Cloud technology and the use of IoT devices are transforming the manufacturing sector. Always faced with the challenge of innovating to become more efficient and improve quality, manufacturers have seen the benefits of new technology and are rapidly embracing them. However, the pace of change is raising concerns about exposure to cybercrime. As specialists in developing process, manufacturers need to embed cybersecurity into their deployments of these new technologies, otherwise they risk significant threats to their operations.
In contrast to the financial sector, which has formally recognized cybersecurity as an operating and business risk, the manufacturing sector has been slow to fully appreciate the significance of the threat. This is illustrated by a 2019 Sikich report on the manufacturing and distribution industry. While 74% of larger companies reported being “extremely or very confident” in their cybersecurity measures, the number reporting actual implementation of fundamental cybersecurity activities like security audits, staffing, and testing fell sharply. And, most telling, some 50% of companies reported suffering a data breach, despite their confidence in their cybersecurity. This divide suggests a disconnect between the executive suite and day-to-day operations.
Some of this lack of clarity may be related to regulation. Again, to draw a comparison to financial sector which is highly regulated and audited on enterprise risk and IT general controls, industry oversight of this kind is not nearly as common in the manufacturing sector when it comes to cybersecurity. Changes are slowly coming with respect to IIoT (the Industrial Internet of Things) device regulation and forward-thinking business partners are now incorporating cybersecurity requirements into contractual agreements, but many important elements of cyber risk management are left to the discretion of the individual manufacturer.
The report went on to paint a stark contrast between the maturity of cybersecurity programs at larger vs. smaller manufacturing concerns. From recruitment to training, from testing to audit, smaller industries reported being dramatically less equipped and prepared for cybersecurity incidents. Since smaller companies may be quicker or more nimble in their adoption of new technology – and they are reportedly the least equipped to react to the cybersecurity threats that the new tech is introducing – this is a particularly alarming.
Aggravating the situation is the lack of skilled resources.
All industries are facing challenges in attracting and retaining top cybersecurity professionals, but the manufacturing sector is often not the first choice for technical people, who are gravitating more and more to financial and consulting firms. Due to the specialized or proprietary nature of some of their equipment and operations, manufacturers’ digital systems can also provide unique cybersecurity exposures, making it even more challenging to find resources.
This bring us back to the advent of new technologies. Companies large and small are aggressively exploring cloud technology to bring efficient to supply chain management, procurement, data storage, and customer relationship management. And IIoT devices are becoming indispensable tools in managing and monitoring operations, quality/environmental controls, inventory management, and more. But without appropriate understanding of the risks and exposures these new technologies bring, opportunities are being presented for cyber criminals to take advantage.
And clearly, since half the companies surveyed suffered breaches, cyber criminals are interested. The manufacturing sector has quietly become the number two vertical (second only to education) under cyberattack, according to a 2019 cybercrime report from Malwarebytes. Cyber attackers understand that companies in the manufacturing sector can hold a great deal of confidential information and proprietary processes, so a successful attack to exfiltrate information could prove valuable for competitors. And, because of the imperative to keep business running at all times in order to remain competitive and viable as producers or supply chain partners, ransomware attacks can be very effective weapons to extort money. Manufacturers, depending on their scope or specialty, may also find themselves as the target of nation-state actors looking disrupt production or distribution. If well-financed and sophisticated attackers are targeting your operations, it is essential that cybersecurity is considered more than a “nice to have”.
Manufacturing concerns are complex and getting more complicated with the advent of new technologies. The importance of securing the computing systems that oversee these new technologies is clear. Manufacturers are experts in design and operational processes, but may not have the same depth of knowledge in digital technology security. And with in-house cybersecurity personnel difficult to recruit and even harder to retain, it would be wise to at least consider enlisting the help of external professionals. Assistance can start with a vulnerability management process: understanding the threats; documenting and prioritizing security remediation; assisting with the patching/replacement of existing, dated systems; developing a workable plan to stay on top of system security to avoid disasters. Partners can help strategize the roll-out of new technology, whether it’s cloud tech or new IIoT devices. And just as importantly, guidance can be provided on employee awareness training: all personnel need to consider themselves the front line of security in the face of cyberthreats, and they must be adequately and regularly trained. Testing and audit must be conducted on the cybersecurity programs to ensure that the controls are effective, and the training messages are sinking in.
Because phishing attacks Identity and access management (IAM) control is essential in the manufacturing sector to ensure that only authorized personnel can access information and control operations. Modern IAM can help lock down systems and resources, and ensure that appropriate tracking, reporting, and alerting takes place to help manufacturing facilities to stay secure and minimize the severity of attacks or breaches if they do occur. Enterprise-wise systems can inventory, profile, and help control/restrict access by personnel and machine alike, helping to ensure that processes run smoothly and securely.
The risks are too great not to work.
And just as manufacturers look for products and processes to differentiate them from the competitors, developing a leading cybersecurity program can help them stand apart from the crowd and give added confidence to customers and business partners alike. The time to act is now.
Since manufacturers must control access for many different users, they specifically need to prioritize the management of privileged access – which if compromised can give cyber attackers the ability to take over critical infrastructure like Industrial Control Systems (ICS) and Manufacturing Execution Systems (MES), and to modify or delete confidential information and proprietary processes. Privileged Access Management (PAM) enables manufacturing organizations to implement security layers to mitigate risk and limit the damage an attacker can do should the network be compromised.
For more information, read the 5 Top Reasons to Prioritize Privileged Access Security Today and learn where privileged access exists, their crucial role and how securing privileged access protects the enterprise.