Study Finds Nearly Half of Critical Manufacturing Organizations at Significant Risk of Breach

Many companies must build cyber resilience and address an increased number of common vulnerabilities and exposures

Almost half of the world’s most important manufacturers have significant work to do in terms of improving cyber resilience and building defenses against cyberattacks, according to a new report.  

SecurityScorecard, a global cybersecurity ratings agency, says 48 percent of critical manufacturing organizations ranked “C,” “D,” or “F” on the agency’s security ratings platform.  

The report analyzes the current state of cyber resilience in the critical infrastructure sectors such as energy, chemical, healthcare, and manufacturing, as designated by the Cybersecurity and Infrastructure Security Agency (CISA). Organizations with an “A” security rating are 7.7 times less likely to sustain a breach than those with an “F” rating 

“Security ratings are a trusted barometer of cyber resilience, and the time is now for policymakers and organizations to make cyber risk measurement mandatory,” said Aleksandr Yampolskiy, co-founder and CEO of SecurityScorecard. “Cyberattacks in the last 10 years have gotten much worse, more complex, and increasingly have targeted critical infrastructure, thereby undermining the public’s trust in the cyber resilience of our global economy.”  

According to the World Economic Forum, only 19 percent of cyber leaders feel confident that their organizations are cyber resilient. SecurityScorecard recently joined the World Economic Forum Global Innovators Community, contributing to WEF’s Centre for Cybersecurity’s initiative to address systemic challenges, improve trust, and build cyber resilience.  

Patching Cadence Falling Amid Escalating Attack Frequency 

Cyber incidents affecting critical infrastructure—once rare—have become far more frequent in recent years. Data from the Federal Bureau of Investigation (FBI) showed that 14 of the 16 sectors considered critical infrastructure by the U.S. government experienced at least one ransomware attack in 2021. 

SecurityScorecard assessed these industries to measure their current state of cyber resilience. It found that critical manufacturing is highly vulnerable based on analysis of all organizations under that category in The Forbes Global 2,000 list. SecurityScorecard considers 10 factors when developing an organization’s security rating. Of those 10, patching cadence at critical manufacturers dropped from a from score of “B” in 2021 to a “C” in 2022. 

The decline in patching is likely due to an increased volume of common vulnerabilities and exposures (CVEs). Critical manufacturing experienced a 38 percent year-over-year increase in high-severity vulnerabilities. In 2022 alone, 76 percent of critical manufacturing organizations have high and medium-severity CVEs. 

Any one of these CVEs could be an open door to hackers and ransomware groups. The study says manufacturers experienced an increase in malware infections from 2021 to 2022. In 2022, 37 percent of critical manufacturing organizations had experienced malware infections. 

According to Yampolskiy , the average cost of a breach is $9.44 million for U.S. organizations.