The changing face of automated manufacturing and the risks
As the manufacturing industry continues to adopt greater levels of technology and connectivity, a robust cybersecurity strategy is essential. Trends such as remote access and Industrial Internet of Things (IIoT) connectivity make manufacturing more efficient, but they also create new points of vulnerability that can be exploited.
There has been a marked increase in cyberattacks targeting manufacturers in the last year. For instance, in the first quarter of 2020, attacks targeting the manufacturing sector accounted for 11% of all cyber attacks that occurred across all industries, according to the Association of Packaging and Processing Technologies (PIMM) 2021 Cybersecurity: Assess your Risk report. By the second quarter of 2020, cyber attacks targeting manufacturers accounted for 33% of all incidents across all industries. This is a growing concern for manufacturers, with an increasing number of companies reporting they have been victims of cyber attacks.
This increase in attacks is especially alarming considering there are real and growing costs to manufacturers that experience a cyber attack. In 2020, the average cost of a cyber attack stood at around $3.85 million, according to PIMM’s report, and that is before factoring in ancillary impacts such as lost opportunity and damaged customer loyalty. In addition to the physical pain, it often takes manufacturers a significant amount of time to identify and effectively contain a cyber attack. The average time to identify and effectively contain an attack stood at 280 days in 2020, the report noted.
Why attacks on manufacturers began
Cybersecurity consultancy Performanta’s CEO, Guy Golan, says: “Manufacturing systems were built to do few things exceptionally well. This could be chemical dosages in drugs, poisonous materials in paint, fluoride in water, smooth edges in children's toys, or a working steering wheel in a car, to name a few. Attacks on these systems will result in major financial losses but also, more worryingly, in lives lost.
“For years, manufacturers treated these automated systems as the holy grail. Few could touch them and very few could tweak them. The systems were great at doing what they were set up to do and touching them would pose a real risk. As a result, many of these systems are outdated.
“And then the first wave of digitisation and automation started. ERP systems exploded into the market with a slogan of making business more effective and gaining competitive advantage. With that in mind, there was a need to connect these stand-alone systems to a central internal repository. It was done with caution while still ensuring very few could touch the systems. However, soon after digitisation, consumer flexibility (like allowing them to choose a car’s specifications and colour) became available and then paramount for manufacturers to maintain a competitive edge. This forced manufacturers to connect everything to the internet, literally opening their systems up to the world.
“The result was the need to strengthen these systems from malware, external attacks, and internal abuse. A proliferation of cyber tools started to emerge and led to many hands dealing with demi-sacred systems that no one was ever supposed to touch. These actions exposed vulnerabilities that could be abused by anyone with malicious intent for some sort of gain, while also opening up to human error by users,” he adds.
Improving cybersecurity readiness
The PIMM says the first and most important step a manufacturer can take to improve their cybersecurity readiness is to gain a thorough understanding of their operation’s vulnerabilities and how these vulnerabilities can be exploited by bad actors.
Golan says: “Investment needs to be made to understand what a company protects, why it’s protecting it, who can access it, and how one accesses it. This needs to be determined and then monitored. Visibility is key. Ability to remediate quickly is a must.”
The main cyber threats manufacturers are facing are theft of their IP, cyber attacks (like phishing, pharming and ransomware), security breaches involving a third party (e.g. within the supply chain), human error and employee abuse of IT systems, as well as attacks which exploit mobile network vulnerabilities and public cloud.
Christina Kirichenko, Associate and Data Protection Law Expert at Pinsent Masons, says: “All of these threats are mainly the result of underlying governance problems within the organisation. Therefore, governance and incident preparedness are the main challenges which businesses face alongside navigating the variety of regulations, recommendations and standards across different countries and industries.”
Kirichenko adds that automated manufacturing requires expertise over several areas including network security, embedded systems, OT and IT security, interoperability and communication protocols, relevant regulations, guidance, recommendations and standards. “Building a cyber security team that can cover the entire range of skills required is an increasing challenge, especially due to fragmentation of and gaps in security standards across jurisdictions and industries (e.g. automotive or critical infrastructures). Some businesses have incomplete organisational policies and are reluctant to fund their cyber security governance and technical measures,” she says.
Supply chain issues
The complexity of the supply chain and new capabilities in smart manufacturing (predictive analysis, data-driven decision-making, automation) pose one of the biggest challenges in automated manufacturing security. Manufacturers are not isolated; they are dependent on and connected with the whole smart supply chain.
“The increased interdependence of supply chains results in enhanced cybersecurity risks and the chain is only as strong as its weakest link,” says Kirichenko. “Having effective control over the supply chain is essential for manufacturing processes, as not being able to track every component to its source further erodes confidence in a product’s security. With different stakeholders across the supply chain potentially subject to different national legislative frameworks, security incidents may occur at various tiers and stages. Security incidents within the supply chain may result in a propagation of errors and risks across the whole supply chain, which makes detecting the source of the problem very difficult,” she adds.
Overcoming threats
Pinsent Masons believes investment in cybersecurity should be considered a high-priority issue which requires funding and commitment. It advises its customers that even if incidents occur, proper governance can help to reduce the risk of fault-based liability. It says manufacturers should plan their investment to cover people, governance (risk assessment, policies, procedures, training, testing), technical capabilities (devices, interoperability, promoting other technical measures) and incident preparedness.
“Raising awareness around cyber security, especially with top-level management, and cultivating talent and knowledge is worth the investment; businesses need to be thinking about this in the long term,” says Kirichenko. “Businesses need to address the complexity and the risks involved in large supply chains. This requires holistic management of security across the chain and end-to-end security is a prerequisite for automated manufacturing. Businesses should regularly conduct risk assessments to identify potential cyber risks,” she adds.
The future
Cyber risks are increasing in manufacturing due to evolving technology and connectivity, and the attacks are becoming more sophisticated and severe. Therefore, manufacturing businesses need to make cyber security one of their priorities.
At a legislative level, regulators all over the world recognise the importance of cyber security as well as challenges around fragmentation of security standards across jurisdictions and industries. In the EU, there is a trend towards more unified security standards in the future, so EU countries may experience more and more regulation (both general and sectoral) around cyber security requirements and standards both on the manufacturing process and the product side. The EU cyber security strategy aims to stem the growing cyber security threats. The strategy is built on three main pillars: (i) resilience, technological sovereignty and leadership; (ii) building operational capacity to prevent, deter and respond, and (iii) advancing a global and open cyber space through increased cooperation. The European Commission wants to integrate cyber security into every element of the supply chain and increase the level of cyber resilience of critical sectors.
Golan concludes: “In essence, efficiencies and competitive edge will continue driving manufacturers to open up even more to the internet. Cyber is a business enabler and thus manufacturers will have to accommodate these changes while lowering the risks (old and new) and limiting the impact of cyberattacks if those were to occur.
“Investment needs to be made to understand what a company protects, why it’s protecting it, who can access it, and how one accesses it. This needs to be determined and then monitored.”