Cyber security is generally high on the IT priority list for most companies, but trends in manufacturing are creating additional areas of risk that need to be more aggressively mitigated.
That was the conclusion of a recent survey and report from MAPI, the Manufacturing Alliance, in partnership with the consultants at Deloitte.
In addition to risk associated with intellectual property (IP), two important trends are adding to cyber risks for manufacturers:
• So-called Industry 4.0 digital manufacturing opportunities and the increased interconnectivity of the industrial ecosystem, offering attackers a wider target to hack.
• Rapid adoption of sensor technology, smart products, and Internet of Things (IoT) strategies, which now create cyber risks for manufacturers outside the four walls of the enterprise or shop floor.
The report and its conclusions are based on 35 interviews with corporate manufacturing or IT executives and survey results from 225 respondents.
Highlights of the survey data include:
• 48% of manufacturing respondents say funding for cyber security is lacking.
• One-third of manufacturers indicate their cybersecurity budgets have either remained flat or decreased over the past three years despite the growing concern posed by cyber risk.
• Manufacturing executives indicate that four of the top ten cyber threats facing their organizations are directly attributable to internal employees. These threats include: phishing/pharming, direct abuse of IT systems, errors/omissions, and use of mobile devices.
• Chief Information Security Officer (CISO) reporting structures vary significantly within manufacturing organizations, as 30% of executives indicate their company's CISO reports directly to the Chief Executive Officer (CEO) while a further 31% report to the Chief Information Officer (CIO), leaving nearly 40% of CISOs reporting to someone else in the organization.
• In 42% of surveyed advanced manufacturing companies, the responsibility for IP protection falls to someone other than the CISO (20%) or the CIO (33%). In fact, 20% of executives indicate IP protection falls under the head of R&D while a further 22% of executives said this responsibility falls to the head of manufacturing.
• Almost one-third of manufacturers have not performed any cyber risk assessments specifically focused on the Industrial Control Systems (ICS) operating on their shop floors, resulting in a potentially significant risk to their operations. Further, nearly two-thirds of companies that have performed an ICS cyber risk assessment used internal resources, potentially introducing organizational bias into the assessment process.
• Half of all advanced manufacturing companies address shop floor related security vulnerabilities through "network segmentation." Further, 43% of manufacturing executives said they isolate their facilities from outside networks (i.e., "air-gapping"). However, although air-gapping is a common approach to ICS security, when companies actually take the next step to test that strategy, they often find the isolation is not real.
• Half of the manufacturing executives surveyed indicate their companies perform targeted vulnerability or penetration tests on their ICS less than one time per month.
• Nearly 40% of manufacturers do not incorporate connected or "smart" products within the company's broader incident response plan, signaling a need for a more holistic approach to cyber risk in this area.
The report also found that many manufacturers are just beginning to assess cyber risks related to key third parties in their broader supply chain networks, such as subcontractors, suppliers, logistics service providers, and other critical business partners.
10 Steps Manufacturers Should Consider to Reduce the Threat
The report offers 10 steps manufacturers can take to reduce their cyber vulnerabilities:
1. Set the tone: The CISO cannot be an army of one. He or she needs to be appropriately supported by the leadership team and management to accomplish key cyber risk objectives for the company.
2. Assess risk broadly: Perform a cyber risk assessment that includes the enterprise, ICS and connected products. If the company has already done one in the last six months, review the scope to confirm it was inclusive of advanced manufacturing cyber risks such as IP protection, ICS, connected products and third-party risks related to industrial ecosystem relationships.
3. Socialize the risk profile: Share the results of the enterprise cyber risk assessment, and recommended strategy and roadmap with executive leadership and the board. Engage in dialogue as a team relative to the business impact of key cyber risks, and discuss how to prioritize resource allocation for the effort.
4. Build security: Evaluate top business investments in emerging manufacturing technologies, IoT, and connected products and confirm whether those projects are harmonized with the cyber risk program.
5. Remember data is an asset: It is important to change the mindset in manufacturing from a transactional mindset to the fact certain data alone may be an asset. This will necessitate a tighter connection between business value associated with data and the strategies used to protect it.
6. Assess third-party risk: Inventory mission critical industrial ecosystem relationships and evaluate strategies to address the third-party cyber risks that may coincide with these relationships.
7. Be vigilant with monitoring: Manufacturers must be rigorous in evaluating, developing, and implementing their cyber threat monitoring capabilities to determine whether and how quickly a breach in key areas of the company would be detected.
8. Always be prepared: Increase organizational resiliency by focusing on incident and breach preparedness through tabletop or war-gaming simulations.
9. Clarify organizational responsibilities: Be crystal clear with the executive leadership team on the organizational ownership responsibilities for key components of the cyber risk program, and make sure there is a clear leader on the team with responsibilities to bring it all together.
10. Drive increased awareness: Last but certainly not least, get employees on board. Ensure they are appropriately aware of their responsibilities to help mitigate cyber risks related to phishing or social engineering, protecting IP and sensitive data, and appropriate escalation paths to report unusual activity or other areas of concern.
The report also interestingly notes some areas of tension and risk between traditional corporate IT and those responsible for "operating technology" such as an ICS in manufacturing. It notes for example that "The organizational mandates between these groups may be perceived as being at odds, with OT often wanting to keep production running at all costs, while IT may need "down time" to deploy upgrades, patches or other cyber remediation activities."
The report then adds that "Starting at the shop floor, IT and OT need to collaborate to strike a balance between managing a company's uptime, productivity and profitability and a company's known critical cyber vulnerabilities."
The report cites an interesting anecdote from one of the in-person interviews, where a manufacturing executive told the following story: "We were building a facility in China five years ago, and they acquired local equipment, cameras to show leadership back at headquarters live progress of construction. They put the live feed on the Internet, but did not realize this rendered it/us as a target. It was hacked. It was brutal."
The Bottom Line from SCDigest: Changing technology such as Industry 4.0 and IoT clearly opens up new sources of cyber security risk for manufacturers. The sort of tight grip the manufacturing side of the house has often had on its operational technology likely needs to be rethought in terms of the measures needed to maintain security in this new world, while who in the organization owns cyber security for connected products appears to be a fluid situation for many firms at present. While a bit long for our tastes, this report outlines a number of steps manufacturers can take to reduce their certainly high vulnerabilities.
The full report is available from the MAPI web site: Cyber Risk in Advanced Manufacturing
What are your perspectives on the cyber threats for manufacturers? How vulnerable are ICSs or smart products? Let us know your thoughts at the Feedback section below.