As you continue to upgrade and automate your systems beware there is a rising threat that could cost you your manufacturing business.
In recent months, the topic of cyber-attacks has found its way into many headlines and become a real threat to South African businesses. These attacks will only increase in frequency and sophistication as technology improves and businesses rely more heavily on it. The cost of cybercrime to businesses is estimated at USD6 trillion annually, according to Cybersecurity Market Report.
Manufacturing is one of the most frequently hacked industries, because of lacklustre investment in cybersecurity, the increasing use of technology and the wealth of this sector. Automotive manufacturing is the top target, which accounts for almost 30% of all cyberattacks in 2015, while chemical manufacturers were the second-favourite targets, according to IBM X-Force Research’s 2016 Cyber Security Intelligence Index.
Cyber-attacks have evolved from targeting computers, networks and smartphones, to people, cars, railways, planes and power grids. As industrial technology advances, manufacturers are increasingly using cloud, data analytics and mobile to improve connectivity and infrastructure. This is giving cyber criminals a larger attack surface to infiltrate.
Manufacturing businesses around the world are gearing up to this increasing threat by increasing their cyber security. The cost of which is estimated to reach USD 1 trillion globally over the next five years, according to a Cybersecurity Ventures report. Only 8% in the MPI Internet of Things Study, sponsored by BDO, said they are very confident in their ability to prevent an IT breach. But what are they really protecting themselves from?
What is cybercrime in the manufacturing industry?
In 2016, the USA experienced the largest Distributed Denial of Service (DDoS) attack. This cyber-attack not only took out technology titans such as Netflix, Twitter and Reddit, but it was the start of malware that could use the Internet of Things (IoT) devices. The same IoT that connects all your machinery together and to your central hub.
Related: 4 Methods to protect your manufacturing business from cyber attackers
In this case, devices such as internet-enabled DVR’s and fridges that had hardcoded default passwords were hacked in vast numbers. This is a vulnerable area, which is often neglected by cybersecurity. This gap in security allowed cyber criminals to use to create an opening for malware.
“The challenge we face is that many of these products are not designed with security in mind,” says Terence Greer-King, director of cybersecurity at Cisco. “Many consumers don’t realise that they are essentially deploying a tiny web-enabled server into their home that could potentially be infiltrated to cause harm.”
Internet of Things vulnerabilities
As you begin your upgrades and implementing Industry 4.0 strategies, you need to be aware of how essential cybersecurity is against protecting your manufacturing business and your end consumers against cyber infiltration.
“Trends such as the Industrial Internet of Things and Industry 4.0, are driving organizations to facilitate more connections between the physical process world and the Internet. This connectivity exposes the previously isolated operational environments to cyber threats,” says Barak Perelman, CEO, Indegy.
Although IoT and the use of seamlessly connected systems and machinery gives your manufacturing business a competitive advantage, by identifying inefficiencies, gaining business insights, if neglected can cause vulnerabilities.
“To reap the benefits of IT/OT integration and the industrial IoT, we continue to connect networks together, networks that operate at multiple levels of trust. We deploy firewalls and encryption thinking that if they are enough to keep us safe on IT networks, they must be sufficient for our OT networks. The challenge come in when you consider that every message might be an attack, whether plain text or encrypted, and the consequences of attacks on manufacturing networks are unacceptable,” says Andrew Ginter, vice president of industrial security at Waterfall Security Solutions.
For example, if a cybercriminal were to tamper with a pasteurisation unit, a manufacturer could produce food products that could make consumers sick. If you’re an automotive manufacturer and a hacker altered your automobile robots, this could cost you a fortune in recalls when the flaw was eventually uncovered. Consider the risk to your consumers who could essentially be putting their lives in your hands when you don’t protect everything from cyber-attack.
Intellectual property theft
21% of manufactures experience loss of intellectual property from cybercrime, according to the 2016 Manufacturing Report from Sikich. The report also reveals that there is a definite rise of attacks in the industry motivated by IP.
With the constant increasing of cybercrime against manufacturers, the FBI estimates that USD400 billion worth of IP leaves the USA annually. Could your business survive even a fraction of that loss year-on-year?
Within the global manufacturing sector there have been countless incidents, over every sector and subsector, of cyber criminals stealing a business’ IP or other confidential information for personal profit. For example ThyssenKrupp, a major supplier of steel to Germany’s automotive sector announced that some of their trade secrets were stolen through a cyberattack.
