How to Increase Cybersecurity in Manufacturing and other Industrial Environments

Cybersecurity risk is a clear and present danger to companies across all industries, including manufacturers and industrial organizations. The business impact is real, and companies need to understand that when they find themselves in the crosshairs of cybercriminals, the dangers and damages can extend far beyond financial loss and easily add up to a litany of issues.

These damages can include:

  • Theft of intellectual property
  • Loss in productivity
  • Harm to reputation
  • Destruction of data
  • Theft of personal employee data
  • Disruption to business continuity
  • Damage to physical facilities
  • Liability or fines for noncompliance with data-privacy regulations
  • Possible legal action by customers and employees whose personal information has been breached
  • Employees suing for lost wages if the company cannot pay due to the breach
  • Costs of remediating the damage itself
  • Relationship damage and lost confidence within original equipment manufacturer (OEM) and supplier relationships

Companies are under pressure to become more efficient, increase quality, reduce expenses and drive productivity, so it is only natural to add technology to the mix. With more automation coming onto the scene and Internet of Things (IoT) innovations becoming commonplace, more technology is being built into the very fabric of an organization’s day-to-day internal and field operations, as well as the very products it produces. While this has enabled manufacturers to operate at performance and revenue levels never achieved before, it has also increased the number of technology touch points within an organization. This significantly increases their susceptibility to cyberattacks, a risk that has historically been difficult for business leaders to quantify.

With a number of cyberattacks across all industries, executives are being challenged to view cybersecurity awareness differently. Cybersecurity risk is business risk, not just technical risk, and nowhere is this truer than for manufacturing and industrial companies.

Cybercriminals like manufacturing and industrial companies because they have trade secrets, business plans and valuable intellectual property at their fingertips. Furthermore, manufacturing and industrial companies have historically made fewer technology and security investments and are generally less experienced and equipped to manage and secure internet-facing or internet-enabled technologies. The result is expanded access into the network by threat actors and increased business risk due to the critical nature of the production line, the proliferation of IoT, the prevalence of legacy technology and “technical debt” and reliance on vendors and supply chain partnerships.

Why Manufacturers Need a Proactive Cybersecurity Approach

True cybersecurity takes a comprehensive approach, but there are areas you can look at now to get on the right track to protecting your organization.

Business Disruption and Unplanned Downtime. The key to any manufacturing business is to keep the production line running. While automation certainly improves the production system, that technology is at risk of security breaches just like any other.

Many manufacturers are utilizing old technology to run their floor. Often, this technology is no longer being supported with security updates. In turn, these networks are an easy target for cybercriminals who already know their vulnerabilities. Malicious actors, or even insider threats, can bring down a business’s ability to generate revenue, produce product and operate efficiently. Isolating these computerized systems from the internet is one layer of control.

Internet of Things. The more devices that are connected through networking and internet protocol (IP) addressing, the more you have open to attack. In a cyberattack known as the Mirai botnet, thousands of in-home and commercial cameras and IP-enabled devices sent terabytes of traffic at a single target, causing it to fail. Devices of this kind are part of any industrial and manufacturing system and could easily be compromised. The control is visibility and a simple password change; most of these devices had default passwords that had not been changed, enabling them to be easily compromised. These issues will continue unless companies understand how to be secure in our increasingly connected world.

Legacy Technology and Technical Debt. Industrial systems and manufacturing equipment are investments that need to provide a payoff. The longer the assets run and produce, the better the return on the investment. However, the older those systems are, the more vulnerable they become to security risks. Older systems are at risk of getting compromised due to insecure software, unpatched vulnerabilities, misconfigured operating systems and a lack of upgrades. The costs of technical debt can cripple a company over time, and it is much less expensive to continually update and upgrade systems rather than trying to play catch up years down the road when a piece of technology is no longer supported and must be replaced.

Vendors and Supply Chain Risk. A company’s technology systems are interconnected and rely on other systems, such as the internet, email, file storage, cloud applications, etc. This interconnectivity increases the risk that those third-party connections will cause a breach of some type. In order to control this risk, assess the risks that vendors, suppliers and contractors introduce to the company. This risk could cripple production and bring down the company. Vendor and supplier cybersecurity postures need to be formally assessed at least annually. Before selecting them for partnerships, ensure that they are not adversely impacting security.

