Since the end of September, a spate of ransomware incidents has been recorded around the globe, primarily targeting large-scale manufacturing facilities that produce goods ranging from medical devices to vehicle components.
While information on the exact nature of the cyber attacks remains scarce, the incidents have reportedly crippled IT systems and, in some cases, led to production stoppages of entire manufacturing plants. The companies affected in recent weeks include: Meridian Lightweight Technologies, Heartland Automotive, and Rheinmetall Automotive, all suppliers of car parts; Subaru, a Japanese car maker; and Demant Group, a Danish-based maker of hearing aids and audiometric equipment.
Automotive and medical device companies among the targets
The first of these incidents was detected on September 3 across business units of Demant Group, including its subsidiaries Oticon, Sonic Innovations, and Bernafon. With the IT infrastructure severely hampered at multiple sites across Denmark, France, Poland, and Mexico, digital ordering and communications came to a virtual standstill. Production lines, however, were kept running.
On September 24, another cyber incident was reported at Rheinmetall’s production facilities across North and South America. While not explicitly stated, the symptoms of the incident appeared consistent with a ransomware attack. Upon disclosure of the incident, the company revealed impacts extending from office functions to production facilities in Mexico (Celaya, GUA), Brazil (Nova Odessa, SP), and the United States (Pontiac, MI; Detroit, MI; and Marinette, WI).
Another unspecified cyber attack was discovered at the Strathroy, ON headquarters of Meridian Lightweight Technologies on September 27. While the extent of the impact on communications and production lines was not immediately known, it is the first attack of its kind in the private sector in southwestern Ontario, Canada.
Subsequent incidents were then reported on October 1 at two neighboring automotive manufacturing facilities in Lafayette, IN that belong to Japanese car maker Subaru and one of its suppliers, Heartland Automotive. The incident caused production shift cancellations for at least two consecutive days on September 30 and October 1.
Ransomware attacks are on the rise, last longer and cost more
The recent cyber attacks highlight a few broader trends that have unfolded throughout 2019.
First, the number of attacks targeting large-scale manufacturing facilities has increased since the start of 2019. While March previously saw the most cyber attacks on manufacturing companies this year, September has set a new record, with more than 5 companies having experienced disruption from ransomware incidents. In total, more than 15 manufacturing companies ranging from chemicals to machinery to medical devices have recorded ransomware attacks in 2019. This is a sharp increase from 2018, when a total of 8 manufacturing firms were affected.
Second, ransomware incidents are one of the costlier forms of cyber attacks, regardless of whether or not the ransom is paid in the end. One of the most prominent examples occurred in April this year when Norsk Hydro, a Norwegian aluminium producer, sustained a ransomware attack on its computer system. This resulted in production downtimes at certain business units for more than a week.
Preliminary assessments of the recently affected Demant Group suggested that the company would likely face financial costs of up to DKK 650 million (EUR 87 million; USD 95 million), of which DKK 50 million (EUR 6.7 million; USD 7.3 million) is directly attributable to the ransomware incident.
Similarly, Rheinmetall’s automotive division estimated that the attack would cost it EUR 3-4 million (USD 3.27-4.36 million) per week. While financial loss estimates from Subaru and Heartland Automotive have yet to surface, the disruption of their main assembly lines for at least two days indicates that the financial damage is likely to be significant too.
Last but not least, ransomware attacks on manufacturing facilities tend to last longer, with production lines potentially down for weeks or months before restored IT systems allow operations to fully resume.
Demant Group reported that it would likely take the company 5-6 weeks to restore all critical systems, while Rheinmetall Automotive expected to require 2-4 weeks to restore its systems at the five affected facilities.
These events stand in notable comparison with the Norsk Hydro LockerGoga ransomware incident of March 2019, in size as well as scope. In this first large trans-national ransomware incident of the year, the ransomware was present on target systems for 2-3 weeks before striking on March 19, and restoring basic functions required 6 days. The incident and its fallout cost up to USD 68.8 million (EUR 62.6 million) by June 6, 2019, due to delayed earnings reporting and production system restoration.
Damages to worsen with time
2019 has become noteworthy for production-related ransomware incidents, and the most recent incidents mentioned above are no exception. Of the reported incidents, the Meridian case stands out as an example of preparedness, because while damages have not yet been assessed, the immediate law enforcement response helped mitigate its impact.
While Rheinmetall and Demant had different timespans of disclosure between their initial incident occurrence and damage assessment, the sooner a firm cascades news of such an incident throughout its supply chain, the greater the chance of mitigating its effects before losses accumulate. Such conditions therefore mandate a transparent and facile line of communication between supply chain managers and IT professionals for monitoring, intercepting and mitigating cyber threats to one’s manufacturing supply chain.