7 Key Measures of an Insider Threat Program for the Manufacturing Industry


The increasing digitalization and interconnectivity of the manufacturing industry has fundamentally changed how this sector operates. With automation, remote diagnostics, and connections to the internet, manufacturers have faced a growing number of cybersecurity challenges, including insider risks.

Insider threat prevention deserves special attention, as stealthy perpetrators bypass cybersecurity from a place of trust while stealing trade secrets, sabotaging the manufacturing process, and damaging equipment via remote access.

Read this blog post to learn about cybersecurity for the manufacturing industry, including the types of insiders the industry faces. The article showcases examples of insider attacks and outlines seven key measures of an insider threat management program for manufacturing that can help protect your business.

The rise of insider threats in manufacturing

Manufacturing has recently become the most attacked industry, suffering 23% of all cyber attacks.

For the first time in five years, manufacturing outpaced finance and insurance in the number of cyberattacks levied against these industries, extending global supply chain woes. — Quote from IBM’s X-Force Threat Intelligence Index 2022

Among all cyber threats, insiders require special attention as their activity is extremely difficult to detect. This explains the 44% increase in insider threat incidents over the past two years.

What is the state of cybersecurity in manufacturing?

The statistics we mentioned support the need for constantly enhancing the cybersecurity of manufacturing infrastructure, especially considering the specifics of the industry.

Cybersecurity specifics of the manufacturing industry

The attack surface available to cybercriminals in the manufacturing industry is expanded by the following factors:

Convergence of OT and IIoT. Also known as Industry 4.0, the Industrial Internet of Things (IIoT) involves the use of smart sensors, actuators, software, and other technologies to enhance manufacturing processes. Operational technology (OT), in turn, constitutes hardware and software for controlling and monitoring physical equipment, processes, and events at production facilities.

The convergence of IIoT, OT, and IT systems exposes manufacturing processes to the internet. This presents more attack possibilities to cybercriminals, since security measures and protocols in OT and IIoT are still poorly developed. Considering that the manufacturing industry will account for over 70% of all IoT connections by 2024, securing these connections must be a priority in the coming years.

Increased teleworking activities. Forty-seven percent of employees in the manufacturing and industrial engineering sectors work from home, which has mainly been a response to the COVID-19 pandemic.

Telecommuters are harder to control and monitor in terms of security. Remote workers may also connect to manufacturing IT systems from unprotected personal devices or via public networks.

Supply chain interactions. The supply chain is another source of cyber threats and insider activity. According to NIST, up to 80% of cyber attacks begin due to supply chain security issues.

Interconnectedness with partners, vendors, suppliers, and other third parties may compromise the security of other supply chain members and cause operational disruptions even if a single entity is affected. The COVID-19 pandemic has shown how vulnerable the manufacturing industry is to supply chain disruptions.

To sum up, the expanded attack surface in the manufacturing industry results in:

Lack of visibility. It might be challenging to identify all devices and network connections taking part in the production process. This creates a problem of choosing the right cybersecurity controls and threat detection mechanisms.

More vulnerabilities. Lack of visibility and control leads to more assets being susceptible to cyber threats. Unprotected operational technology, IIoT devices, remote work connections, and numerous supply chain entities can be used as entry points by hackers and malicious insiders.

Heightened risks. All of the above results in a higher probability of cybersecurity events and other unwanted consequences for manufacturers. Consequences are also amplified — a single security incident may endanger valuable intellectual property and even human lives.

What are the risks?

To better understand what’s at stake, let’s take a closer look at the consequences of insider activity in manufacturing:

Major consequences of insider activity in the manufacturing industry

Operational disruptions. Malicious actors may sabotage production and cause major manufacturing process disruptions and system breakdowns.

Financial losses. Incidents caused by malicious insiders frequently go hand in hand with revenue loss and compliance fines. Interruptions of business operations may also result in additional fines for violating terms of service-level agreements with supply chain partners.

Reputational damage. Data breaches often lead to damage to a brand’s image and loss of reputation among partners, customers, and investors.

Harm to human health. Cybersecurity incidents at hazardous production facilities may cause equipment breakdowns that lead to injuries or even casualties. The famous Stuxnet attack on the uranium enrichment plant in Iran almost led to a nuclear catastrophe.

Critical data loss. Insiders who have access to sensitive data may perform fraud or data theft, or may damage important information.

What data is at risk in the manufacturing industry?

Manufacturers have an abundance of sensitive data from a variety of internal and external sources, manufacturing and production technologies, and an ecosystem of suppliers, vendors, partners, and customers.

That said, here are the data types that are most at risk in the manufacturing industry:

Data at risk in the manufacturing industry

Financial data. All financial information about a manufacturing company may become a point of interest for a company’s competitors. Financial data can help competitors make better deals with a company’s partners and customers.

Intellectual property (IP). IP theft is one of the biggest cybersecurity threats in the industry, and most data breaches in manufacturing relate to IP. A manufacturing company’s IP has many facets, including information on research and development, engineering, manufacturing operations, and trade secrets.

Customer and employee data. Insiders may help competitors steal business from a manufacturing company by selling them valuable customer profile and transaction data. Sensitive customer and employee data may also be compromised to undermine a company’s reputation and make the company pay extensive fines to authorities that regulate data privacy.

What insiders are there in the manufacturing industry?

Now that we know what data must be protected the most, let’s try to figure out who it must be protected from in your organization. A manufacturing company may consider the following types of insiders:

Types of insiders in the manufacturing industry

Inadvertent insiders are employees who harm an organization through unintentional misuse of information, installation of unapproved applications, and neglect of recommended cybersecurity measures. This type of insider accounts for 56% of all insider-related incidents according to the 2022 Cost of Insider Threats Global Report by the Ponemon Institute.

Malicious insiders are employees who use their authorized access to an organization’s assets to perform malicious activity for personal gain. These insiders are difficult to identify, as they act as regular employees and execute ordinary work tasks alongside malicious activity.

Inside agents are malicious insiders hired by external parties to perform industrial espionage on the company, exfiltrate data, or damage critical systems and information. Inside agents can be persuaded to cooperate with bribes or blackmail.

Third parties are partners, suppliers, vendors, or other supply chain entities with access to corporate IT infrastructure. They may compromise the company’s data or systems by neglecting security measures, misusing data, or intentionally performing malicious actions.

Disgruntled employees are former or departing employees who may want to take revenge on their employer by deleting data or causing harm to IT systems or manufacturing equipment.

What IT regulations must manufacturing companies comply with?

Governments and international cybersecurity organizations establish standards, laws, and regulations to protect organizations and their customers from cybersecurity incidents.

To secure sensitive data and avoid extensive fines for non-compliance, companies operating in the manufacturing industry comply with industry and local cybersecurity compliance requirements. The most common are the following:

Image - Cybersecurity standards, laws, and regulations for the manufacturing industry

While it’s important to meet and constantly monitor the requirements of these standards, laws, and regulations, mere compliance is not enough. Ensuring the reliable cybersecurity of a manufacturing organization requires you to manage all security risks and employ corresponding cybersecurity solutions.

Now let’s consider a few cybersecurity incidents in the manufacturing industry that demonstrate how such incidents usually happen.

Data breaches in manufacturing: 4 real-life cases

Manufacturing businesses face substantial risks of data breaches and other consequences resulting from insider attacks. That said, here are four cases that perfectly illustrate the increasing danger behind insider threats in the manufacturing industry:

1. General Electric

In this notorious insider threat case, a General Electric (GE) engineer stole valuable proprietary information and trade secrets for eight years until he was detected. A malicious employee exfiltrated more than 8,000 confidential documents from GE’s systems. An FBI investigation detailed that the engineer exploited his trusted position to convince an IT administrator to allow him access to sensitive data, which the engineer emailed to a co-conspirator.

This engineer established a new business with the IP he stole, containing advanced computer models for calibrating power plant turbines. Once GE realized they were losing bids to a former employee, they reported the incident to the FBI, which led to the conviction of the engineer and his partner and an obligation to pay $1.4 million to GE.

2. KB Pivdenne

KB Pivdenne is a strategically important design bureau and the main enterprise of the Ukrainian space industry, ensuring the creation and operation of rocket and space technology. What happened there is an example of state-level espionage. Investigators claim that a KB Pivdenne engineer could have sent information about the development of Ukrainian missile systems to the Russian special services.

As a first category engineer, the malicious insider had access to classified state secrets. In the middle of the Russian-Ukrainian war, the engineer received a message from the Russian FSB offering cooperation. The very next day, the collaborator sent the requested information. According to investigators, the insider has been regularly sending KB Pivdenne’s developments to the FSB.

3. Georgia-Pacific

Georgia-Pacific, a paper manufacturer, experienced yet another cybersecurity incident that is a good example of an insider-induced disruption of the manufacturing process. The company’s former system administrator wanted to get revenge after being fired and managed to cause $1.1 million worth of damage.

The employee retained access to the company’s systems and hacked into an industrial computer from home. Then the malicious ex-worker installed his own software and altered industrial control systems, leading to a series of operational disruptions and missed deadlines.

4. Tesla

In September 2020, a Nevada court charged a Russian national with conspiracy to deliberately damage a secured computer. According to the court, the perpetrator tried to recruit an employee of Tesla Gigafactory Nevada. The threat actor and his associates offered the Tesla employee $1 million to “transmit malware” onto Tesla’s network via email or USB drive to “exfiltrate data from the network.” Fortunately, Tesla detected the incident before any damage could occur.

However, that wasn’t the first time Tesla encountered an insider threat. In June 2018, CEO Elon Musk sent a company-wide email informing employees that one of the company’s staff members had “conducted quite extensive and damaging sabotage to [Tesla’s] operations.”

With state-sponsored cybercrime organizations inciting chaos at a global level, we may see additional attempts to infiltrate businesses. Consequently, it’s vital to perform background checks on recruits and ascertain an ample degree of internal security.

Read on to receive more cybersecurity advice on how to secure your manufacturing organization.

7 key measures of an insider threat program for the manufacturing sector

In one of our previous posts, we underlined the importance of an insider threat program. Companies in the manufacturing industry can also benefit from building such a program to identify, prevent, and minimize insider risks.

Consider the following features of an insider threat protection program for manufacturing:

Image - 7 key measures of an insider threat program in manufacturing

1. Identification of key assets

The pillar of an insider threat program is identifying assets the organization considers sensitive. Identifying your company’s key assets allows the organization to take suitable protective measures and precisely respond to threats.

Assets can be both physical and virtual, including financial data, customer and employee information, and intellectual property such as technology secrets, prototypes, and production processes.

Key assets are unique to each manufacturing company, and the following questions can help you determine which are critical to your organization:

Image - Questions for identifying your company’s key assets

2. Risk assessment

An insider threat risk assessment can help you detect possible risks your assets are exposed to and get an accurate representation of a company’s cybersecurity state.

The risk assessment process generally consists of the following steps:

Image - Steps of an insider threat risk assessment

After assessing the risks, consider promptly communicating the results to the company’s cybersecurity team and management. It’s also best to make these results available to all department heads, as this will help them minimize the number of unintentional insider incidents and increase employees’ risk awareness.

Consider reassessing the risks regularly, as cyber threats advance over time and cybersecurity requires constant development.

3. Insider threat risk minimization

Once the assessment stage concludes, manufacturing companies define the cybersecurity system’s weak points that bad actors could use to compromise their sensitive information.

The next step is completing the insider threat program with measures and cybersecurity solutions to prevent insider activity and data breaches when working with employees and contractors.

Here are the measures manufacturing companies can follow to lessen the risks of insider threat incidents:

  • Conduct a comprehensive background check for each employee and contractor
  • Manage and limit access to critical assets by applying the principle of least privilege
  • Verify user identities according to a zero trust approach by using multi-factor authentication
  • Revoke access for former employees and contractors after your collaboration ends
  • Ensure employees follow the company’s cybersecurity policies

…principles related to a zero trust approach — to include implementation of MFA and the principle of least privilege — have the potential to decrease organizations’ susceptibility to the top attack types… — a quote from IBM’s X-Force Threat Intelligence Index 2022
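One way to operationalize the access-revocation item in the list above, as an added example that is not Ekran System's code: reconcile an HR export of termination dates against each system's account inventory and flag accounts that are still enabled, or were used, after the leaver's last day (the Georgia-Pacific case above is exactly a retained account used from home). The record shapes, system names and sample records are assumed and constructed for illustration.

```python
"""Offboarding reconciliation: find accounts that should already be revoked.

Added example, not Ekran System code. The record shapes (an HR export of
termination dates and a per-system account inventory) are assumed for
illustration, and the sample records below are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    system: str                     # e.g. "ad", "vpn", "ics-jumphost"
    username: str
    enabled: bool
    last_login: Optional[datetime]  # None if the account has never logged in


@dataclass(frozen=True)
class Finding:
    username: str
    system: str
    issue: str   # "still_enabled" or "login_after_termination"


def find_retained_access(terminations: Dict[str, date],
                         accounts: List[Account],
                         as_of: date) -> List[Finding]:
    """One finding per account of a person whose termination date has passed
    and whose account is still enabled, or was used after that date."""
    findings = []
    for acct in accounts:
        term = terminations.get(acct.username)
        if term is None or term > as_of:      # still employed, or a future leaver
            continue
        if acct.enabled:
            findings.append(Finding(acct.username, acct.system, "still_enabled"))
        if acct.last_login is not None and acct.last_login.date() > term:
            findings.append(Finding(acct.username, acct.system,
                                    "login_after_termination"))
    return sorted(findings, key=lambda f: (f.username, f.system, f.issue))


# Constructed sample: two leavers in the HR export, one current employee.
SAMPLE_TERMINATIONS = {"jsmith": date(2022, 3, 1), "adoe": date(2022, 6, 15)}
SAMPLE_ACCOUNTS = [
    Account("ad", "jsmith", False, datetime(2022, 2, 28, 17, 5)),          # revoked correctly
    Account("ics-jumphost", "jsmith", True, datetime(2022, 3, 10, 22, 41)),  # missed, and used
    Account("vpn", "adoe", True, None),                                    # missed, unused so far
    Account("ad", "bwong", True, datetime(2022, 6, 30, 9, 0)),              # current employee
]
SAMPLE_AS_OF = date(2022, 7, 1)


def sample_findings() -> List[Finding]:
    return find_retained_access(SAMPLE_TERMINATIONS, SAMPLE_ACCOUNTS, SAMPLE_AS_OF)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.username:8} {f.system:14} {f.issue}")
```

Running this regularly against every system that has its own account store (directory, VPN, OT jump hosts) catches the revocations that a directory-only offboarding checklist misses.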

4. Implementation of insider threat detection software

The most effective way to detect and prevent insider attacks is to monitor employees and log all data about users’ access and actions. Most insider threat protection solutions have user activity monitoring capabilities allowing them to detect early signs of insider activity.

When faced with a security incident, an insider threat detection system can provide your organization with information about who accessed critical assets and which actions a user executed.

Depending on which insider threat detection software a company uses, there may be different features available. To ensure reliable cybersecurity for your manufacturing company, an insider threat detection system should provide you with the following functionality:

  • Monitoring and logging to record all user activity data
  • Authentication and authorization capabilities to control and limit users’ access to critical data
  • Incident detection and response mechanisms
  • User and entity behavior analytics (UEBA)
  • Reporting and forensic investigation capabilities
  • Customizability to meet the manufacturing industry’s specific needs
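To show what the monitoring, alerting and UEBA items above look like as detection logic, here is an added example (not Ekran System code) that runs three rules over constructed session-log lines: a per-user baseline on documents opened per day (the pattern behind the GE case), removable-media insertion on an endpoint (the Tesla case), and after-hours activity on OT hosts (the Georgia-Pacific case). The log format, the OT host list and the thresholds are assumptions.

```python
"""Three insider-activity rules over constructed user session logs.

Added example, not Ekran System code: the log format, OT host list,
thresholds and the sample lines are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

OT_HOSTS = {"plc-jump-01", "hmi-line-3"}  # assumed inventory of OT/ICS hosts
BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 counts as normal hours
MIN_BULK = 5                              # never alert on tiny absolute counts

# Constructed sample, one event per line: "timestamp user host event detail".
SAMPLE_LOG = """\
2022-03-01T09:12:00 jsmith eng-ws-17 file_access turbine/models/calib_v1.dat
2022-03-01T10:40:00 jsmith eng-ws-17 file_access turbine/models/calib_v2.dat
2022-03-02T09:05:00 jsmith eng-ws-17 file_access turbine/specs/blade.pdf
2022-03-03T11:30:00 jsmith eng-ws-17 file_access turbine/specs/nozzle.pdf
2022-03-04T21:02:00 jsmith eng-ws-17 file_access turbine/models/calib_v1.dat
2022-03-04T21:03:00 jsmith eng-ws-17 file_access turbine/models/calib_v2.dat
2022-03-04T21:04:00 jsmith eng-ws-17 file_access turbine/models/calib_v3.dat
2022-03-04T21:05:00 jsmith eng-ws-17 file_access turbine/specs/blade.pdf
2022-03-04T21:06:00 jsmith eng-ws-17 file_access turbine/specs/nozzle.pdf
2022-03-04T21:30:00 jsmith eng-ws-17 usb_insert label=removable
2022-03-04T14:00:00 bwong plc-jump-01 login src=vpn
2022-03-05T23:10:00 bwong plc-jump-01 login src=vpn
"""


def parse(log: str) -> List[Dict[str, object]]:
    events = []
    for line in log.splitlines():
        ts, user, host, event, detail = line.split(" ", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "event": event, "detail": detail})
    return events


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (rule, user, when) alerts, sorted for stable output."""
    alerts = []
    per_day = defaultdict(lambda: defaultdict(int))  # user -> day -> files opened
    for e in events:
        if e["event"] == "file_access":
            per_day[e["user"]][e["ts"].date().isoformat()] += 1
        elif e["event"] == "usb_insert":          # removable media on an endpoint
            alerts.append(("usb_insert", e["user"], e["ts"].isoformat()))
        if e["host"] in OT_HOSTS and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("after_hours_ot", e["user"], e["ts"].isoformat()))
    # Baseline rule: a day is anomalous when its count is more than three
    # standard deviations above the user's own mean over their other days.
    for user, days in per_day.items():
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            if not others or count < MIN_BULK:
                continue
            if count > mean(others) + 3 * pstdev(others):
                alerts.append(("bulk_access", user, day))
    return sorted(alerts)


def sample_alerts() -> List[Tuple[str, str, str]]:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, when in sample_alerts():
        print(f"{rule:15} {user:8} {when}")
```

The 14:00 OT login in the sample is deliberately not flagged: the value of a baseline-style rule is that it stays quiet on the same action performed in an ordinary context.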

5. Incident response planning

Make sure your cybersecurity team thinks through common insider attack scenarios and how they can act promptly in the face of a cyber threat. Develop an incident response plan (IRP) that is practical, realistic, and easy to implement.

Consider including the following components in your IRP:

Image - Key components of an incident response plan

You can refer to a Security Incident Handling Guide developed by NIST and use it as the foundation of an incident response program for your company.

6. Incident investigation

Planning your company’s procedures for investigating cybersecurity incidents is an important part of insider threat management.

Incident investigation typically consists of the following actions:

  • Collecting evidence and facts about the incident
  • Evaluating the harm the incident caused
  • Exporting digital evidence in a secured format for forensic activities
  • Reporting on the incident to superior officers and regulatory authorities

You should be able to identify the scope of the incident and its consequences once the investigation concludes. With the help of this data, you can then create a thorough remediation plan, including any adjustments to be made to your cybersecurity and insider threat program.

7. Insider threat awareness training for employees

Consider increasing your personnel’s knowledge of cybersecurity risks and alertness to insider threats by regularly conducting dedicated insider threat awareness training courses. The contents of a course will depend on the security risks, tools, and approaches of a particular manufacturing organization.

Efficient insider threat awareness training includes:

Image - Contents of insider threat awareness training

The last step of insider threat awareness training is determining its effectiveness via interviews, tests, or insider attack simulations to observe how your employees respond.

Fight insider risks in manufacturing with Ekran System

Ekran System is a full-cycle insider risk management software specifically designed to deter, detect, and disrupt insider threats. Ekran System has the required features of insider threat monitoring tools for manufacturing.

Image - Ekran System for insider risk management

Ekran System’s extensive feature set can help your manufacturing company secure its critical data and IT systems from insider threats by allowing you to:

  • Monitor activity of employees, privileged users, and third parties accessing your IT infrastructure, including connections of remote workers. Ekran System’s user activity monitoring (UAM) functionality allows you to watch live and recorded user sessions and notice signs of IP theft and other malicious activities.
  • Record activity of all users in your network. With Ekran System session recording software, you can look through video records via a user-friendly YouTube-like player. Recorded video sessions are coupled with useful metadata, allowing you to search by opened applications, visited websites, typed words, and more.
  • Manage access rights of users in your infrastructure. With Ekran System’s privileged access management (PAM), you can secure access to critical manufacturing data and systems by granularly managing rights of all privileged and regular users. Ekran System can also help you automate and secure password management in your company.
  • Verify user identities with the help of two-factor authentication (2FA), ensuring that unauthorized users won’t access sensitive data. Additionally, secondary authentication functionality in Ekran System can help you identify users of shared accounts, increasing their security and accountability.
  • Manage USB devices. You can use Ekran System’s USB device management functionality to monitor and control USB devices. You can also configure the system to automatically block all or specified devices inserted into a protected endpoint.
  • Detect and respond to incidents in a timely manner by configuring alerts based on multiple parameters such as visited websites, typed keystrokes, and executed commands. When an alert is triggered, your cybersecurity team gets notified about a suspicious event and can choose to stop the active application, block the user’s session, or send the user a warning message. The system can alternatively be set to respond automatically.

Incident response in Ekran System is additionally enhanced with an AI-based user and entity behavior analytics module. UEBA automatically detects and notifies about suspicious user activity that deviates from baseline behavior.

  • Investigate an incident if one has occurred. A set of customizable reports in Ekran System allows for extracting information about user activity in various formats depending on the purpose. You can also export a recorded user session in full or in part in a standalone secured file format for investigation and forensic analysis.

In addition to preventing insider threats, Ekran System may help your organization ensure compliance with requirements of many cybersecurity standards, laws, and regulations such as the GDPR, NIST 800-53, SOX, PCI DSS, ISO/IEC 27001, and others.

To see how Ekran System helped one of our customers in the manufacturing sector, read the following case study:

Ginegar Secures Third-Party Access and User Activity with Ekran System [PDF]


The manufacturing industry was the most attacked industry in 2021, and manufacturing businesses worldwide need effective cybersecurity protection. The expanded attack surface of the modern production sector results in poor visibility, more vulnerabilities, and heightened risks.

To secure intellectual property and prevent the undesirable financial and reputational consequences of insider threats, consider including measures from this blog post in your company’s insider threat protection program.

Try Ekran System’s free 30-day trial now to see for yourself!


