Dawn Cappelli has seen just about everything when it comes to cybercrimes. She knows that smaller businesses along the manufacturing supply chain make a grave mistake if they think they aren’t targets.
“The first thing that small and medium-sized businesses need to understand is that in the past, they probably thought that this would never happen to them. ‘Why would anyone attack a company like us? We don’t really have to worry about security,’” says Cappelli, who retired in February as the cyber information security officer (CISO) at Rockwell Automation, a global provider of industrial automation services and products. “But these ransomware groups are very well-organized criminal networks, and they are attacking whoever they can get.”
In fact, she adds, companies running manufacturing environments are one of the most targeted by ransomware groups. They have figured out that recovery is more difficult than in IT environments and that the companies are more likely to pay the ransom. “The ransom that they demand is based on what they think the company can afford to pay,” Cappelli says, adding that the criminal networks are so sophisticated these days that they run like regular businesses, with their own help desks. “This is not just some kid in his parents’ basement anymore.”
The lessons for businesses in the flexible packaging industry are the same for any business, Cappelli and others say. However, manufacturers not only have to protect IT systems, which are the traditional target of cybercriminals, but also may see threats to their operational technology (OT) systems. The most common methods used to compromise a company are phishing emails and unpatched computer systems. That means companies must continually educate employees on being alert for phishing attempts and ensure that operating systems and third-party applications routinely auto-update with patches.
“IT people do IT backups all the time,” Cappelli says. “With OT, it is a lot more complicated. Do you have all of the PLCs [programmable logic controllers] backed up? Are they regularly backed up? Do you know where the backups are? I have found with many customers of Rockwell that people will say that they are backed up and the backups are on that computer under Joe’s desk. But is the computer under Joe’s desk backed up?”
NAM Cyber Cover
Those and other cybersecurity trends have led the Flexible Packaging Association (FPA) to offer its members an insurance program that was developed by the National Association of Manufacturers (NAM). NAM Cyber Cover, a cyber risk mitigation and insurance package, is designed to protect small and medium-sized manufacturers from attacks. FPA kicked off its informational campaign in March during its 2022 Annual Meeting in Florida.
NAM has been working with AHT Insurance and Coalition, a California-based cyber insurance company, to spread the word about how NAM Cyber Cover can mitigate risks on the front end so that any attacks are either thwarted or the severity is lessened, says AHT Insurance Partner George J. Forrester, who gave a presentation to FPA members at the March meeting. Forrester leads the manufacturing practice at AHT and was a primary developer of NAM Cyber Cover.
In 2021, the average ransomware demand was $570,000. And 65% of companies across all industries were targets of phishing emails in 2020, Forrester says. Manufacturing is one of the most targeted industries for cyberattacks, behind financial services and health care, he says. “We hear about the big attacks, but the small ones are the ones you don’t hear about,” Forrester says. “And they are constant. I know guys around the forensics space who are on the phones daily—yet 50% of the industrial community is still not buying cyber insurance.”
As part of NAM Cyber Cover’s services, Coalition begins with a cyber risk assessment that identifies vulnerabilities and ranks the risks from critical to low. The process requires four pieces of information: the company name, its website URL, estimated annual revenues, and the number of employees. That free assessment alone can go a long way toward helping companies, says Forrester and Paul Hartgen, NAM’s vice president of member and business services. The report also ranks companies among Coalition policyholders to give owners and managers an idea of where they stand when it comes to threats.
“If I can get every small manufacturer across the country to do a cyber risk assessment and take action on those things, we will be moving the ball so far down the field it would be awesome,” Hartgen says. “Not only is it a great policy, but it is also an effective policy because Coalition mitigates as much risk as possible upfront, so they know what they are insuring.”
Those that seek out the insurance would then have access to patch managers that scan for out-of-date software and weaknesses, as well as 24/7 monitoring for new threats. A notification system alerts companies before anything can be damaged, Forrester says. If there is an attack that results in damages, the insurance covers losses up to the insurance limits that start at $1 million. Another key provision is that up to five vendors can be added to the protection, with the policyholder getting a monthly cyber hygiene report on each of them.
Attacks Through Vendors
Even companies that think they are well protected can be exposed to attacks through their vendors, Cappelli points out. The problem has gotten so bad that the White House issued an executive order last year to improve cybersecurity measures. The order will increase information sharing between the public and private sectors and require more stringent security controls, including vendors along the supply chain, especially those that have contracts with the federal government.
“When I was CISO at Rockwell, we repeatedly were getting notifications from companies that supplied Rockwell saying they were hit with ransomware and might not be able to get products to us for weeks,” Cappelli says.
“In security … you have to assume you are going to be attacked—that you are going to be compromised—and so you have to be prepared.”
—Dawn Cappelli, director of OT CERT, Dragos
An infamous example of a vendor-related cyberattack occurred in 2013 when thieves gained access to the credit and debit information of customers of the retailer Target. The cybercriminals obtained the records after getting access to Target’s network through their third-party HVAC vendor. “It is important from the supply chain perspective that we are all in this together,” Cappelli says. “If one company is compromised, it puts everyone at risk.”
Large companies usually have the money to hire experienced IT security teams and purchase security technologies, she notes. “The small and medium companies don’t necessarily have an IT team, much less a security team,” she says. That also means that smaller companies don’t have adequate training programs.
Cappelli is a member of the NAM Manufacturing Cybersecurity Advisory Council, which is a networking group dedicated to solving cybersecurity issues worldwide. She is familiar with the NAM Cyber Cover product and suggests that its various features, such as the cyber risk assessment, are good resources for businesses. “Cyber insurance is getting increasingly difficult to get because ransomware attacks have become so prevalent,” she says. “We all hear about the big ones— JBS foods and Colonial Pipeline—but they are happening every day to large, small, and medium companies all over the world, and most of them don’t want it to be in the press. Small companies that have been hit know that it could put your company out of business.”
Prevention and Preparation
“Prevention and preparation” are the keys, Cappelli says. “In security, we would always say that you have to assume you are going to be attacked—that you are going to be compromised—and so you have to be prepared.”
Larger companies often have the financial resources to secure both IT and OT operations. The mistake they make is not putting the two teams in the same room to talk, she says. Cappelli says IT security teams should work with their OT plant engineers and managers on a security strategy. “That is the No. 1 fundamental thing they need to do,” she says. “OT engineers are not trained as security experts. Or the CISO is given the responsibility to secure OT, but the IT team doesn’t understand OT.”
She also recommends that companies follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework for OT. It provides a road map and ensures that companies are thorough in their approach.
For Cappelli, cybersecurity is a passion, which she is putting to use in her new role. After leaving Rockwell, Cappelli joined Dragos, a company focused on industrial cybersecurity. She is the director of OT CERT (Computer Emergency Readiness Team), which is a program focused on providing free resources for small and mid-sized companies with OT environments. OT CERT will help companies that don’t have the resources to protect their OT.
Dragos CEO Robert M. Lee was one of the sources in a “60 Minutes” segment on April 15 that discussed heightened concerns over cyberattacks from Russia as it wages its war against Ukraine. The worldwide economic sanctions could push Russia to launch massive and sophisticated cyberattacks in the U.S. and elsewhere, according to the “60 Minutes” report.
OT CERT is a way for Dragos to be a part of the solution, Cappelli says. “Our company’s mission is to safeguard civilization,” she says. “And as our company CEO says, we can’t safeguard civilization if we can only help the big companies that can afford to buy our products. If we truly want to safeguard civilization from these cyber threats, we have to help small and medium-sized companies, as well.”
Thomas A. Barstow is senior editor of FlexPack VOICE®