of phishing-based techniques in targeting the sector and the need for robust protections against these threats. Malicious file execution was observed in 12.46% of manufacturing sector incidents, over three times the average rate at which it occurred in incidents affecting other sectors.
GreyMatter and Dark Web Insights
Reducing mean time to contain (MTTC) incidents is critical for maintaining business continuity and minimizing the impact of cyber threats. The manufacturing sector faces unique challenges due to its mix of legacy OT systems and modern IT systems, which can complicate incident response efforts.
Our analysis found that:
- The average MTTC for manufacturing organizations using manual response strategies is 1 day and 17 hours, more than double the all-sector average.
- Many manufacturing sector CISOs are hesitant to adopt automation due to concerns about potential operational disruptions.
- Organizations using ReliaQuest Automated Response Plays (ARPs) have reduced their MTTC to an average of just four minutes for relevant alerts. ARPs have proven to significantly mitigate threats and minimize disruptions, allowing organizations to contain threats quickly and maintain operational continuity.
What We Are Seeing on the Dark Web
Posts about the manufacturing sector are common on dark web forums, where cybercriminals discuss vulnerabilities in industrial control systems and IIoT devices. Although these vulnerabilities provide cybercriminals with limited opportunity for large-scale campaigns, they are likely easier to exploit due to a lack of systematic patching in the manufacturing sector.
For example, on the Russian-language cybercriminal forum XSS, we have uncovered posts from users describing vulnerabilities and proof-of-concept exploits in electric vehicle charging systems and industrial control devices. This highlights the keen interest threat actors have in IIoT vulnerabilities, even those concerning highly specialized technologies.
Cyber Threat Forecast for Sector
The manufacturing sector faces several emerging cyber threats:
Industrial Internet of Things (IIoT): The lines between OT and IT domains are blurring as businesses demand more access to operational data from IIoT devices, which have a predictive and preventative impact that ensures standards in maintenance, safety, and environmental protection. Threat actors are responding to the growth in IIoT and IoT device use; security researchers recorded a 400% increase in IoT malware in 2023 compared to 2022. To protect against the emerging threat to IIoT devices, it’s essential for organizations to ensure full visibility into their tech landscape and encrypt communications across all IIoT infrastructure.
Supply-chain attacks: Industrial manufacturers possess valuable intellectual property, sensitive OT environments, and tight production timelines, making them prime targets for third-party data breaches and supply-chain attacks. We expect the threat to escalate as organizations increasingly adopt cloud services, microservices architectures, and third-party software.
Ransomware: Looking ahead, the manufacturing sector should brace for evolving ransomware threats and the likely emergence of new ransomware groups, particularly ransomware-as-a-service (RaaS) groups. The emergence of newer groups is expected to disproportionately affect the manufacturing sector, as RaaS groups have already shown a strong preference for targeting manufacturing organizations. If newer affiliates also perceive these organizations as easy targets, they are likely to focus their efforts there.
Key Takeaways
The manufacturing sector faces a particularly aggressive threat landscape. Financially motivated threat actors disproportionately target organizations in the sector, believing them to be soft targets likely to pay ransoms due to the severe consequences of operational downtimes. Additionally, the cautious use of automated responses like ReliaQuest ARPs means that manufacturing sector organizations often respond more slowly to incidents. This delay can have serious consequences, as it provides threat actors more time to establish themselves within networks and carry out malicious activities. To combat these threats, manufacturing organizations must prioritize fundamental security measures, including monitoring and controlling web access, employing advanced threat detection systems, and training individuals to identify common social-engineering tactics.
ReliaQuest research is dedicated to equipping organizations with the critical knowledge and strategies needed to anticipate and combat cyber risks. This commitment aligns with our mission to reduce visibility, reduce complexity, and manage risk, thereby significantly mitigating the impact of cyber threats on global security.
The information provided here is just an overview of the threats facing the manufacturing sector. To gain a comprehensive understanding and explore the full extent of the cyber threats this industry is facing, read our full report.