“Steel mills and other critical infrastructure components are now in the crosshairs of sophisticated and well organised hackers whose goals of malicious disruption are broad and varied,” says Andrea Carcano, founder and chief product officer of Nozomi Networks.
“Stepping up the detection of cyber-attacks of IP theft and, more importantly, the industrial control systems that operate critical infrastructure facilities from manufacturing to energy production will lead cyber-security priorities in 2017.”
Related: Security in the age of digital transformation
Are your employees causing the breaches?
Cyber criminals have increasingly been using social engineering techniques to gain access to your business and access IP. This means the chink in your manufacturing business’ armour could be your workers.
A clever hacker can easily use social media and personal email addresses to bypass typical network defences. They can then send your employee’s malware infected emails posing as a senior staff member.
You can reduce the risk of these types of attacks by educating your employees on basic cybersecurity and what to look out for when opening and responding to emails.
Why manufacturing is particularly vulnerable
More and more of your industrial control systems are being connected to smart devices, enterprise IT systems and the Internet to increase productivity and profitability, you are also increasing opportunities to expose your business to cyberattacks.
Cybercrime can cause the disruption of your manufacturing business along with the possibility of defective products, production downtime, and physical damage, the sale of faulty products. These possibilities bring reputational risk, and the threat to lives both in and outside your business.
At risk manufacturing infrastructure
There are numerous manufacturing businesses that are behind the times when it comes to their cybersecurity. The Sikich report reveals that only 33% of the surveyed manufacturers were performing yearly penetration testing within their IT departments.
The report also revealed that Industrial control systems (ICS) networks are receiving even less attention leaving them potentially unsecure. Because of these lac security measures, manufacturers are leaving themselves vulnerable at multiple points within their networks.
Absence of security measures in your ICS network
ICS also pose a serious threat to the profitability of your manufacturing business. Unlike an IT network, an operational network offers poor or non-existent visibility into ICS, particularly the industrial controllers, which automate industrial processes and manage industrial equipment.
Your industrial controllers, such as PLC’s, RTU’S AND DCS, are specifically industrial computers that only make logic-based decisions to control industrial systems. These systems exist in every industrial environment, and play a critical role in complex systems, for example, power generation, oil transportation, management of electrical and water utilities.
The challenge with ICS networks is that it doesn’t have basic security controls usually found in systems like authentication and encryption. This leaves the system vulnerable as the cybercriminal only needs to breach the network and they gain unfettered access to all controllers. Can you imagine the damage someone could cause with unfettered access to your systems configurations, logic and state?
To protect your ICS network you need to know who is accessing what, when, including access over the network and direct physical access to the device, otherwise it can’t be protected.
Related: The cost of cybercrime rockets
What are the risks to your manufacturing business?
You need to ensure your cyber programme develops along with the advances of your technological strategies. Considering how interconnected your supply chain is becoming, you should consider the cyber security of your product from inception to end user. “Businesses not only need to consider their own internal cyber risk posture, but also their suppliers, outsourcers, service providers, vendors, partners and customers as well, according to Deloitte’s report.
More than nine in ten manufacturers 92% cite cybersecurity concerns this year, up 44% from 2013. 91% also cite operational infrastructure risk, including information systems and implementation of new systems and maintenance, according to the 2016 BDO Manufacturing Riskfactor Report.
“All it takes is one weak link in the security chain for hackers to access and corrupt a product feature, an entire supply chain or a critical piece of infrastructure,” says Shahryar Shaghaghi, National Leader, Technology Advisory Services and Head of International BDO Cybersecurity.
He continues to say that the stakes are too high for your manufacturing business, there is no place for complacency or inattention. Your security can’t be considered an add-on to your products and systems. It’s essential that cybersecurity be built from design to distribution, and monitored with a high property level.
Consider the risk to your manufacturing business if one of your products has performance problems due to cyber infiltration, along with the repercussions from system breaches, vendor issues and equipment failures. 84% of manufacturers report product quality, contamination and recalls this year, up from 79 percent in 2015, according to BDO report. Can you really afford to recall large quantities of your products because you didn’t have strong enough cyber security?
“Awareness in the manufacturing environment is lower than in other industries because business leaders think that if they’re not a nuclear reactor then they won’t be a target,” said Yoni Shohet, CEO and co-founder of SCADAfence. “But recent events, like the attack on the German iron plant, have proven otherwise.”
