Manufacturing companies currently exist in a period of rapid change deemed the Fourth Industrial Revolution. Driven by technological innovation, this era offers unparalleled productivity and potential, not only to multi-million dollar international industry leaders but also to small and medium-sized businesses, because many of the technologies involved do not require a significant financial investment.
While this offers many opportunities for manufacturers, their partners, and consumers to benefit from new technologies, it also comes with significant cybersecurity risks. Manufacturing is already a prime target for cybercriminals. In 2022, the manufacturing sector had the most cyberattacks (25%), followed by finance and insurance (19%).
The increasing adoption of robotics, IoT (Internet of Things) technology, and automation creates many opportunities for hackers in a sector that has not prioritized cybersecurity in the past. Whereas machinery was sometimes air-gapped in traditional manufacturing scenarios, isolated processes are becoming impossible with modern technology.
As manufacturing continues to evolve, cybersecurity will become even more complex. This post examines cyber risks affecting the manufacturing industry and offers some considerations so that manufacturing companies are not blindsided by the IT infrastructure and cybersecurity requirements of Industry 4.0.
Manufacturing Innovations Increasing Cyber Risk
New technologies are leading to the creation of smart factories, in which digitization and interconnected devices benefit productivity, flexibility, awareness, and efficiency. However, digitization and interconnectedness massively increase attack surfaces.
For the most part, cyber threats are broad and can affect the entire industry. Some technologies are prone to certain potential vulnerabilities, but it’s more useful to consider that new technologies enhancing the manufacturing sector may also increase attack surfaces, providing more endpoints via which hackers can access systems.
The primary drivers of manufacturing advances include the following technologies. Each is associated with overlapping and severe cyber risks, listed in the section after.
Artificial Intelligence (AI) and Machine Learning (ML)
ML, a subset of AI, is a major driver of change in manufacturing. ML involves using computer algorithms that can be trained to improve themselves. With numerous applications, this technology leads to more productivity and efficiency, faster product development, and better quality control, among other benefits.
ML is particularly useful in inventory and supply chain management, in which areas it can learn to predict demand and understand typical business patterns. It can also aid productivity and reduce downtime by anticipating repair and maintenance needs.
However, the recent advancements in AI technology also increase the risk of its use by cybercriminals. While AI can boost productivity and manage manufacturing processes, it also represents a new method cybercriminals can use to attack the industry.
Big Data Analytics
Big data refers to data sets too large for traditional processing software. Modern, customer-driven businesses are familiar with the advantages of accurate data to create customer profiles and make more accurate decisions.
In manufacturing, big data analytics is often used in conjunction with Industrial Internet of Things (IIoT) devices and ML for producing real-time responses to environmental data. More data, however, makes organizations likelier targets for cybercriminals, since it increases the potential impact of a data breach.
Internet of Things (IoT) / Industrial Internet of Things (IIoT)
Increasingly, manufacturing companies are using physical devices with sensors and software (wearable tech) to communicate information about the physical world and make changes on the fly. Industrial applications include IIoT endpoints used as industrial control system (ICS) devices since many can contain an actuation component.
According to some estimates, there will be more than 80 billion connected IoT devices by 2025. Three-quarters of those are predicted to be used in IIoT. The danger here is that each additional IIoT device is another endpoint and another potential vulnerability. Increased connectivity among devices can facilitate a cyber attack leading to data theft and business disruption.
Proper security measures must be in place for every wearable. Without proper authentication, hackers could easily use IoT devices to steal personal data, conduct phishing attacks, spy on business processes, and achieve unauthorized access to networks.
5G
The 5th generation wireless network is software-based, making it much faster and more flexible than its predecessor, 4G. Cellular calling is not the focus of 5G. Rather, bandwidth can be shared dynamically for multiple uses.
Its massive speed increase and various applications facilitate manufacturing’s use of new technologies, not least of all IIoT devices that demand enhanced connectivity to function as intended. The speed and wider use of 5G connectivity increase the cyber risk for businesses, particularly those in manufacturing.
