The evolution of manufacturing processes has increased efficiencies and improved quality output. At the same time, advancing technologies opens the door for growing cyber risk for manufacturers. The result can be catastrophic, impacting operations, revenue and reputation.
Good Reason to Worry
The growing sense of concern about cyber security in manufacturing has sound basis. In a recent survey conducted by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI), nearly 50 percent of the respondents indicated they lack confidence that their assets are protected from external threats. Further evidence comes from roughly 40 percent having been affected by cyber incidents in the 12 months preceding the survey. Of those, 38 percent said the cyber breaches resulted in damages of more than $1 million.
According to the US National Center for Manufacturing Sciences, cyber attacks targeting manufacturing stem from several factors including:
- Fierce competition in a sector where intellectual property is at a premium
- Industrial control systems (ICS) are often left unguarded
- Lack of investment in cyber security due to a focus on productivity and efficiency
Criminal intent is the root of many cyber attacks. Activity includes extortion via ransomware, industrial espionage, and theft of data such as company account numbers and personal information. Social engineering and fraudulent money transfer are the most common claims seen today.
Vulnerability Cuts Across the Industry
Manufacturing is one of the top 3 most vulnerable industries to cyber-attacks, behind only healthcare and finance. Just over a third of all documented attacks in the second quarter of 2016 targeted the manufacturing industry, with manufacturers appearing in the top three targets in five of six geographic regions throughout 2016, according to the US National Center for Manufacturing Sciences.
Cyber crime can hit any sized manufacturer. Cyber attacks originate from both internal and external sources and can target any operation and system within the business.
Small and large manufacturers are at risk. In some cases, it may be easier to breach smaller manufacturers. The greatest percentage of threats includes phishing/pharming, social engineering, human error, lack of vendor management, and corrupt mobile device access and usage.
More Data Equals More Risk
Connectivity creates almost unlimited amounts of data. As consumers, connected devices run our homes, monitor our vehicles, measure our health and more. In manufacturing, connected devices perform functions once completed separately by humans. The Internet of Things (IoT), as the connectivity is known, can track inventory, manage logistics, measure productivity and provide real-time alerts to increase safety. From robotics to supply chain management, technological advancements and increased connectivity are driving transformative change while opening analytical opportunities.
According to the Deloitte survey, almost 50 percent of manufacturers have mobile apps associated with their connected products, and 76 percent use Wi-Fi to transmit data among their connected products. Fifty-two percent report that connected products can store or transmit confidential data, including Social Security and banking information.
It appears manufacturers are not adequately protected against the risk that connectivity presents. The same survey says that almost 40 percent of manufacturers do not incorporate IoT products within their broader incident response plans, potentially slowing their responses to cyberattacks and malware.
As industrial technology grows more sophisticated and information more robust, manufacturers are using cloud, fog and mobile to store and access data. To cyber thieves, this welcome news presents wider access and another vulnerable path for attack.
Protecting Systems, Data and People
Highly automated systems are the hallmark of advanced manufacturing. These shop floor control systems enhance productivity, operational efficiencies, environmental protection and employee safety.
Many manufacturers rely on air gap testing to assess their individual shop floor automation systems’ vulnerability to cyber attack. Air gap protection is one way manufacturers isolate control systems to minimize risk. Air gap isolates various systems and creates a physical barrier around each. For example, an air gap could be created around a control system, another around internet access and a third around enterprise networks. While strong in theory, each point of potential attack must be tested separately and often. Additionally, connectivity and digital manufacturing require more sophisticated testing methodologies.
Reducing cyber risk for data relies on protecting many different types of data, including intellectual property (IP), the most feared target of cyber attack. Protecting sensitive data by implementing preventive and detective solutions can enhance barriers from the inside out, allowing manufacturers to continue to build IP value.
Minimizing Devastating Impact
Every manufacturer knows that a slowdown or shut down for any reason can negatively impact the bottom line. A business interruption caused by breaches in cyber security can have the most serious effects of all. For example, a serious breach in a manufacturer’s Enterprise Resource Planning (ERP) system could impact shop floor operations, internal processes such as procurement, inventory control and payroll. Damaged equipment, environmental contamination and personal injuries could occur.
The cost of lost production alone could shutter a business forever.
Understanding vulnerability and taking steps to protect a manufacturing business are sound business practices. In the alert issued in October 2017, the Federal Bureau of Investigation (FBI) and the National Center for Manufacturing Sciences (NCMS) recommended that organizations using smart manufacturing systems consider the following cyber security practices, when integrating the technologies in their production environments:
- Implement Application Whitelisting – Can detect and help prevent attempted execution of malware uploaded by adversaries
- Ensure Proper Configuration/Patch Management – Safe importation and implementation of trusted patches can help keep systems secure
- Reduce Your Attack Surface Area – Isolate systems from untrusted networks, disable unused ports and services
- Build a Defendable Environment – Segment networks into logical enclaves and restrict machine-to-machine communication paths
- Manage Authentication – Implement multi-factor authentication where possible and follow least-privilege principles
- Implement Secure Remote Access – Limit remote accesses, consider monitor only access, and eliminate persistent remote connections
- Monitor and Respond – Perform system baselines and monitor for changes, develop detailed response and restoration plans
Find additional cyber security resources and current information at US-CERT and the National Institute of Standards and Technology (NIST).
A mid-size pallet recycling company with four plant locations and 300 employees had standard information stored on their network including engineering diagrams, payroll, account data and business documents. Standard firewall security was in place. However, when the company’s owner was working remotely, he opened an email from what he perceived as a recognizable address. Within a few seconds the screen went blank and the owner received a message that if he wanted access to the computer, he needed to pay a ransom. All the data on the computer was already corrupted causing major production and operational delays. Source: Industry Today.
Protecting Your Business
Partnering with a risk management expert can protect your business from many forms of risk and liability. Most manufacturers are clearly aware of the need for all types of coverage. What is often not as apparent is that protection from cyber risk requires specialized coverage, not usually included with standard policies.
When considering cyber coverage, a professional risk manager is a must. Policies can be called cyber insurance, privacy breach insurance, network security insurance. Cyber insurance has created a broad and chaotic market with widely different premiums and terms. With the proliferation of cyber coverages available, it is critical to understand unique limits and exclusions and select the policy that best meets your business needs.
In general, cyber coverages may include the following specialized terms:
- Third Party Intellectual Property breach of third party IP in your custody or control
- Data Breaches resulting in loss of personal information
- Third Party Damages if a virus or other attack causes damage to an external system
- Business Interruption if your business is breached and it impacts income
- Dependence Business Interruption if your business is dependent on another business which suffers a breach impacting your business
- Systems Failure if an unintentional, non-malicious attack occurs and hardware or software glitches cause your systems to be interrupted
- Dependent Systems Failure if your system is dependent on an external system which is unintentionally, non-maliciously attacked
- Cyber Extortion if hackers shut down systems and demand payment
Your risk manager partner can help you determine the best policy for your needs, and include appropriate limits of liability. Your risk management partner will also understand exclusions to coverage, coverage-enhancing or coverage-restricting definitions, provisions impacting selection of any outside investigators or attorneys, defense cost payment and any vendor acts and omissions of coverage. Experts who stay current in an ever-changing landscape best handle these complicated policies.
Our cyber risk professionals have the experience and proven success to help your business stay protected against the very real and growing threat of cyber attack.
Note: This communication is for informational purposes only. Although every reasonable effort is made to present current and accurate information, Oswald makes no guarantees of any kind and cannot be held liable for any outdated or incorrect information. View our communications policy.