Tips for keeping manufacturing IT systems safe from cybercrime

A metal fabricating company doesn't need a large IT staff to protect it from cybercriminals

As cybercriminals get more sophisticated and relentless, manufacturing companies need to get more serious about protecting banking information and their own internal information technology systems. Urupong/iStock/Getty Images Plus

In March 2022, Wilson Tool Intl. in White Bear Lake, Minn., found itself locked out of its information technology (IT) systems. That included everything from the enterprise resource planning software to modeling software. Its information was being held for ransom.

The company pulled together, going back to manual processes in some cases, and responded to customer requests as efficiently as it could. Eventually, it righted itself, and with the payment of the ransom, it got back control of its software and servers. (For more on this cyberattack and the subsequent steps taken to get the business back online, read “Why manufacturers need to be prepared for a cyberattack.”)

But the point of this feature is not to recap the Wilson Tool story. It’s to remind metal fabricating companies that no one is safe from being a target. Upon looking to see how the cyberattack occurred, investigators found that Wilson Tool was delayed in patching an old email server. The cybercriminals, who are often the motivation behind software companies sending you reminders to set aside time for maintenance, found their entryway into the company’s IT systems through that crack in the email server. That’s all they needed. From there, they just waited to find out who had administration privileges and gathered the necessary intelligence to assume the supervisory role that used to belong to the system administrators.

The Wilson Tool IT staff knew it had to make the patches, but it just didn’t do it in a timely fashion. The matter of a few days ended up being all of the time that the cybercriminals needed.

There’s a reason for that. Cybercrime is a big and successful business model.

“You can operate out of a country that refuses to help law enforcement in the country that you’re attacking, so there’s no repercussions for your actions,” said Bryce Austin, founder of cybersecurity consultancy TCE Strategy, which worked with Wilson Tool after the incident. “This type of crime is so much easier than running drugs, human trafficking, racketeering, or the other horrible things that organized crime does. This is a much easier pathway, so they’re taking it.”

These are no fly-by-night operations either. These cybercriminals have a tried-and-true business model. Typically, it begins with a group that looks for weaknesses in an organization’s IT systems, which include dated and vulnerable servers or clueless employees who have mistakenly responded to a fake email and provided an opening of which the cybercriminal can take advantage. Once in, that group of internet ne’er-do-wells sells the access to a second tier of cybercriminals, ones who are more skilled at gaining “persistence” in the network, as Austin described it. They find a way to get their hooks into the IT infrastructure so they can take control and lock out the original administrators. These middlemen then sell the entire setup to cybercriminals who handle the exfiltration of information and the ransom. These gangs work in the darkness, but their names—such as Medusa or Conti—might be familiar even among the analog generation that still gets a newspaper.

A lot of people think of the ransoming of IT systems as the main cybercrime, but that’s not the case, according to Austin. It’s wire fraud.

In this scenario, cybercriminals only need to gain access to an email account. They go through all the email records to find one associated with a bill and then send out emails, as that person, trying to convince people to send them money to a bank account that’s been set up for these nefarious reasons.

Does this sound like something that’s more likely to affect senior citizens who are easily confused? Think again.

Austin recounted the tale of a university professor who was duped by a party claiming to be the Massachusetts State Police. Over a phone call, the professor was convinced by the fake law enforcement representative that her bank accounts had been compromised and that she needed a new social security number, which can take a while. Focusing on the ongoing threat, the criminals convinced the professor to transfer her funds into bank accounts specially set up by the Massachusetts State Police. The professor, who was in her 30s, followed those instructions and ended up losing $200,000.

“Anyone can be a victim,” Austin said. “There are hawks circling overhead looking for the squirrels, so we want to be porcupines in the land of all of these squirrels. As a result, the cybercriminals will pick the easier target.”

What Can a Shop Do to Protect Itself?

Austin said he recognizes that the cybersecurity threats can seem overwhelming for a small to medium-sized business, but that’s just part of the risk of being a part of a digitally connected world. Companies can’t afford to forgo the modern conveniences associated with the internet, so they need to be smart about how they go about their business.

Austin suggested that a third party, like his company, could be called upon to help a manufacturer, and it wouldn’t have to be a full-time relationship, likening it to keeping an attorney on retainer. A company might only need about 10 hours’ worth of the attorney’s time per month to look over certain legal situations. The same sort of arrangement can exist for a cybersecurity specialist.

In the meantime, here are some other steps that metal fabricating companies can take to secure their own IT systems.

Be Vigilant Against Phishing Scams. These emails sent to company addresses might notify parties of a problem with a financial account, ask for individuals to confirm some information, or try to entice someone to make a late payment. They might even look pretty close to an official organization that does business with the email recipient. If there is a question, it’s always safer to go to the official company website or mobile app.

A company should consistently remind email recipients to be careful what they click on in an email. A company also could choose to send out fake phishing emails to company accounts to see if people are as vigilant as they need to be.

Arrange for Multifactor Authentication on Email Accounts. This approach offers extra security by requiring two steps to log into an account. These extra credentials could include knowledge familiar to only the account holder, such as a PIN or the answer to a security question; a passcode sent by text, email, or an authenticator app; or a biological feature, such as a face or fingerprint. Multifactor authentication is one more layer of protection in case a cybercriminal gets access to a username and password for an account.

Invest in a Strong Antivirus Package. This is almost a no-brainer, especially in the sense that most people have some familiarity with these systems through at-home experiences. The difference in a commercial setting, however, is that people are joining the network all the time, particularly in the work-at-home environment that is much more common since the pandemic. “You have to demand that people use antivirus before they can hook up to your network,” Austin said, “or you might need to set up a network where you assume that certain machines don’t have any virus protection and you treat them in a much more suspicious manner.”

Consider Offline Backups of Data. The best insurance against a ransomware attack is having a backup of the data that has been stolen. “If you have a ransomware attack and those backups aren’t on your network but in a drawer somewhere, you have a get-out-of-jail-free card. Those offline backups are very hard to hack because they are on their own,” Austin said.

Provide Training to IT Staff. It’s not a secret that if a company even has an IT expert, that person might be someone who has shown talent in setting up a server room and coordinating the connections necessary to get the computer network up and running. Odds are that same person is not really well-versed in cybersecurity. According to Austin, it really is two different skill sets, like an automotive engineer that might specialize in motor performance and another with expertise in a vehicle’s crashworthiness. A company needs to ensure that anyone given the responsibility of being a domain administrator has enough cybersecurity knowledge to keep unwanted outside parties from infiltrating internal IT systems.

Commit to a Scanning or Patching Program. As previously discussed, a deficient piece of coding in a software package can be the door that welcomes unwanted parties into your IT system. Patches are sent out by the software developers to remedy these weaknesses and keep the cybercriminals out. Such a patching regimen should be done at least monthly. Companies also might want to commit to scanning for vulnerabilities, not just relying on software developers to stay on top of potential access points for outsiders. Austin said such scanning practices involve special software and require someone who knows how to use it.

Manufacturers Beware!

In a world where there are few certainties, Austin said that companies can be certain that cybercriminality will continue to grow, both in resourcefulness and resiliency. The potential payoff is too great to ignore.

“I think there’s a lot more awareness than there was a few years ago about cybersecurity issues, and things are starting to move in a more positive direction for the manufacturing industry,” he said. “But the rate of change isn’t keeping up. The bad guys are innovating faster than the good guys.”

About the Author
The Fabricator

Dan Davis

Editor-in-Chief

Dan Davis is editor-in-chief of The Fabricator, the industry's most widely circulated metal fabricating magazine, and its sister publications, The Tube & Pipe Journal and The Welder. He has been with the publications since April 2002.