As details on a recent cybersecurity attack against Grand Rapids-based office furniture giant Steelcase Inc. begin to surface, local manufacturers of all industries and sizes may want to take notice.
The ransomware attack on Steelcase, which shut down its global operations for two weeks, was a stark reminder of the growing number and sophistication of cybersecurity threats facing all types of businesses — with manufacturing attracting a growing number of attacks, experts say.
While Steelcase declined to comment for this report, details of the attack are reverberating through the cybersecurity community.
The furniture manufacturer first reported the incident on Oct. 22 in a filing with the U.S. Securities and Exchange Commission. Steelcase followed with an additional filing last month indicating it had shut down global operations for two weeks and that business had resumed normal operations. The financial toll of the attack may reveal itself when the company reports its third quarter financials on Dec. 17.
A form of ransomware called Ryuk is believed to be the culprit of the attack. Ransomware is a type of malware that can infect a system and encrypt files to block access to them. The threat actor then demands a monetary ransom to restore access. Manufacturers are especially sensitive to these types of attacks because they can’t afford to halt production and rely on their systems to maintain continuity.
In the spring, Ryuk caused major disruptions to the city of Durham, N.C., and has also been cited in other high-profile cyber attacks.
“Over the last two years, I’ve had a few organizations reach out to us just to help with (ransomware) remediation — post-breach remediation — and Ryuk was involved in two of those. It’s nasty,” said NuWave Technology Partners LLC CEO Chad Paalman, who is a member of regional and national cybersecurity peer groups. “It gets on your network. Depending on the threat actor group behind it, the demands for ransom are pretty significant. If you don’t have clean backups, you’re forced to pay the ransom, or else.”
NuWave has locations in Grand Rapids, Kalamazoo and Lansing and also provides local support for businesses in Traverse City, St. Joseph, Jackson and Southfield. The company specializes in working with manufacturers, putting Paalman on the frontlines as the industry faces these sophisticated threats.
“I would hope (Steelcase) had enough network segmentation that it only impacted specific areas of the network, and that’s the level of detail I don’t have yet,” Paalman said. “When you go back to cases like the Target Corp. breach … (companies) don’t want to share that stuff. You may never hear the exact details.”
In late 2013, the Minneapolis-based retail giant faced a data breach involving millions of customers’ credit card information, leading the company to make widespread improvements to its cybersecurity platform.
A lesson for the industry
The Steelcase attack is far from an outlier as manufacturers of all sizes face the same types of cybersecurity threats.
In the “2020 State of Encrypted Attacks” report by San Jose, Calif.-based software company ZScaler Inc., health care and finance proved to be the most popular targets for encrypted attacks with manufacturing a not-so-distant third. The industry saw 1 billion encrypted attacks through September 2020, according to the report.
Ransomware is especially potent, and threat actors are upping the ante in terms of ransom. Coveware, a Connecticut-based firm that specializes in combating ransomware, reported that from Q2 to Q3 of 2019, the average ransomware payment increased 13 percent to $41,198 per attack.
In a Deloitte LLP-prepared report called “Cyber Risk in Advanced Manufacturing,” the global firm said manufacturing faces cyber risks of increased complexity as it adopts Industry 4.0 digital practices and solutions such as sensor technology, smart products and internet of things (IoT) strategies.
Many assume hackers are primarily after sensitive information, which might be true for heavily attacked industries such as health care and finance. However, manufacturers that don’t deal with much sensitive information should not feel complacent, experts say.
“We’re seeing a lot more ransomware type attacks,” said Jeff Stefan, attorney with Varnum LLP, who specializes in data privacy and advanced mobility. “They’re not necessarily focused on obtaining sensitive, personal information or financial information for identity theft. But I think there is — unfortunately, because it’s a terrible thing — a lucrative business surrounding locking up systems and demanding ransom in exchange because of how vital certain servers and these systems are to companies.”
Stefan said a robust defense against cyberattacks is a mix between the right technology but also organizational structure that focuses on cybersecurity. This means having one or multiple people — preferably higher ranking employees — who are accountable for cybersecurity.
Stefan also said cyber insurance programs are important for businesses, and the expenses that come with cybersecurity are no longer optional — they’re simply a cost of doing business.
Some industries are given federal standards to follow, but Stefan said those standards should be just part of the equation.
“Regulation with cybersecurity is very tricky,” Stefan said. “You have to strike the right balance between encouraging companies to implement the best practices and doing what they need to do organizationally as well as from a technological standpoint.
“There is a fine line between becoming too prescriptive where you don’t want companies that are spending a lot of money and resources just to comply with the law as opposed to diverting that money to what’s best suited to respond to threats.”
Manufacturers heed warnings
John Waack, director of information technology for Holland-based furniture manufacturer Trendway Corp., said the company has spent time over the last three years restructuring its cybersecurity posture from top to bottom.
Fellowes Brands acquired Trendway in the summer of 2019, and Waack said Trendway has been able to tap into the company’s cybersecurity resources, as well.
In the spirit of educated its employees, Waack and his staff implement a security awareness test and training tool called KnowBe4.
The program simulates phishing attacks on employees — traditionally urging or tricking users to click on an infected link — and customizes training based on how the worker responds to the message.
A few years ago, Waack and his team spotted a ransomware attack before it profoundly affected the company’s system. The event helped prompt the company to reassess its approach to cybersecurity.
“We did a pretty significant review of our system security, our backups, the frequency of our data backups, and things like that,” he said. “We’ve positioned ourselves to be as insulated as possible from a ransomware attack.”
“That’s easier for us than it is for Steelcase in quantities of data,” Waack added. “We’re talking about a couple terabytes of data here, versus Steelcase, which is probably in the petabyte range, a thousand times bigger.”