Last month, a report revealed the extent to which the manufacturing sector is at risk of cyberattack. So what can be done to improve the industry’s cybersecurity? Kate O’Flaherty reports.
A lethal cocktail of legacy systems, poor processes, and weak security is putting the manufacturing industry at unnecessary risk of cyber attack. Any assault on the sector, or on an individual company, could have wide-ranging consequences for factories, customers, partners, and the wider economy.
On top of the potential for the theft of valuable data via hostile state-sponsored attacks, industrial espionage, or opportunistic hacks, systems could be taken over and processes interfered with. The economic and employment effects could be damaging.
Who are the targets?
Last month, a survey published by industry organisation EEF revealed that nearly half of all UK manufacturers have been victims of a cybersecurity incident.
The EEF report highlighted the sector as one of the least protected, with 45 percent of respondents saying they do not have the right tools, processes, or technologies in place to mitigate against new cybersecurity risks. At the same time, manufacturing is now the third most targeted industry overall, behind government systems (including healthcare) and financial services, according to the report.
The findings come amid a number of UK and US government reports last month that Russia, and other nations that are hostile to Western interests, are targeting cyber assaults at businesses, including manufacturers and the energy sector.
The industry possesses attractive IP, given that it provides 10 percent of UK output and 70 percent of overall business research and development. In the US, manufacturing contributed 11.6 percent of 2017 GDP.
The figures also make the sector an attractive target in pure economic terms. With the extent of Russian interference on social platforms in recent years now apparent – multiple reports last year revealed attacks that were designed to sow political dissent on Facebook, Twitter, and Instagram, among others – the risk of state-sponsored attacks on industry cannot be ignored.
Manufacturers are a major target for state-sponsored espionage as well as for opportunistic hackers, says Tom Holloway, principal business resilience consultant at security provider, Sungard Availability Services. “Any advanced production process, from cars to mobile technology and warships – and almost any industrial process that anyone wants to shortcut – is a target,” he says.
Among the risks, manufacturing firms can fall victim to distributed denial of service (DDoS) style attacks, says Andrew Till, VP of marketing and technology at cloud provider Harman Connected Services. He warns: “Hackers concentrate on poor configuration. For example, they will attack a server. If they can attack one component and compromise it, they might find they are able to get into other systems.”
It’s not a difficult challenge for even an inexperienced hacker to access internet-connected systems in manufacturing when there are no security safeguards in place. However, many breaches succeed when an attacker gains physical access to a building and leaves a memory stick at the reception desk. Someone will invariably plug it in, according to Andrew Tüscher, director of the NDI specialist defence division at EEF.
Adding to complexity, many of the systems used in manufacturing are outdated, in technology terms, making them more susceptible to attack, says John Stevenson, product marketing manager at content security provider, Deep Secure. Others may not have been designed originally for internet connectivity, a problem that is a particular challenge in the healthcare sector.
“For example, many manufacturing systems – such as those used in the production of food, energy, and power – are controlled by workstations running obsolete or unsupported versions of Microsoft operating systems. Sometimes the people who put these in are no longer with the company, or the supplier themselves isn’t trading anymore,” he says.
The widespread use of outdated and unsupported versions of Windows was the core reason for the global impact of the WannaCry ransomware attack last year.
One of the biggest threats to the manufacturing industry lies in securing the industrial control systems (ICS) that underpin companies’ operations. “Manufacturers often find themselves on a back foot, as these systems have a lifecycle of up to 15 years and are unable to be patched effectively,” says Scott Walker, senior solutions engineer at security specialist, Bomgar.
In the past, the solution was to create an ‘air gap’, ensuring critical control systems weren’t connected to the internet. “While this was effective previously, layering new IoT solutions on top of legacy systems, or removing the air gap and connecting modern ICS networks to the wider enterprise and third parties, opens up vulnerabilities and new pathways for attack,” he says. “This can see threat actors increasingly targeting employees to obtain privileged credentials.”
To mitigate against this threat, Walker advises manufacturers to implement privileged identity and access management tools. “This enables you to secure your privileged credentials, implement granular access controls for third-party and internal users, and provide an auditable history of what was accessed during any session.”
Access to information
According to the EEF report, 41 percent of manufacturers do not have access to enough information to be able assess their true cyber risk. More worrying still, 12 percent admit they have no technical or managerial processes in place to even begin that process.
But some free resources are readily available. EEF’s Tüscher suggests that UK-based manufacturers should adhere to the government’s Cyber Essentials scheme “at a bare minimum”. He adds: “We also engage with white-hat hackers who pressure-test systems.”
Overall, he says: “The most important part of industrial security is using firewalls, having secure settings on devices and software, and access control and virus protection. You need to have the latest apps that you can possibly have, and patch them regularly.
“It’s running programmes in an isolated environment,” he adds. “Many companies have two systems, with one holding data that isn’t exposed to the outside world.”
In order for manufacturing firms to protect themselves, Luke Somerville, head of special investigations at cybersecurity provider, Forcepoint, advises a risk-adaptive approach. In other words, he explains:
“Look at what is happening on a day-to-day basis and build up a baseline understanding of how people, data, and things move and interact within your company. It’s then much easier to spot when something goes wrong.”
At the same time, Theresa Bui, director of IoT strategy at Cisco, says, “Manufacturers should make sure the IoT platform they use is able to detect suspicious behaviour, and also automate the remediation of any anomalies.”
The human factor
Another important factor to take into account is staff training and awareness. “It’s people. If an employee picks up a compromised memory stick and uses it, you’re busted,” Tüscher warns.
Till advises “going back to basics and having a security audit”. In addition, he points out, “You have to work with your partners who connect into your network. How do you know their end points haven’t been compromised?”
Sean Robinson, manager of software solutions at industrial automation specialist, Novotek, agrees. He says: “There are definitely things you can do; you don’t have to invest a lot. But the first step is getting someone to look at what you can change, focusing on your people and your systems.”
The EEF report warned that there is no one solution that fits all manufacturers. This can be a challenge in itself, Holloway concedes. “I don’t think a ‘one size fits all’ solution will work in manufacturing. Everyone has a different set up, so it depends what systems you have. But there are some common factors: defence requires an integrated security plan based on a cyber risk assessment that is up to date and effective.”
If equipment is over 10 years old, Holloway advises replacing that hardware and software. “You need to update to modern encryption protocols, as older ones will be easy to crack,” he says.
Internet of Business says
The threat landscape is widening thanks to the rise of the Internet of Things itself. Not only are a whole variety of devices, plants, and machines being put online that were perhaps never designed to be exposed to the internet, but other devices are also being rushed to market by inexpert providers that have little track record in enterprise-grade security.
Internet of Business is committed to providing solutions to security problems across different type of industry. Here are some of our recent reports in this critical area:
- Read more: IIoT security: How to secure the Internet of Threats, by IBM
- Read more: IoT Security: How to fight attacks on health, energy, and transport
- Read more: Gartner: IoT security spend hitting $1.5 billion – but strategy poor
- Read more: Security: BSI unveils new kitemark certification for IoT devices
- Read more: IoT security: Shadow devices pose growing threat to networks – report
- Read more: Security: Why you should worry about unsecured IoT devices – Mozilla
- Read more: Mining industry must strengthen IoT security, warns report