Paying Ransom: Why Manufacturers Shell Out to Cybercriminals

Lower cybersecurity awareness coupled with vulnerable OT gear makes manufacturers tempting targets, but zero trust can blunt attackers’ advantages.

Ben Corll, CISO Americas, Zscaler

December 20, 2022

5 Min Read
A factory in the distance with smoke coming out of the chimney stacks
Source: Kay Roxby via Alamy Photo

Everyone in information security knows ransomware actors target different industries for different reasons. Some are seen as flush with cash. Some have obvious reasons for needing to resume operations ASAP. Others are just widely recognized as poorly protected.

But did you know that manufacturers pay the highest ransoms of any vertical?

A recent report spelled it out in stark detail. Across all industries, the average ransom paid is a hefty $812,360. Yet for manufacturing, that average skyrockets to a stunning $2,036,189 — about two and a half times the average.

Attackers prefer easy, weak targets as a rule. So what is it about manufacturing that qualifies such organizations as easy or weak?

First, it’s worth asking whether manufacturers are targeted more often, or if they just happen to fall victim more frequently due to inherent factors like outdated tech or lack of cybersecurity awareness. The next interesting question is why they tend to shell out sums so egregiously above what organizations in other verticals do.

As a chief information security officer (CISO) with years of experience leading cybersecurity operations for a global manufacturer, I have some immediate explanations in mind. Here are some of the factors that inevitably contribute:

  • Manufacturers typically have slim profit margins and rely on steady productivity to compensate.

  • Manufacturers know they won’t make much profit on any one iteration of manufactured goods, so high volume is necessary to hit business targets over time. But high volume requires regular output, uninterrupted by slowdowns or complete outages.

  • While organizations in industries with fatter margins might be able to tolerate an extended outage, manufacturers typically can’t. The result is exceptional pressure on manufacturers to pay ransoms and pay them quickly. That’s why attackers, conscious of all this context and the leverage it gives them, may feel emboldened to charge higher ransoms than they would in other industries.

Manufacturing Suffers From Low Cybersecurity Awareness

Many factory workers don’t routinely use IT gear like desktop computers, laptops, or tablets. Some may not even have corporate-issued email addresses. Additionally, very few have received extensive training on current cyber threats, and as such, wouldn’t know how to recognize, react, or, report them to their IT team once they’re spotted.

Think of the most standard, low-hanging fruit of cybersecurity awareness training: the phishing simulation. Even if email addresses are provided (far from a given, especially in manufacturing facilities in the developing world), it’s simply unreasonable to expect employees to develop an understanding of the attack chain that may lead from a phishing email to a compromise by a ransomware actor.

These factors increase an organization’s total attack surface. They make the manufacturer more apparent to attackers and more likely to fall prey to attacks if they appear.

Manufacturing Data Can Be Extraordinarily Valuable

Imagine that a drywall manufacturer has a unique proprietary method for creating drywall that dries quickly and can be rapidly shipped on demand, yielding a competitive advantage. This type of intellectual property, once compromised, can easily be held for an exceptionally high ransom, because the entire business model would be in jeopardy if it were to leave the company.

Similar concerns can apply to data involved in market timing. Suppose a clothing manufacturer planned to release a new line in the spring based on a combination of colors its market research found would be in high demand. The company may have orchestrated its entire spring-season marketing and supply chain ordering on that basis. Attackers could hold such information for a substantial ransom, because if it were given to competitors, those competitors may get to market first with a competing product, raking in all the expected benefits.

Operational technology (OT) used by manufacturers typically involves many assets (pumps, generators, turbines, etc.) that are on the IT infrastructure — and thus accessible to attackers — yet difficult to patch or secure. Sometimes, even if an asset can be secured, only its manufacturer can secure it without voiding the asset’s warranty.

Being outdated and insecure doesn’t always make them less valuable to the organization, however. Many times, these are legacy systems are required for a basic function, with no adequate substitute available, so the organization continues using them. Attackers often take advantage in such cases to maximize their leverage in charging ransoms.

Suppose an attacker is interested in compromising a Fortune 500 bank. If that bank is a client of a manufacturer whose security is less sophisticated than the bank’s, attackers could use the manufacturer as a stepping stone.

Additionally, manufacturing organizations often simply don’t realize how many third parties (partners, clients, suppliers) can access their networks and data. They may grant network privileges too easily, and in many cases, those privileges give unrestricted access instead of being limited to just the assets required for business purposes.

Better Security Is Available Today

I know from experience that manufacturers can significantly reduce their attack surface by adopting zero-trust principles. In turn, this makes it less likely that attackers opportunistically probing the open Internet for weaknesses will discover the organization.

If the organization is discovered, zero trust eliminates an adversary’s ability to move laterally across a network, where they could discover the sort of valuable data that would give them leverage over their target.

Adopting a zero trust approach helps an organization to:

  • Rigorously validate the identity of all participants in a network transaction

  • Obscure from the public Internet the true IP addresses of all assets at any manufacturing facility (or combination of them) via a buffering service

  • Segment the network and support application microtunneling, limiting any possible access by attackers

  • Apply identical policies to public clouds and remote workers, with the ability to scale automatically over time as the network topology changes

These and other techniques, once implemented, can help manufacturers reduce the risk of a breach, lessen their exposure should a breach occur, and minimize the business impact of any successful attack. Best of all, they will help manufacturers hang on to more of their hard-earned profits.

Read more Partner Perspectives from Zscaler

About the Author

Ben Corll

CISO Americas, Zscaler

Ben is a 25-year veteran in the cybersecurity industry with a passion to protect enterprise organizations. He has spent his career establishing security programs for companies of all types and sizes and has held just about every technical security role, from antivirus, firewall, SIEM, and DLP management, to security architect and CISO roles.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights