Manufacturing and distribution is an industry built on momentum, but what happens when maintaining the necessary speed puts you at risk of grinding to a halt completely?
Manufacturing can often be a business of thin margins and shifting priorities. An area that often gets pushed down on the priority list is updating technology, mostly because systems are functioning properly so there appears to be no reason to update them.
The result of this decision is an alarming number of manufacturing companies using old technology on their floors. This makes them a prime target for hackers and a huge cyber risk.
Here’s how to implement a culture of security in your manufacturing practice.
The Cyber Risk in a Technology Debt
Keep technology at the bottom of the priority list too long, and you end up with a “technology debt.” A technology debt occurs when systems are way behind on necessary security patches and updates, or worse, not supported at all.
“Manufacturing is behind the times when it comes to IT in general,” said Todd Neilson, Chief Technology Officer for cybersecurity and risk management firm Secuvant. “It’s not uncommon to see a Windows XP or Windows Server 2003 machine being used because it works. Security updates for XP ended in 2014 and in 2015 for Windows Server 2003.”
Technology that is no longer being supported with security patches is a magnet for cyberthieves, Neilson said, because hackers generally hit the lowest-risk targets first.
How Cyber Thieves Work
Many manufacturers may think that because this technology is often tied to machines on the floor, the threat is minimal. But as long as those machines are connected to a network, the threat is too big to ignore, said Anders Erickson, director of cybersecurity for Eide Bailly.
“Many manufacturers are unaware of just how much cyber risk they are carrying,” Erickson said. “Cyberthieves don’t announce their presence. They may sit in your system for months just monitoring to see what kind of sensitive information they can get. For example, they may wait to see how your organization handles wire transfers, who approves and who is in the chain. Then they’ll wait for the right time to act, get what they want and move on.”
There are several types of cyber attacks. Thieves will take anything with perceived value—IP data, customer data, credit card numbers. Some may even enact ransomware schemes or down floor machinery simply because they can. A recent study found that 54 percent of data breaches in industrial environments are caused by a malicious attack.
Think Broadly about Your Cyber Risk
You may think updating your technology is the solution, but that’s only a part of the puzzle in today’s cybersecurity landscape. Protecting your organization from a breach is more than just setting up a firewall. Cyberthieves are sophisticated, and it takes a comprehensive approach to cybersecurity awareness to ensure you are protected.
“You have to take a risk-based approach,” said Erickson. “Ensure you have the security policies and controls that focus on the greatest risk to your unique way of doing business.”
While more and more manufacturers are understanding this, there are still many who are behind in this critical area. In fact, one survey found that 40 percent of manufacturing cybersecurity professionals said they do not have a formal cybersecurity strategy, nor do they follow standardized information security policy practices.
“That’s very typical,” said Neilson. “We find a majority of the businesses we talk to say they have a cybersecurity strategy, but they don’t understand what that strategy should actually encompass. They may think they are doing well because they have a firewall and anti-virus protection, or even people who are watching to react when they get hit. That’s not a strategy. They don’t consider things like disaster recovery, business continuity or crisis planning and incident response as portions of their cybersecurity strategy.
“Everyone is struggling to put the controls in place to address current threats. You have to continually move forward with different options and controls to keep pace with today’s threats.”
Three Ways Manufacturers Can Improve Their Cybersecurity Awareness
For some, the first hurdle may simply be not knowing where to start. True cybersecurity awareness takes a comprehensive approach, but there are areas you can look at now to get on the right track to protecting your organization.
- Update Your Technology
A large number of manufacturers are using technology that is out of date and extremely vulnerable to attacks. Staying current on your technology and helping your OT teams and IT teams work together will increase your cybersecurity by leaps and bounds.
- Utilize a Cybersecurity Framework
There are already cybersecurity frameworks that can provide a good basis for how to protect your organization, such as ISO/IEC 27001. They can offer best practices and save you time when you don’t have the resources to devote more fully to cybersecurity.
- Choose the Right Vendors and Cyber Professionals
Defense in depth is always a good strategy, but it’s important your cybersecurity team understands a risk-based approach is the best way to achieve comprehensive cybersecurity for your organization. They can help you choose the right tools for your unique circumstances.
Protect Your Manufacturing Entity from Cyber Risk
Ensure your technology and security are top areas of discussion within your organization. Each time you update a system or process, consider the implications that process will have. Also, ask for help. There are several trained cybersecurity firms who can help you ensure your technology debt won’t cause problems at your manufacturing entity.
Even if you think you’re protected, it’s always good to double-check. We’ve developed a guide to help you weather the cybersecurity storm.