Despite the constant news about the growing cyber threats in the manufacturing industry, many manufacturers are still falling short with cybersecurity planning and operating antiquated systems that leave them vulnerable to attack.
Rebecca Taylor, senior vice president of strategic partnerships at the National Center for Manufacturing Sciences, said in a presentation at the recent Automation Conference in Chicago that while 47 percent of manufacturers polled said no cybersecurity attacks have taken place, many companies keep attacks a secret or don’t even know they have been subjected to an attack. Some of the most common vulnerabilities manufacturers have are unsecured IoT devices, unpatched operating systems, denial of service, malware, coin-mining, ransomware and spear phishing.
Taylor noted today’s ICS (industrial control system) environment is difficult to secure because they have traditionally been protected from cyberattacks by physical isolation, an approach that no longer works. Many manufacturers are trying to integrate new technologies while still running part of their ISC systems on antiquated systems like Windows 98 or Windows 2000. A survey by Deloitte also found that only half of companies segment or isolate their ICS networks from their standard networks, a growing problem when deployments of IoT devices are on the rise.
In 2017, an attack by the NotPetya virus forced Merck to halt production. A Honda facility in Japan was also forced to shut down production last year after the WannaCry virus infected the network. While nearly half of survey respondents to the NCMS survey said they had no breaches, 18 percent admitted to a removable media breach, 12 percent said they had an “other” breach and 9 percent said they had a denial of service attack.
“Even with a hardened target, no organization is ever fully immune to attacks.”
Taylor said in a whitepaper at the organization’s website that small manufactures are especially at risk as they often ignore the topic because of a lack of time and in-house resources. As a result, many who rely heavily on technology for production do not have a cyber protection plan in place to protect their critical assets.
Deloitte Risk and Financial Advisory principals Rene Waslo and Tyler Lewis said in a sponsored post on The Wall Street Journal that today’s connected technologies can increase the risks manufacturers face. While technologies like IoT, analytics, robotics, artificial intelligence and other advanced technologies can bring great benefits, the “elevated threats” can’t be ignored, said Waslo and Lewis.
Manufacturers must implement integrated cybersecurity plans that cover the three essential areas of digital supply networks, smart factories and connected devices. An integrated approach should build in security from the start and protect sensitive data throughout the lifecycle with strong encryption, AI and machine learning solutions to create robust and responsive threat intelligence.
As these connected technologies will only become more complex and integrated in the future, Waslo and Lewis noted there is no “simple patch or fix.” Manufacturers must continually reassess their business continuity, disaster recovery and response plans. “Even with a hardened target, no organization is ever fully immune to attacks. Cyber resiliency begins with accepting the fact that someday the organization could fall victim and then carefully crafting a plan for readiness, response, and recovery. Clearly defined roles, war-gaming exercise, and post-even analysis can all help,” said Waslo and Lewis.