3 main risks of cyber-attacks you need to be aware of
Apart from the above Shohet also points out what he considers the three main threats facing the manufacturing industry:
1. Operational downtime
Consider if your workers arrive at the beginning of the day, they clock in as usual, but now none of the machinery will work. They can’t login to any of the systems and everything that was in the production line is now damaged or unusable.
The cost of having to write-off multiple days of production, because you won’t solve the infiltration quickly, could cripple your business. Now add to that the fact that anything on your production line, and potentially machines have to also be written off. It could close your manufacturing business down.
2. Manipulating the end-product
Shohet references the Mars and Takata recalls, as examples of this type of risk. Both of these incidents happened as a result of manufacturing error. “If manufacturers miss these types of errors, when a hacker tries to cover their tracks, a malicious manipulation of the manufacturing process will be even harder to detect,” says Shohet.
3. Industrial espionage
The cost of losing intellectual property, industry secrets or being sabotaged by your competitor are all possibilities if you don’t have strong and advanced enough cyber security.
Related: IT security
How can you protect yourself against cyber-attacks?
39% of manufacturers interviewed experienced a cybersecurity breach in the past year. Nearly half of the executives acknowledging that they weren’t filly confident that their manufacturing business was protected from outside threats, according to Cyber Risks in Advanced Manufacturing, a report from the consulting firm Deloitte and the industry association Manufacturers Alliance for Productivity and Innovation (MAPI).
This report continues to state that your manufacturing business is specifically vulnerable to cyber-attacks because of the influx of new and emerging technologies, such as sensors, “smart” products, analytics, and the IoT. Your new technological advances are creating new and complex security risks that you as a manufacturers haven’t ever had to deal with.
Here are some of the studies suggestions for improving your cybersecurity:
- While deploying new and emerging technologies, your team should be creating risk management strategies for enterprise systems.
- Assemble a “cyber risk” team that takes security father than just employing a chief information security officer.
- Cultivate situational awareness and threat intelligence. This will help to identify potential cyber risks to your manufacturing business and how your people are actually making your organisation vulnerable.
- Have an aftermath action plan to help your business return to “business as usual,” as quickly as possible after the incident.
- Implement monitoring mechanisms for your high-risk networks, systems, and data. This will alert you to abnormal activity.
- Perform regular risk assessments on your enterprise systems, industrial control systems and connected products. You should bring in an outside expert to perform this assessment to ensure you receive objective advice and feedback that will incorporate the latest cybersecurity best practices.
- Keep your employees in the loop, and ensure they are aware of their responsibilities for helping to mitigate risks. Remind them to look out for phishing scams and other forms of social engineering, while protecting intellectual property and sensitive data. You should also have a clear and effective procedure in place should your team members wish to report unusual activity or other areas of concern.
Protecting your manufacturing IP
Ensuring the safety of your manufacturing IP is a challenging area, and there isn’t a blanket solution for the entire sector. Traditional security measures are necessary, but are no longer fully effective, which means you’ll need to make a fundamental shift in your cyber security method.
Deloitte recommends applying layered security controls, while considering the risks and threats both externally and internally to the organisation. This approach will assist you with understanding who would cyber-attack your business, and how they would go about do this.
Consider it like a counter-terrorism unit, planning for every eventuality, making note of every vulnerability and putting strategies in place to bolster those areas. Then starting again, constantly checking systems and networks for weaknesses and fixing them.
“The biggest mistake I see routinely is an overemphasis on vulnerabilities in cyber-risk assessments, rather than attacks. The thinking seems to be, “if we can eliminate all vulnerabilities, then we are completely secure.” This quickly evolves into, “quick, patch all the software.” There are many more vulnerabilities in most manufacturing networks than there are known bugs in software,” explains Andrew Ginter, vice president of industrial security at Waterfall Security Solutions.
He continues to say that you, as a manufacturer, need to introduce attack specialists into your risk assessments to test your cyber security against their expertise. “Show them the physical and cyber designs for your manufacturing systems, explain the worst physical consequences, and ask how they would attack your systems to bring about those consequences,” he advises.
“When attack specialists come up against firewalls, they call on their pivot-through-firewall tools. When attack specialists come up against unidirectional gateways, they throw out entire categories of attacks and tools that are no longer feasible through the gateways. To design credible defences, we need to understand what attack tools and techniques our enemies are using,” Ginter advises.