Skip to main content
close search
site logo

How to mitigate cybersecurity threats in contract manufacturing

Companies face a variety of cyber risks, from fragmented security frameworks to exposed passwords.

Published Jan. 10, 2023
By
Contributor
Computer engineer working in factory with laptop computer
Contract manufacturers face unique cybersecurity threats that require careful vigilance. Thinkhubstudio via Getty Images

While cybersecurity threats are a common concern for major manufacturing companies, the same is true for smaller contract manufacturers. These companies are often at risk of fraud from hackers. 

The industry as a whole is vulnerable because of how connected it now is, said Charly Davis, head of industrials at cybersecurity firm NCC Group. That’s in part “because of the sudden entrance of many of the acritudes into that work of network IoT.”

Contractor manufactures may also possess or have access to IP that hackers want to sell or acquire at the behest of a nation state, which makes them a target to a range of bad actors.

Here’s are some of the major cybersecurity risks contract manufacturers commonly face, and what IT managers can do to stop potential threats before they start or neutralize issues that may squeak inside.

End users and clients as targets

From how Alexander Pettit Estell, an application engineer in IT for Dynamic Blending, sees it, the contract manufacturer’s biggest cybersecurity threats come from the vulnerabilities of the clients it works with. End users may not have the same kinds of robust cybersecurity practices in place as Dynamic Blending does, he said.

For that reason, Pettit Estell works with the company’s partners to educate them about phishing and how to recognize suspicious emails, which include launching faux cyber attacks and seeing who clicks on dangerous links. The company also works to help their end users recognize what Dynamic Blending would ask a client for – and what they would not, like demanding someone go out and buy a product or get a paper check.

“That probably wouldn’t happen, so we’re helping our end users built up tolls for what to look for,” he said.

This kind of education includes their clients too, and making them aware of what services the company uses, especially for paying vendors. “We’re not at the point that people are generally trying to break into our network and sit there and do a major cyberattack,” Pettit Estell said, but hackers may masquerade Dynamic Blending and to trick someone into sending a $5,000 to $6,000 payment to the wrong place.

More machines on the internet means more vulnerabilities

While trying to extend the life of equipment makes financial sense, it also means that older machines may contain more security flaws that can put an entire company at risk.

Some companies are “using a system that was never intended to be connected to the outside world,” Davis said. She’s currently working with a pharmaceutical chain that put sensors on refrigerators, which means they are now connected to the internet. Until the chain hardened their security posture, their connection was over a non-secured network, which presents a risk.

With contract manufacturing, these issues are exacerbated “because the profile tends to be fragmented systems across multiple different organizations. It’s very difficult to apply a single security framework,” she said.

The same is true for old equipment. Some manufacturing machinery is still using “old software, like fairly antiquated Windows systems that go out of production and are no longer patched,” said Misha Govshteyn, CEO of electronics MacroFab. They become attack vectors as well.

How to close the risk gaps

Basic cybersecurity hygiene goes a long way towards stopping attacks, especially against things like ransomware and malware that often try to find the easiest entry point in a system.

Hackers are “targeting manufacturing because the manufacturing sector makes common mistakes like admin password visibility and failure to recognize that credentials are available on the dark web,” Davis said. “They’re looking for financial gain and are not specifically fussy” about who they attack.  

Things like two factor authentication and requiring employees who work from home or offsite to have a VPN will thwart attacks. Contract manufacturers can also educate their workforce about the risks of using unsecured, public Wi-Fi networks, and potential threats from unfamiliar USB drives. Dynamic Blending took the extra step of locking functions of USBs so they don’t introduce threat into the system, or could be used to take IP or other critical information out of the system.

Govshteyn also recommends looking at the current state of file sharing, which can create “a Swiss cheese of open places that could take [a company] down,” especially since different clients tend to use their own preferred application.

Air gapping data – which creates barriers between contract manufacturers’ networks and their end users and clients – can help contain any security breaches and prevent them from spreading throughout the entire supply chain, Pettit Estell said. Critical “documents are air gapped on different hard drives, so those hard drives are generally encrypted with encryption keys” on both ends, he noted.

IT managers can also operate on a “zero trust” basis, in which the people who can reach certain parts of the company infrastructure are limited, and two authenticated peers need to sign off on critical actions.

Recommended Reading

Filed Under: Operations, Technology

Editors' picks

Company Announcements

View all | Post a press release
YMX Logistics and Orange EV Join Forces to Deliver Zero Emission Transportation Solutions to Y…
From YMX Logistics, LLC.
November 18, 2024

Want to share a company announcement with your peers?

Get started

Editors' picks
Latest in Operations
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell