The Lingering Impact of Cyber Risks on Manufacturing Sector
Published on : Saturday 09-07-2022
Cyber-related risks for manufacturers are likely to broaden with increasing digitisation, cautions Titli Chatterjee.
The value of manufacturing takes on an added dimension with the sector going through a transformation in the post Covid-19 world. On the other hand, as the man-to-machine interaction continues to be shaped by increasingly advanced technologies, manufacturers have been blowing hot and cold with the cyber-related risks. The sector is a significant target of cyber-criminals and can result in the theft of sensitive data, disruption of access to systems or operational technology. Research indicates that production time was distinctly impacted, followed by loss of personally identifiable customer information.
Moreover, cyber-related risks for manufacturers are likely to broaden with increasing digitisation. Not so long after the SolarWinds attack, the REvil (Ransomware Evil) has been identified by US intelligence agencies as responsible for the attack of one of America’s largest beef producers, JBS. Such attacks on manufacturers across the industry are becoming common and the growing reliance on digital technologies has amplified the risk. This situation calls for a greater understanding of the cybersecurity implications of the sector.
Seldom does a week go by that there is no cybersecurity incident covered across sectors. While the growing threats are troubling in themselves, this represents only the tip of the iceberg. One of the primary concerns is that many such cyber-attacks go unreported as incidents at the factory floor or individual businesses fail to notice them, also response time is much more compared to the occurrence of the event. Cybersecurity is not a separate technology that we are talking about; it is a foundational set of systems spanning technology, process and people for Industry 4.0 and beyond. A recent survey among 120 global cyber leaders from 20 countries identified that leadership support is critical to adopting cyber resilience within an organisation. Given that the technologies are constantly shifting and evolving at rapid pace, spurred by the internet of things, artificial intelligence and automation advancements combined with increasingly capable hacking resources available to the cyber criminals, there must be a synchronisation in the end-to-end manufacturing value chain consisting of all the stakeholders involved in the process. After months of struggle enterprises are now moving from restoration towards regrowth. While many perceive the Connected Factory, Connected Supply Chain, and the Digital Manufacturing as few of the imperatives of Smart Manufacturing, the divergence between traditional process and advanced manufacturing methods is based on the possibilities of current improvements on addressing critical challenges of cyber risks.
Manufacturing – The favourite threat target
1. The IT/OT Fuss – While the Enterprises are leveraging a wide array of technologies as they believe different applications are critical to build up a smart manufacturing environment and respond to the challenges; a major technology concern globally continues to be cybersecurity with the increasing security threats related to numerous IoT, IIoT devices and initiatives. Various research studies indicate that manufacturing and supply chain is one of the most targeted industries by ransomware perpetrators, and this is going to persist in the coming years too. This industry is often in a constant wave that is impacted by the economy, unprecedented natural disasters like the pandemic, funding issues and vendor management by the small and medium enterprises. It is difficult to invest in IT staffing and most of the enterprises are hesitant of moving from legacy set-ups. Hence, manufacturers are always pressed to focus their resources on operational efficiency at the expense of non-core functions of IT hazards and cybersecurity.
There is also a dire need to address the IT/OT Convergence, as many organisations have been bringing together their information technology (IT) and operational technology (IT) in conjunction with the business in a bid to improve operational efficiency and customer service. This has resulted in newer security challenges in areas of overlap including people, process and technology between the IT and OT ecosystems. The weakness in the cybersecurity posture of organisations occurs due to multiple deployment of technologies with minimal involvement from corporate IT departments or cybersecurity teams. Additionally, the wide usage of IoT devices in manufacturing is blurring the space between information and operational technology.
