According to a 2016 McAfee Labs report, connected devices will grow by 200 billion by 2020.* It is also speculated that global spending on cybersecurity will top $1 trillion between 2017 and 2021, according to a Cybersecurity Ventures Report.* As an increasing number of connected devices come to market, protecting data and information is only becoming more of a complicated process. The newfound challenges brought on by digital innovation is quickly advancing as one of the biggest threats to national, corporate and personal security.
The manufacturing sector is one of the most at-risk industries as a growing reliance on automation and big data become increasingly widespread. Not only is manufacturing threatened when it comes to data protection, but also on a plant security and worker safety side as well.
In an interview with the Internet of Business, Dr. Larry John, Principal Analyst, ANSER discusses cybersecurity of smart manufacturing and what the industry should be better prepared for as digital transformation continues to move forward.
1. What are the biggest threats to cybersecurity when it comes to smart or advanced manufacturing?
Don’t think it can’t happen to you! From a national security standpoint, which is where I spend most of my time, the biggest threat is nation state adversaries who see a steadily expanding attack surface in Smart Manufacturing and IIoT and are highly motivated and extremely well equipped to exploit it. But no matter what product you are producing, there’s always someone who wants to gain access to manufacturers’ intellectual property to gain competitive advantage. Firms that fail to recognize that may also fail to emphasize cyber hygiene and proper management of privileged accounts. This combination opens the way to both insider and outsider threats using either direct or “stepping stone” attacks to gain access to critical data and processes.
2. Do you think the manufacturing sector has a decent or poor understanding of modern attacks as well as the limitations of security measures?
The direct answer is “it depends.” But I think the issue is less about their technical knowledge of attacks than the reality that the vast majority of attacks can be thwarted through good “cyber hygiene.” The manufacturing sector should not be expected to understand this threat in technical terms, and will need to rely on security specialists for help. What they do need to know is how to recognize the reliable security specialists from the pretenders.
3. In regards to cybersecurity, what are some of the biggest mistakes manufacturers are making today?
The biggest mistake is to assume “it won’t happen to me”, or “my hygiene and perimeter defenses will defeat the threat”. It is a mistake not to have plans to detect, respond and recover. So they fail to stress the need for cyber awareness and good cyber practices. Also, because they effectively consider system “uptime” to be more important than system security, they often don’t have good control over systems and accounts that have very high levels of privilege with respect to critical product and process data.
4. To more effectively secure data and networks, what could manufacturers be doing better?
To more effectively secure data, manufacturers should insist on systems, especially IoT devices, that have strong security features built in. The default should be to use those features to the max. Another need is a strong cybersecurity awareness program that educates the workforce about the existence of the threat and the importance of cybersecurity to the firm’s continued health. Also, make sure you’ve fully implemented at least the five critical security controls recommended by organizations like The Center for Internet Security. You’ve got to know everything that’s connected to your networks and disconnect anything that’s not authorized. The same goes the software that’s running on your systems—create and maintain an application whitelist and block everything that’s not on that list. Keep your hardware and software secure by standardizing configurations to the maximum extent practical and using only secure communications protocols to communicate between systems. Use high-quality tools to monitor your network at all times and periodically re-assess vulnerabilities, which will change as both software and attack methods evolve. Have a strong program that strictly limits the number and capabilities of privileged accounts, especially administrator privileges. Help in these areas may soon be available through the NIST Manufacturing Extension Partnership. Manufacturers would do well to encourage their local MEP center to include these services in their offerings to industry.
5. How can the industry act together to heighten IoT security in the manufacturing industry?
Industry can act together by backing security standards for IoT and behaving as smart customers who favor the products in the market that embrace those standards. Also, recognizing that they are all in the same boat, manufacturers would do well to share data about the attacks they are experiencing with each other and with the relevant government authorities. Actively participating in the relevant Information Sharing and Analysis Centers (ISACs) is a great way to do this. They should also make it clear to the companies that supply their Industrial Control Systems that building in reliable, easily updatable security capabilities that protect those systems and the data they create, store and use is important to manufacturers.
Dr. Larry John is a Principal Analyst with Analytic Services (ANSER), a not-for-profit public service research institute headquartered in Falls Church, VA. He has over 30 years’ experience structuring and executing complex analyses for decision makers at all levels of government. Dr. John was a key author on the original NDIA White Paper, a major contributor to the NIST Cyber Physical Systems Framework, and a founding member of the follow-on working group’s Integration Team.
A retired U.S. Air Force officer, he holds a Bachelor’s in International Relations from Penn State, a Master’s in Public Administration from Northern Michigan University, and a Ph.D. in Systems Engineering from Stevens Institute of Technology.