Robotics
Robotics is not essentially a new technology (fully automated robots have been used in computer manufacturing for years), but it is still seeing advances and increased adoption in recent years.
The automotive industry already relies heavily on robotic process automation. There, robots do the work of 50% of the workforce required to make automobiles and trucks, and the industry will continue its investment.
Relying on this technology, though, means that a cybercriminal can use malware to disrupt industrial processes. The affected business may then have to shut down or revert to manual processes, both of which could lead to significant financial losses, business disruption, and even the end of the company.
3-D Printing (Additive Manufacturing)
Creating 3D objects from CAD drawings has been particularly useful for prototyping in manufacturing. Across industries, it speeds up design and production. It has seen useful applications in aerospace, among other critical manufacturing sectors.
However, manufacturers need to be aware that 3D printing technology can be susceptible to design leaks and intellectual property theft. 3D printing often uses cloud computing for processing and storage, further increasing the cyber risk associated with this technology.
Virtual Reality (VR) and Augmented Reality (AR)
VR is an immersive experience in a digitally rendered environment, whereas augmented reality refers to the layering of digital information over the physical world. The latter might take the form of supplementary information appearing in a pair of glasses or a headset.
Both will see increasing use cases for worker training and product development. VR could be particularly useful for training for work in hazardous conditions or for simulations of situations that would be tricky to achieve in reality, such as flight simulators.
Still, virtual reality and augmented reality devices increase attack surfaces. Without proper security measures, they provide an access point through which hackers could steal personally identifiable information and access credentials or cause damage to both software and hardware.
Top Cybersecurity Risks for Manufacturing Companies
Manufacturing already attracts attention from cybercriminals due to the combination of its many endpoints, legacy systems, long supply chain, and the wide-reaching impact of business disruption. Furthermore, Industry 4.0 is increasing the number of potentially vulnerable endpoints and the subsequent complexity of cybersecurity solutions at an alarming rate.
In 2022, 23% of manufacturing industry cyber attacks were via network and application anomalies, and 19% were system anomalies. More than a third (37%) were related to malware. Organizations must ensure that they have addressed these potential areas of weakness before increasing attack surfaces.
The following are some of the top risks and key considerations for manufacturing companies assessing their security postures.
Intellectual Property Theft
Intellectual property theft via cyber espionage can give rivals an unfair business or economic advantage, particularly if a nation-state sponsors the attack.
The theft of an innovative business process or product design can not only be detrimental to a company’s future as it weakens its position in the market, but it can signal the death of the company if it loses a significant competitive advantage.
Stolen intellectual property may be resold or used by the acquiring parties. Things get even more serious when we consider that intellectual property theft may occur in the defense sector. The theft and resale of military secrets can not only destabilize the economy but also risk human life.
One of the challenges with intellectual property theft is that it is difficult to prove. Two firms may produce the same technology or product at about the same time, but without adequate cybersecurity practices, organizations don’t necessarily know they have been hacked. As with most kinds of cybercrime, prevention is more efficient and less costly than cure.
Nation-State Sponsored Attacks and Cyber Espionage
One particular concern for the manufacturing sector is attacks from nation-states. Taking down a manufacturing company can cause long-term and widespread disruption for a city or a country. Because these companies have many business partnerships and long supply chains, disrupting the right company at the right time can destabilize the economy.
Cyber espionage is a major issue for manufacturing, too. There is plenty of motivation for competing firms to sponsor cybercriminals to spy on manufacturing companies and steal proprietary data and intellectual property.
Stealing another company’s research and product designs can help a rival firm or country equal or surpass its competition without the investment of time and money. This can be devastating to the victim and can affect an entire country’s competitive advantage.
Companies may also seek to disrupt their rivals by launching incapacitating attacks on operational technology, such as Distributed Denial of Service (DDoS) attacks or ransomware attacks. Advanced ransomware attacks not only encrypt data but also include malware that specifically disrupts industrial processes.
