After healthcare, manufacturing is the second most targeted industry by hackers and cyber criminals.¹ The industry’s drive for innovation and increased reliance on automation and industrial internet of things (IIoT) has heightened its cyber risk. A breach or cyber incident can cause more than a mild disruption; it can pose a risk of defective products, physical damage and even loss of life.
Internal and external red team testing was done by a manufacturer’s security team and a competing cyber security firm. Both teams identified the same threats. Yet, executive leadership would not move forward with remediation, leaving the organization vulnerable. Why? The testing results were presented in a 1,000 page report. While the report accurately outlined a cyber security plan, it was unfamiliar to the CEO and CFO. Neither the internal team nor the outside cyber security firm hired were able to clearly communicate the nature of the cyber risk and what it means in business terms to the C-suite.
After meeting with our leadership, the company’s executive team hired us to conduct another round of red team testing. We did. Our technical specialists entered the network and rapidly moved throughout the environment, escalating to domain administrative privileges, and accessing their guest wireless network. We got our hands on sensitive information including product configurations, unreleased product design and launch plans, and physical blueprints for plants.
Even though we found additional vulnerabilities, we had one crucial skill the other team did not: the ability to clearly communicate cyber security risk from the business perspective. We bridged the gap between technology and business in the presentation of our findings. The company comprehended the impact of their vulnerabilities and began remediation to secure the organization.
- Successfully penetrated the guest wireless network, and uncovered vulnerabilities extending throughout the corporate network
- Demonstrated cyber risk and its business impact to the C-suite when other teams couldn’t, achieving remediation buy-in
- Maintained discretion with our work, securing leadership’s trust and confidence
1. Comeau, Zachary. “Manufacturing is second-most targeted industry for cyber attacks.” Worcester Business Journal, New England Media, July 24, 2018.