More than three-quarters of manufacturing organizations harbor unpatched high-severity vulnerabilities in their systems, a study of the sector found.

New telemetry from SecurityScorecard shows a year-over-year increase in high-severity vulns in those organizations.

In 2022, some "76% of manufacturing organizations, SecurityScorecard observed unpatched CVEs on IP addresses our platform attributes to those organizations," says Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard.

Nearly 40% of these organizations — which include metals, machinery, appliance, electrical equipment, and transportation manufacturing — suffered malware infections in 2022.

Almost half (48%) of critical manufacturing organizations received a ranking between "C" and "F" on SecurityScorecard's security ratings platform.

The platform includes ten groups of risk factors, including DNS health, IP reputation, Web application security, network security, leaked information, hacker chatter, endpoint security, and patching cadence.

The severity of cyberattacks against manufacturers is noteworthy, Yampolskiy says.

"Many of these incidents have involved ransomware where the threat actor, usually in the form of a criminal group, sets out to make money through extortion," he says. "While the ransomware problem is global, we’ve seen a rising number of attacks on critical infrastructure come from nation-state actors in pursuit of various geopolitical objectives."

Meanwhile, incident response investigations by teams at Dragos and IBM X-Force overwhelmingly showed that the hottest operations technology (OT) target is the manufacturing sector, and the main weapon attacking these organizations is now ransomware.

"Democratized" Cybersecurity

Sophisticated state-sponsored actors such as Russia target several different critical infrastructure organizations across the US, from healthcare to energy to telecommunications, Yampolskiy says.

The good news? "Globally, governments are already taking steps to strengthen cybersecurity," he notes.

Take the US Cyber Incident Reporting for Critical Infrastructure Act of 2022, requiring critical infrastructure to report certain cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA).

Other agencies, such as the Federal Energy Regulatory Commission, the Securities and Exchange Commission, and the Treasury Department, are also in various stages of rulemaking for entities under their regulatory jurisdiction.

Yampolskiy says policymakers should continue working with industry to have a greater and continuous understanding of the security postures of the organizations and industries that directly impact essential services for citizens, or the US economy in general.

"A more democratized, integrated, and collaborative approach to cybersecurity resilience that provides continuous visibility of the global threat landscape and convenes public and private sectors is essential to protect the world's critical infrastructure" he says, further noting that better information-sharing between government and industry is key.