Additional Avenues of Attack

Furthermore, manufacturing and industrial companies are impacted by at least three additional broad categories under which most types of cyberattacks and threats occur:

  • Espionage and IP Theft. In a globally competitive environment, some unscrupulous companies would rather steal what they need instead of investing the time, money, expertise, research and other layers of processes and resources into building something better. Cybercriminals see the possession of business plans, trade secrets and intellectual property as an extremely lucrative venture for resale, especially to nation-states. Many of the types of cyberattacks we hear about in the news seem to fit a typical pattern: criminals break into networks intending to steal credit cards or sensitive personal data such as Social Security numbers. Manufacturers may think they are less of a target because they don’t have high volumes of this type of data. But they often forget about the value of intellectual property.

“The trade secrets, their recipes and build lists, are key items at risk for manufacturers when it comes to cybersecurity,” said Dave Glennon, director of manufacturing and distribution for Eide Bailly. “That’s incredibly sensitive information.”

“Breaches often go undetected, and hackers can be patient when it comes to finding access to your IP,” said Todd Neilson, chief technology officer for cybersecurity firm Secuvant. Cybercriminals spend an average of 200 days in a system before they are detected.

“I can’t tell you how many times manufacturers find their plans for sale on a foreign black market, and often there’s nothing they can do about it,” said Neilson.

  • Ransomware for Revenue. Ransomware is an example of cyberextortion. Ransomware attacks are usually undertaken by a trojan that is designed to look like a file that a user downloads or opens in an email attachment. Ransomware is usually designed to encrypt data and prevent a company’s access to the data until an anonymous payment is made to the hacker. Many times, even after payment, the encryption keys are not provided, and access to the data is not granted. Those who engage in ransomware are almost always seeking money.
  • Pure Destruction and Harm. For some, the motive for exploiting is not financial, but rather to cause damage for political or emotional purposes. Stuxnet was discovered to be the world’s first “cybermissile” with the ability to control industrial processes that damaged a nuclear centrifuge fuel-refining plant in Iran. More recently, a confirmed case of a cyberattack against a manufacturer caused physical damage when hackers struck a steel mill in Germany. They were able to gain access to the network and disrupt control systems to such a degree that a blast furnace could not be properly shut down, resulting in massive damage.

Damaged Reputation and Trust: Knowing what to do when you have a breach is vital, but just as important is having a plan to deal with disaster recovery and business continuity. How would your customers react to the news if you had a breach? How do you keep your business from completely stalling? A comprehensive cybersecurity plan can help you address these areas.

The increase in types of cyberattacks has also prompted many companies to be proactive in addressing this in their supply chain.

“Many manufacturing clients are not just asking for you to be secure, they are also asking you to prove it,” Neilson said.

Executives Have More Control Than They Think

In the face of these threats and expectations, many business leaders think they are powerless — but they are wrong. In fact, many of the root causes of breaches are within the C-Suite’s control. According to IBM's "Cost of a Data Breach" report:

  • 25% of all breaches involved system glitches, including both IT and business process.
  • 23% were human factor errors by negligent employees or contractors, which are also largely preventable.
  • The other 52% involved a malicious or criminal attack, which tends to drive most of the hype in the press.

A strong case can be made for a top-down cyberhygiene program, which, if executed correctly by executives, can reduce up to 70% of cybersecurity risk. The following areas provide executives a great starting point.

[Graphic: cybersecurity in industrial environments]

Cybersecurity Isn’t Just an IT Issue

This top-down approach can break the common thought pattern of “Cybersecurity is an issue for IT to deal with.” While it’s certainly true your IT team is on the front lines of the safety of your systems, it should be an organization-wide initiative. Cybersecurity demands a risk-based approach that identifies the many ways a breach could impact your manufacturing entity. After all, one cybersecurity breach can affect the entire organization by disrupting availability, efficiencies, compliance and more.

Cybersecurity awareness is everyone’s business.

Cyber Risk is Business Risk

Raising cybersecurity awareness is fundamental to the success of your organization, and cybersecurity awareness is not a one-time project. Security maturity is achieved through effective, ongoing and evolving program management. Cybersecurity risks are evolving as fast as technologies evolve, and as such, companies need to take a different approach to cybersecurity. Those at the top of the corporate ladder should take a more active role in addressing cybersecurity as a risk to business survival. This type of leadership is the only way a healthy, holistic and effective strategy can be created.

Even if you think you’re relatively secure, the fact is that your company is at risk. It’s not a matter of if, but when an attack will happen.