2. Ecosystem Vulnerability – Looking at the digital ecosystem, small and mid-size enterprises (SMEs) connected to an organisation’s network represent the maximum vulnerabilities. Growth in network connectivity is increasing the threat exposure and more exploitable by the hackers. Research indicates 52 percent of SMEs have experienced a cyber attack in the last year. Organisations with fewer than 500 employees had an average data breach cost of $2.98 million per incident in 2021. Manufacturers have not been successful in automating assets and data visibility along with threat reduction at scale. Around one in three industrial control systems (ICS) were exposed to threats in the first half of 2021. According to a recent survey, of the 33.8 percent of ICS machines that were targeted in 2021, malicious email attachments comprised 3 percent of the attacks, while internet-based threats dominated (18.2%) and removable media (5.2%). The ICS systems included Supervisory Control and Data Acquisition (SCADA), data gateways, data storage servers, human-machine interfaces (HMIs) along with computers used for industrial network administration.
The ability to anticipate and quickly recover from malicious disruptions and threats is another concern that manufacturers need to address. Enforcing cyber resilience for faster incident response processes will help to minimise the vulnerabilities. Accountability and visibility in the ecosystem are the significant aspects for a secured business, and manufacturers are trying to figure out the best possible approach to resolve the cyber challenges and prevent production downtime, along with other manufacturing complexities.
3. Progress towards a strategic model – To implement new or improved techniques and methods for manufacturing and adding the smarter essence to the system, enterprises must develop internal capabilities and address high-impact challenges. Manufacturing is premised on different emerging and enabling technologies, but a plethora of companies struggle with the actual implications. So, when these enterprises formulate the smarter manufacturing vision, they may be thrown off balance. Though these may seem up in the air, capturing these five strategic imperatives may help the manufacturers in understanding the ramification of building a secure and smart process.
Crisis is an accelerator for digitising the processes. Manufacturers should heed the call to increase rate of production, address bottlenecks, reduce downtime, and human errors in addition to cost savings. Though machines are not infallible digital initiatives and automation do create a safer environment and drive productivity. However, to build trust in intelligent solutions, governance is essential. It can help maintain a balance for increased machine dependency, monitor performance, mitigate issues, and encourage enterprises to adopt newer ways of working. Nonetheless, machines can only replicate high-levels and partial cognition and cannot excel in creative thinking like humans. This is where the workforce is encouraged in developing skills and innovation to address security challenges, while building a smart manufacturing system.
As the gap between business and security widens cyber leaders are seeking solutions or partnerships to resolve evolving threats, defend and adapt with a well-planned budget and attune to further deployments of frontier technologies. Also, having visibility to the extended network of the supply chains and third-party ecosystem is gradually becoming a mandate to the cybersecurity strategy framework. To bridge this gap between the business and the security team, the immediate call-to-action should somewhat look like below:
1. Prioritising the cyber in business decisions
a. The security focused executives should develop a deep understanding of critical business operations and interpret cyber risks into business impacts
b. Include cybersecurity and cyber resilience in business strategy, and
c. Include the security executives into the formulation of the corporate governance and compliance process.
2. Bringing in the leadership role
a. Collaborate with business executives and become a strategic partner, align security strategy accordingly
b. Ensure regular communication between cyber and operations teams and prepare a sufficient cybersecurity budget, and
c. Build cybersecurity as a strategic investment and a business enabler
3. Building the right talent pool
a. Addressing the talent shortage and the associated risks with unaligned resources
b. Drive growth by organising initiatives, workshops, trainings to upskill security staffs and other skilled resources, and
c. Focus on progression for cyber teams and accelerate onboarding of cyber talent
While we cannot entirely focus on how these advanced/frontier technologies will influence the plant or the factory floor, the challenges mentioned are something we need to address right away. At this stage of mass deployments and installation of technologies, it is imperative that enterprises better incorporate cyber resilience in the strategic framework or analytics process of cyber threats, enabling for prediction of disruptions and faster resolutions for potential cyber disasters.
Titli Chatterjee is Senior Lead, SME – Smart Manufacturing Practice, ISG (Information Services Group). She is closely working with the industry thought leaders, advisors, consultants and other stakeholders in formulating research practices for smart manufacturing, also focusing on other industry challenges/trends and highlighting how technology can be a game changer at the industrial front.
