Cybersecurity Risks In the Age of Smart Manufacturing

September 25, 2018

In the March edition of Cybersecurity CEO, Herjavec Group Founder & CEO, Robert Herjavec, predicted that manufacturing is the new healthcare. Cyber criminals are increasingly targeting the manufacturing and supply chain industries: malware like Cryptolocker has historically proven to do real damage, and upwards of 40% of manufacturing security professionals don’t have a formal security strategy.

Typically, organizations in the financial and healthcare sectors rely on information technology (IT) environments, while organizations in the manufacturing and industrial sectors leverage both operational technology (OT) and IT environments. OT refers to the hardware and software used to control industrial processes and infrastructure. Unlike IT environments, OT networks can directly implement changes to, and control the actions of, physical devices, processes, and events in an enterprise.

The influx of cyber attacks in the manufacturing and industrial sectors has only worsened with the introduction of “Industry 4.0”, also referred to as “smart manufacturing”. This includes the use of IoT (Internet of Things) devices to improve automation processes while keeping reliability, safety, and security top of mind.

As more organizations continue to adopt Industry 4.0, they must also strengthen their security practices to reflect the reliance on the digital sphere. This has proven easier said than done — 59% of respondents to a 2017 Ponemon Institute survey believe there is more risk in the OT than the IT environment, and only 35% of professionals believe that the cybersecurity readiness of their organization’s OT is high.

So, what are the most common security flaws for OT networks?

  • Poor cyber hygiene practices (lack of security training for employees, poor password etiquette, limited patching practices)
  • Lack of network segmentation
  • Lack of proper identity practices, allowing for unrestricted and unnecessary access to OT systems
  • Interconnectivity of OT systems in insecure IT networks
  • Lack of access restriction to and from OT systems, allowing for insecure remote connectivity to take place

Given this list, organizations must have security top of mind for two reasons:

  1. OT systems integrate very well with IT environments, which have a tendency to be attacked regularly
  2. There is an increased prevalence in the use of IoT devices in OT systems. As a result of the increased interconnectivity between OT, IT, and IoT, cyber criminals have a widened attack surface. OT systems can easily be manipulated and compromised through IT and IoT devices. 

We appreciate that enterprises globally are strengthening their security practices. But as Gartner demonstrates, businesses are being outpaced by emerging threats. Gartner predicts that by the end of 2020, only 50% of OT service providers will create key partnerships with IT-centric providers for IoT offerings. This may result not only in financial loss and loss of business continuity, but also in loss of human life.

“As a cybersecurity professional, I often think of the risk to human life caused by a security event or a breach. Industrial control risk has increased in recent years because of our level of interconnectivity,” Robert Herjavec says. 

Organizations need to prioritize security planning when starting any process — in other words, they must be able to build their operational plans with a security-first approach and embrace cybersecurity as part of their design and operations. If the organization does not have a strong enough internal IT team that can handle the complexity of their environment, they should engage a third-party Cybersecurity Operations & Services Provider, equipped to support their assessment, technology implementation, identity services, managed services and incident response needs.

Of course, much of the path to embracing cybersecurity for OT environments relies on having support from C-level executives who are focused on the long-term positive impact of security rather than its short-term cost. 

Technology, true to its nature, doesn’t look back. It is entirely unrealistic to expect the manufacturing and industrial sector to not evolve and adapt in this hyperconnected world. However, as technology evolves, so do the threats. Every day, there is a new breed of ransomware or malware strain that can penetrate your organization’s defences more quickly and effectively, all while remaining unseen. 

Herjavec Group urges organizations looking to mitigate cyber attacks to ask themselves some basic questions:

  • Have we developed a cyber risk management program internally? Are we having conversations about how we identify emerging risks, where responsibility lies for developing cyber policy and maintaining security roadmaps? Are we mapping the outcomes of those discussions back to our risk profile?
  • Are the basic cyber hygiene elements in check? When is the last time we performed a security assessment or patched our systems? Do we have a regular cadence of reviews and audits?
  • What is our level of visibility and detection? Are we logging key assets to a Security Information and Event Management (SIEM) system and are we alerted when unusual activity occurs?
  • Do we have an incident response plan in place? Have we fully vetted our crown jewels and are we clear on who the key contacts are that would participate in the various phases of an incident being escalated? Are we prepared for an emergency?
  • Have we educated our team? Despite all of the connected technology at play in a manufacturing environment, people are still the weakest link. Do we have a cybersecurity awareness program in place? When is the last time we trained our team or performed a social engineering test to measure the effectiveness of that training?
  • What does good look like amongst our industry peers and what can we learn in terms of emerging threats, new technology or best practices that will help us advance our security postures?

While this content is geared specifically towards the manufacturing and industrial sectors, the questions that business leaders need to ask themselves are consistent regardless of industry. Had we inserted legal, education or retail services into the introduction, would you have been surprised? Likely not.

As Robert often says, “The Time Is Now!” It is time to make cybersecurity a priority as you develop policies and design processes going forward. Your team needs to be aware when anomalous activity occurs. It’s not enough to focus on innovation & efficiency, particularly in OT environments. In the age of smart manufacturing, security must be recognized as a business pillar.


About Herjavec Group

Dynamic entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. We have been recognized as one of the world’s most innovative cybersecurity operations leaders, and excel in complex, multi-technology environments. Our service expertise includes Advisory Services, Technology Architecture & Implementation, Identity Services, Managed Security Services and Incident Response. Herjavec Group has offices and Security Operations Centers across the United States, United Kingdom and Canada.