Social Engineering Attacks
Social engineering and phishing attacks are a massive risk to manufacturing, particularly following the rapid and widespread adoption of remote working during the COVID-19 pandemic. This led to many workers using unvetted devices to connect to work networks and a lack of security standardization to protect those networks.
Subsequently, employees have been at increased risk of phishing attacks, in which bad actors aim to obtain personally identifiable information or other sensitive data via manipulation or trickery.
Cybercriminals can use this information to gain unauthorized access to manufacturing company networks. They could also use the information they learn to impersonate management and manipulate employees into revealing secrets or performing actions, such as making transactions.
Phishing is also a serious threat because it is a vector to ransomware, where threat actors encrypt business-critical data and demand money in return for the decryption key.
Cybercriminals can launch ransomware attacks without technical knowledge by purchasing Ransomware-as-a-Service (RaaS) on the dark web. They can attack at scale, paralyzing major industrial companies and affecting multiple supply chains.
Downtime is money in any business, but perhaps this is most strongly felt in manufacturing. A loss of production time can mean a massive loss of revenue for a manufacturing firm.
Supply Chain Attacks
A typical manufacturing firm has long supply chains. An attack that targets the supply chain can have a huge ripple effect, potentially damaging multiple operations. Not only do supply chains offer cybercriminals the potential to cause mass disruption, but they also provide hackers with many ways to get into the system or systems.
Manufacturing firms tend to have fragmented security, meaning hackers don’t expect a unified response to their attacks. Attacks can go unnoticed, followed by chaos and confusion, which leads to massive losses and damages.
The scale of a supply chain attack is enough to take down international brands and destabilize critical infrastructure. The SolarWinds cyber attack, for example, took down multiple organizations, including Microsoft and government agencies. The attack was discovered in December 2020; its effects are ongoing, and it may be years before we can measure the financial fallout.
In 2021, the Colonial Pipeline attack shut down almost half the fuel supply in the east of the US. The hackers’ attack on JBS Foods affected one of the world’s largest meat providers. Supply chain attacks, therefore, can be particularly dangerous and offer other countries unearned economic advantages.
These latter disruptions were resolved by paying the attackers. Not only can ransomware demands be extremely costly, but fewer cyber insurance firms are covering payouts. Moreover, there is no way to know that anonymous criminals will restore the critical data they encrypted.
Of firms that have paid ransoms, relatively few received all their data. And there’s no guarantee that the same hackers haven’t left themselves a backdoor through which to access the system again in the future.
Integrating Information Technology and Operational Technology Security
The manufacturing industry is one of the fastest-changing parts of the global economy, which means there are dramatic changes in the amounts and ways that data is used, processed, stored, and accessed. As an existing target for cyber adversaries, manufacturing firms will benefit from doubling down as soon as possible to secure their systems.
Manufacturing is too big to have a single regulatory framework. However, standardization of certain cybersecurity requirements is inevitable.
2020 saw the introduction of the Cybersecurity Maturity Model Certification, developed by the US Department of Defense, and the IoT Cybersecurity Act, creating minimum standards for firms supplying government agencies. The main idea is that companies shouldn’t wait for regulation that legally applies to them but do all they can to improve their cybersecurity proactively.
The manufacturing sector can protect itself from downtime, loss of reputation, and the financial costs of cybercrime by following the best cybersecurity practices now. This will make them as secure as possible and provide a robust cybersecurity infrastructure on which to build future improvements and comply with future regulations.
One of the main issues of manufacturing businesses is their need to update their IT in line with their advancing operational technology. At the same time, manufacturing cybersecurity requires understanding the challenges of integrating two different approaches to security.
CIA vs. CAIC
Managing multiple technologies can lead to incompatibility and unnecessary complexity, not least of all when it comes to maintaining security across various systems. IT (information technology), therefore, needs to be involved to ensure new technology can be securely integrated with the existing IT infrastructure.
Security needs to include digital and physical assets, which means marrying two approaches and sets of priorities.
