Industry Challenges

Cybersecurity threats to packaging companies

As part of Inside Drinks’ focus this issue on the challenge presented by cyberattacks to packaging producers, Luke Christou sets the scene with a look at the current state of affairs and how the packaging industry is working to ward off attacks.


y 2025, cybercrime is predicted to cost global businesses US$10.5 trillion per year, according to Cybersecurity Ventures, with packaging among those industries most at risk. According to IBM’s ‘X-Force Threat Intelligence Index’, manufacturing was the second most targeted sector in 2020, up from eighth a year earlier.

The threat packaging faces was highlighted last year as two industry leaders fell victim to cyberattacks. In January, WestRock, the second-largest packaging company in the US, suffered a ransomware attack that affected operational systems and impacted production. The incident, combined with disruption caused by severe weather, hit revenue by $189m, with the group having to spend around $20m on recovering its compromised systems.

Then, in May, Ardagh Group suffered a similar attack. While production was able to continue, shipping delays saw the glass & metal packaging leader suffer losses totalling $34m.

“Like all manufacturing sectors, the packaging industry is a particularly soft target for cyberattacks,” says GRC International Group’s systems & security engineer, Adam Seamons.

Despite this, data shows the packaging industry is taking this threat seriously: According to GlobalData, mentions of the term ‘cybersecurity’ in company filings saw a sharp increase in 2021, doubling between Q4 2020 and Q1 2021. As of the second quarter of last year, 0.16% of all sentences in packaging industry filings referenced cybersecurity.

With the threat landscape ever-evolving, though, what is the industry most likely to face in 2022 and how can businesses best protect themselves?

Ransomware 2.0

According to Sophos’ ‘The State of Ransomware in Manufacturing & Production 2021’ report, 36% of manufacturing and production organisations suffered a ransomware attack last year; just under half of these attacks were successful.

“Ransomware is a huge threat to all organisations and the packing sector is no different,” Seamons says. “I have seen first-hand how ransomware has stopped production for weeks, as a small IT team can become easily overwhelmed, scrambling to get their traceability system up and running.”

Over the course of this year, ransomware will continue to be a leading threat, driven in part by businesses’ increasing willingness to meet the demands of cybercriminals. According to GlobalData’s ‘Thematic Research: Cybersecurity’ report, 15% of organisations have paid a ransom to regain access to encrypted data that was crucial to business function.

As cybercriminals evolve their strategies, however, paying the ransom may not be enough for businesses to minimise the damage. Commonly, new ransomware variants are designed to extract data from a compromised system before encrypting it, providing attackers with extra leverage to extort their victims.

“Attacks have gone up in sophistication, with attacks being carried out on the brand reputation of the victim through naming and shaming,” says GlobalData’s principal analyst for thematic research, David Bicknell. “Alternative means are being used to monetise an attack by auctioning exfiltrated data on both the dark and clear webs.”

Naming and shaming or the release of sensitive data to the public can come at a huge cost, with victims suffering from a loss of reputation, trust and subsequently business. Likewise, the sale of stolen data - such as user credentials and intelligence regarding network and systems topology and design - can enable secondary attacks against the organisation, Bicknell says.

Robust cyber defences

While ransomware is tipped to be a sizable threat again in 2022, firms cannot focus on protecting against these attacks alone, according to Coalfire’s UK MD, Andy Barratt: “Successful defence requires vigilance and the ability to respond to a variety of attack styles.”

The packaging industry is particularly vulnerable, given its heavy reliance on connected industrial control systems (ICS), embedded computers, PCLs and SCADA systems throughout the production line and their critical importance to business function.

As well as ransomware, manufacturing businesses could also be targeted by equipment sabotage, GlobalData’s Themes 2022 report suggests, which could prove costly.

“Disruption to systems such as stock control and material allocation can bring production to its knees,” says Seamons. “Consequently, this has an impact on product and batch traceability creating QA nightmares, delays, lost time and customer complaints. These things the industry can ill afford when just-in-time delivery is the norm.”

Yet, according to Deloitte’s ‘Cyber risk in advanced Manufacturing’ report, almost a third of companies have never performed an ICS specific cyber risk assessment.

Supply chain security

Aside from protecting internal systems, increasing connectivity with external supplier systems means businesses must also consider the cybersecurity defences utilised by third-party companies throughout the supply chain.

The European Union Agency for Cybersecurity recently warned of supply chain attacks - where compromised systems belonging to trusted suppliers are used as a gateway into an organisation. Such incidents are thought to have quadrupled in 2021 and are tipped to continue rising.

“Many companies rely on supplier system integration, and remote support for industrial machines and systems,” Seamons explains. “Organisations need to repeatedly ask themselves: Is there any way a supplier has left the door open to our network?”

AI: Enemy or ally?

According to IBM’s annual data breach costs report, the average cost of a data breach in 2021 rose to a high of $4.24m. However, the losses suffered are often far greater. Ardagh Group’s losses, for instance, were eight times larger than IBM’s average.

“In response to the attack, Ardagh has said it will add new protective tools to its cyber defences,” notes Bicknell. “That is just what other packaging companies should be doing - reviewing their technology roadmap to improve the effectiveness of their information security capabilities.”

With social engineering the most common attack vector used by cybercriminals, companies must find a way to educate employees and build cybersecurity hygiene throughout the organisation. However, businesses are also increasingly turning to artificial intelligence (AI) to predict and protect against attacks. According to GlobalData, AI reduces the time it takes to deal with cyber exploits, saving businesses 39,500 hours of labour annually and reducing the average cost of a breach by as much as 73%.

That said, while AI is supporting businesses in defending against cybercrime, it is also being exploited by cybercriminals. AI botnets - a large number of compromised devices used to launch ‘denial of service’ attacks - are already in use. There has also been a number of reports of deepfakes - images, video and audio manipulated using AI - being exploited by cybercriminals to convince businesses to hand over money.

“The payload – often ransomware and data theft – will always grab the headlines but less-well documented is the huge range of attack and vulnerability combinations, or ‘kill chains’, that hackers leverage to achieve these outcomes,” Barratt says.

Today’s businesses are tasked with defending what GlobalData describes as a “spaghetti-like array of assets”, including traditional infrastructure, ICS, IoT devices, cloud services and more. To do so, they must take steps to understand the landscape they are defending, improve cyber-hygiene throughout the supply chain, and be resilient, vigilant and thorough.

Not just in responding to threats, but also protecting against them.