September 06, 2018
Manufacturing and distribution is an industry built on momentum, but what happens when maintaining the necessary speed puts you at risk of grinding to a halt completely?
Manufacturing can often be a business of thin margins and shifting priorities. An area that often gets pushed down on the priority list is updating technology, mostly because systems are functioning properly so there appears to be no reason to update them.
The result of this decision is that an alarming number of manufacturing companies use old technology on their floors, which makes them prime targets for hackers.
What’s Your ‘Technology Debt’?
Keep technology at the bottom of the priority list too long, and you end up with a “technology debt”—systems that are way behind on necessary security patches and updates, or worse, not supported with those updates at all.
“Manufacturing is behind the times when it comes to IT in general,” said Todd Neilson, Chief Technology Officer for cybersecurity and risk management firm Secuvant. “It’s not uncommon to see a Windows XP or Windows Server 2003 machine being used because it works. Security updates for XP ended in 2014 and in 2015 for Windows Server 2003.”
Technology that is no longer being supported with security patches is a magnet for cyberthieves, Neilson said, because hackers generally hit the lowest-risk targets first.
Watching and Waiting
Many manufacturers may think that because this technology is often tied to machines on the floor, the threat is minimal. But as long as those machines are connected to a network, the threat is too big to ignore, said Anders Erickson, director of cybersecurity for Eide Bailly.
“Many manufacturers are unaware of just how much cyber risk they are carrying,” Erickson said. “Cyberthieves don’t announce their presence. They may sit in your system for months just monitoring to see what kind of sensitive information they can get. For example, they may wait to see how your organization handles wire transfers, who approves and who is in the chain. Then they’ll wait for the right time to act, get what they want and move on.”
These thieves will take anything with perceived value—IP data, customer data, credit card numbers. Some may even enact ransomware schemes or down floor machinery simply because they can.
You may think updating your technology is the solution, but that’s only a part of the puzzle in today’s cybersecurity landscape. Protecting your organization from a breach is more than just setting up a firewall. Cyberthieves are sophisticated, and it takes a comprehensive approach to ensure you are protected.
“You have to take a risk-based approach,” said Erickson. “Ensure you have the security policies and controls that focus on the greatest risk to your unique way of doing business.”
While more and more manufacturers are understanding this, there are still many who are behind in this critical area. In one recent survey, 40 percent of manufacturing cybersecurity professionals said they do not have a formal cybersecurity strategy nor do they follow standardized information security policy practices.
“That’s very typical,” said Neilson. “We find a majority of the businesses we talk to say they have a cybersecurity strategy, but they don’t understand what that strategy should actually encompass. They may think they are doing well because they have a firewall and anti-virus protection, or even people who are watching to react when they get hit. That’s not a strategy. They don’t consider things like disaster recovery, business continuity or crisis planning and incident response as portions of their cybersecurity strategy.
“Everyone is struggling to put the controls in place to address current threats. You have to continually move forward with different options and controls to keep pace with today’s threats.”