The 2019 Data Breach Investigations Report by Verizon found that 86% of cyberattacks in manufacturing are targeted — 53% of attacks are initiated to achieve financial gain and 47% of attacks aim to achieve industrial espionage.
If breached, company data can be ransomed by hackers for a hefty fee, sold to competitors or used to target other suppliers and partners.
Do you remember WannaCry? In 2018, this computer virus plagued thousands of businesses across more than 70 countries, including manufacturing firms like Boeing and Honda. With systems down, companies were forced to halt production and allocate time and money toward damage repair. The bottom line: a lower profit margin.
And, with the installation of back doors — undetectable entry points created by the virus within the network — companies today are still unsure whether their customers’ and business’s confidential data are truly safe from a second wave of attack.
Cybersecurity concerns linked to connected devices
According to a study by Capgemini, “manufacturers predict 47% of all their products will be smart, connected and capable of generating product-as-a-service revenue by 2020”. Benefits include better inventory tracking, reduced errors, predictive maintenance, asset management, enhanced employee and customer experiences, and fraud prevention.
While this is an exciting development for the digital factory and businesses pursuing Industry 4.0, with greater connectivity comes greater risk.
Connected devices are vulnerable to third-party hackers and can become easy network entry points for viruses to cause further damage. IBM’s Cost of a Data Breach Report found that the average cost of a breach to medium and large businesses was $3.92 million in 2019. But aside from the financial risk, and perhaps even worse, the loss of control of computer systems that run heavy machinery could prove dangerous to workers.
Is it worth the gamble? About 93% of executives seem to think so, according to a 2019 survey by PwC. But 41% of business decision-makers state in the Insight 2020 Technology Report: IT Trends for Midmarket and Small Business that ensuring security of data in dispersed environments is still a top concern. In order to continue embracing technological advancements to keep up with the competition, increase production, reduce risk and cut costs, manufacturers need to learn how to create adaptive solutions that secure logistics, supply chains, machinery and other aspects of operations.
Finding the right balance is possible — you just need to know what to look for.
Types of cyberattacks in manufacturing
Phishing: These emails or documents may seem like they’re coming from a reliable source, but their true intent is to collect confidential information from employees. In 2018, Chubb Index found that 50% of manufacturing losses were a result of targeted spear phishing.
Supply chain attacks: In today’s connected landscape, data is commonly shared at every phase of the operational process. Complex chains involve data exchanges between suppliers, partners and vendors, which may lead to network vulnerability.
Malware: Nearly 75% of manufacturers operate legacy systems that are unable to support protocols designed to combat modern cyberthreats. Legacy technology is more likely to be susceptible to malware — malicious software such as viruses, trojans or worms.
Alerts: Anytime a new communication path is established, or an existing communication path is altered, there should be an alarm system in place to notify your company’s security team.
Devices and apps: Your teams are encouraged to collaborate throughout the design and production phases. Ensure they can do so securely by hardening devices and monitoring company tools for performance, core functionality and security. Updating your anti-virus software regularly will help keep threats from catching your systems off guard and unprotected. And encrypting data on apps and software used to input customer data and design models will prevent confidential files from being easily stolen or replicated.
Firewalls: A Security Information and Event Management (SIEM) solution coupled with an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) will leverage firewalls to monitor the entire network for irregularities.
Action plan: Having an incident response plan in place can help prevent threat escalation. This plan will most likely include detection, classification, investigation, diagnosis, resolution and recovery.
Buddy up: You may consider leveraging the expertise and resources of a partner. This partner may be able to provide a cybersecurity assessment with guidance tailored to your business’s specific needs.
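As an added illustration of the "Alerts" item above (not code from the original article), the following check compares observed network flows against an approved baseline and flags paths that are new or altered. The host names, ports and flow records are constructed for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

# Constructed baseline: communication paths approved for a small plant network.
BASELINE = {
    Flow("hmi-01", "plc-01", "tcp", 502),       # Modbus/TCP from HMI to PLC
    Flow("historian", "plc-01", "tcp", 502),
    Flow("eng-ws", "plc-01", "tcp", 44818),     # EtherNet/IP from engineering workstation
}

# Constructed observations, e.g. parsed from firewall or flow-export records.
OBSERVED = [
    Flow("hmi-01", "plc-01", "tcp", 502),       # approved path
    Flow("hmi-01", "plc-01", "tcp", 22),        # approved endpoints, different service
    Flow("laptop-77", "plc-01", "tcp", 502),    # endpoints never approved together
    Flow("laptop-77", "plc-01", "tcp", 502),    # repeat of the same unapproved path
]

def classify(flow, baseline):
    """Return 'known', 'altered' (approved endpoints, changed service) or 'new'."""
    if flow in baseline:
        return "known"
    approved_pairs = {(b.src, b.dst) for b in baseline}
    if (flow.src, flow.dst) in approved_pairs:
        return "altered"
    return "new"

def alerts(observed, baseline):
    """Yield one alert per distinct unapproved path, in order of first sighting."""
    seen = set()
    out = []
    for flow in observed:
        kind = classify(flow, baseline)
        if kind == "known" or flow in seen:
            continue  # approved, or already alerted on this exact path
        seen.add(flow)
        out.append((kind, flow))
    return out

if __name__ == "__main__":
    for kind, flow in alerts(OBSERVED, BASELINE):
        print(f"ALERT {kind.upper()} path: "
              f"{flow.src} -> {flow.dst} {flow.proto}/{flow.port}")
```
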
Is blockchain an option?
A blockchain is a Distributed Ledger Technology (DLT) that brings transparency, security and efficiency to processes and information sharing. Manufacturing Industry Specialist for Digital Innovation at Insight, Kim Knickle, states that top uses for blockchain in manufacturing are: information sharing and management of digital assets, as well as asset or inventory tracking and provenance.
In these instances, blockchain ensures teammates are able to access the latest, most accurate digital records, product manuals and authorizations necessary to execute processes, such as additive manufacturing. It can also be useful in tracking the location and owner associated with a digital file.
Don’t forget to meet compliance expectations.
Certain regulations have been created by the U.S. government in an effort to improve information security. Failure to comply may result in a costly breach, as well as additional legal fines. Examples of cybersecurity regulations and frameworks that may impact manufacturing businesses include:
- ISO 27000 Family: Used to assess a business’s cybersecurity practice and improve it through security controls
- ISO 31000 Family: Used to govern principles of implementation and risk management
- CIS Controls: Protects organizational assets and data collected through the Internet of Things (IoT) from known cyberattack vectors
- PCI-DSS: Reduces fraud and should be used by companies taking project order payments via credit card
Training should also be an ongoing process.
In any business, your security strategy is only as strong as your weakest link — or uneducated employee. This means training everyone from floor workers and supervisors to administrators and Chief Executive Officers (CEOs) about the risks of an online threat. This could include lessons about reporting suspicious emails, using proper authentication methods to log in to company devices, only accessing company-approved websites, shutting off mobile devices when they’re left unattended and more.
Success will come more easily to businesses that create a culture that champions production cybersecurity. Therefore, training should be conducted both during onboarding and regularly throughout employment.