With its connected equipment, innovative software, and increased reliance on artificial intelligence (AI), machine learning (ML), and the Industrial Internet of Things (IIoT), the manufacturing industry offers cyber criminals many opportunities to hack systems and processes.
In the past, manufacturers tabled cybersecurity for future discussions; however, the industry remains vulnerable to cyberattacks. On average, a single data breach can cost businesses $3.7 million — and experts predict that global cybercrime damages could reach $6 trillion annually by 2021.
Cyberattack Risks Within the Manufacturing Industry
Verizon’s 13th annual Data Breach Investigation Report identified some pretty stark discoveries about cyberattacks within the manufacturing sector:
- 73%: Number of attacks motivated by financial reasons
- 75%: Number of incidents stemming from external forces
- 25% Number of incidents stemming from inside sources
The biggest manufacturing industry cyberattacks between 2007 and 2018 involved global companies like OXO International, Visser Precision, Hanesbrands, Inc., DuPont, FACC AG, Norsk Hydro, Renault-Nissan, and Mondelez. The total cost to these companies topped an estimated $11+ billion in damages.
Human Capital and Talent
A recent Deloitte survey found that of the top ten cyberthreats common within the manufacturing industry, internal employees drive four of them: direct abuse of IT systems, mobile device use, omissions/errors, and phishing/farming.
Mid-size companies often struggle to attract and retain cybersecurity professionals, creating a challenge for developing — and maintaining — adequate measures to prevent cybercriminals from gaining access and causing damage.
Operational Technology (OT) Security
OT and IT technology have become inextricably linked within the manufacturing industry. OT represents the industrial and SCADA software, machinery, plant equipment, and systems manufacturers use to monitor and control their processes and operations.
In a recent survey conducted by TrapX Security in conjunction with Enterprise Strategy Group, 53% of manufacturing cyber and IT professionals indicated their OT technology had vulnerabilities to cyberattacks. As IT and OT environments converge, the tools that manufacturing companies use to safeguard OT assets — the same as those used for protecting IT assets — become less effective.
While OT and IT integrations are becoming accepted best practice, fewer manufacturing companies have IT teams with dedicated OT specialists. With security teams spread thinner as they try to protect more, OT infrastructures are becoming more vulnerable to some type of cyberattack.
Industrial Control Systems (ICS)
The Deloitte survey also learned that only about two thirds of manufacturers have performed cyber risk assessments that focus specifically on their shops’ ICS. The majority of those companies also rely on internal assessments of potential threats — a situation that could introduce intentional or unintentional bias into those assessments.
Of the companies surveyed, half of their executives said they perform ICS penetration or targeted vulnerability tests less than monthly. Many companies also don’t develop, implement, or document ICS-specific policies or SOP.
IIoT’s incredible growth will continue to expand possible areas for attack, especially with the growing interconnection among information technology environments. Cyber threats to Supervisory Control and Data Acquisition (SCADA) and other electronic systems create serious risk of bringing manufacturing to a halt, altering manufacturing processes to introduce potentially dangerous or product destroying defects, disrupting fulfillment and supply chains, or developing unsafe operational environments for workers. Industry 2.0 sets new requirements for safe and effective operation.
Addressing Legacy Systems Vulnerabilities
Because operational technology often involves older, non-updated or upgraded legacy ICS solutions, manufacturers may find themselves with significant security weaknesses. The challenge many companies face, however, is the difficulty of embedding cyber solutions within existing operational technology.
But determining where to start is an issue. Many manufacturers know they’ve got outdated systems controlling integral elements of their operations. As those assets grow older and even more outdated, they become a greater liability.
The New Jersey Manufacturing Extension Program (NJMEP) and the national MEP recommend that manufacturers engage an independent technology gap assessment and cyber posture analysis to discover any current potential and unmitigated risks.
Taking Action: Key Takeaways
With more and more manufacturers embracing digitization — or Industry 2.0 — the sector will remain a high-value target for cybercriminals. Manufacturers face myriad challenges on how to best maintain production output levels while upgrading legacy systems, creating and implementing effective cyber strategies, and finding the professionals equipped to manage these cyber risks.
To start, the leadership of manufacturing companies can:
- Set the tone by giving cybersecurity a seat at the table and prioritizing necessary discussions that identify and define key cyber risk objectives and plan for addressing and mitigating that risk.
- Conduct a broad cyber risk assessment of all manufacturing cyber risks, including connected products, ICS, enterprise and legacy products, IP protection, and third-party risks associated with industrial environment relationships.
- Communicate with and educate the entire workforce about the risk profile, any assessments, key cyber risks, risk tolerance and posture, and potential for business impact. Guide them to understand their own responsibilities with mitigating risks related to phishing and IP/sensitive data, for example.
- Build in security by evaluating and confirming whether business investments in IoT, IIoT, manufacturing technologies, connected products align with the company’s defined cyber risk management strategies.
- Assess third-party risk associated with relationships they have with outside vendors.
As manufacturing leadership recognizes the critical importance of operational technology governance, risk mitigation, compliance with Industry 2.0 best practices, ISOx, SOC2, CMMC, and other compliance mandates, where do they turn?
They can start by looking for external vendors that specialize in industrial information (cyber) security and compliance. CREA United member Scott Kuperman, Director of TeamLogicIT, can help. His team is well-equipped to integrate best technologies, efficient processes, and the safest, effective security measures that protect manufacturing companies from internal and external cyberattacks and keep them operating at peak efficiency.