For IT security experts, CIA (confidentiality, integrity, and availability) is the typical underpinning guideline:
- Confidentiality — IT practices must protect sensitive data
- Integrity — Protected data needs to be up-to-date and intact to maintain its usefulness and compliance with applicable regulations
- Availability — IT cybersecurity aims to ensure that stakeholders can access and process data when necessary
Traditional operational technology (OT) security, on the other hand, adheres to CAIC — the following set of priorities:
- Control — For the operational technology security expert, control is paramount. In manufacturing processes, the organization must retain control of its machinery to keep production going and maintain the safety of the processes.
- Availability — Downtime carries a high cost and has the potential for massive disruption due to long supply chains
- Integrity — Inaccurate or incomplete data could risk the safety of those involved in the industrial processes or end users of the products
- Confidentiality — It’s only after the other factors are satisfied that the confidentiality of data is considered, the polar opposite of its priority in IT security.
A future in which information technology (IT) and operational technology (OT) are combined needs to combine these two approaches to security. To do so, cybersecurity stakeholders, such as the chief information security officer (CISO), must be involved in operational decisions. Cybersecurity and operations need to be prioritized, integrated, and well-documented.
Key Security Vulnerabilities in Manufacturing
Business leaders must appreciate that new, advanced technologies lack adequate cybersecurity systems. Businesses are implementing new IT systems into existing infrastructure that doesn’t have the means to secure them.
While manufacturing businesses have cybersecurity, many early adopters of new technologies (including automotive, electronics, and mechanical and plant engineering) are unprepared for current threats. Many more are unprepared to deal with emerging cybersecurity threats associated with these new operational technologies.
Cybersecurity challenges plague the manufacturing industry due to the use of legacy processes and equipment, much of which was never intended to be connected to the Internet. Such machines usually lack the security measures required for safe connectivity.
For some businesses, the cost of upgrading machinery is prohibitive. For those that find the cost of machine upgrades less daunting, there is still the problem of incompatibility issues and updates leading to potential instability. This situation causes some manufacturers to continue using legacy processes that become increasingly vulnerable to attack by hackers.
Brute force attacks on legacy hardware and software are easy for attackers. Hackers can also perform targeted attacks on known vulnerabilities in legacy equipment.
Manufacturing systems are often sprawling compared to systems in other industries. They can often be fragmented across departments, making them challenging to manage and secure.
Lack of Basic Cybersecurity
The financial sector and healthcare have always had direct links with consumers and used the Internet to connect with them. Manufacturing, however, has not had the same experience of connecting with consumers and processing sensitive data online.
In many cases, internet connectivity throughout manufacturing operations is relatively new. Many operations lack basic cybersecurity practices, such as authentication, recognizing phishing attempts, safe web surfing practices, physical device management, network security, and more.
Cybersecurity for Critical Manufacturing Businesses
Critical manufacturing businesses are vital to the US economy, creating the infrastructure that many sectors rely on. A risk to manufacturing risks the supply chain of many industries.
Critical manufacturing operations include:
- Aerospace and defense
- Food and beverage
- Industrial manufacturing
While it may not deal with customer data to the extent of businesses in the financial sector, such as insurance, or the sensitive information of healthcare businesses, manufacturing data is critical to their operations and the many businesses and individuals that rely on them. Establishing and maintaining strong cybersecurity is paramount.
Developing Cybersecurity Controls for Manufacturing
According to IBM’s 2020 X-Force Threat Intelligence Index, there has been a 2000% increase in attackers targeting OT environments year on year.
Some of the most devastating attacks on manufacturing include:
- Mondelez International (2017) — Disrupted by NotPetya ransomware, which was revealed to be a nation-state attack with links to Russia. The attack on the international food manufacturer damaged 1700 servers and 24,000 laptops, causing widespread disruption to its distribution processes and customers, and triggering many insurers to exclude nation-state cyber attacks.
- Renault-Nissan (2017) — Several operations of the car manufacturing giant were brought to a halt by WannaCry ransomware. While the massive attack affected organizations across 150 countries, Renault lost output from five sites around the world as it stopped production to deal with the attack.
- Norsk Hydro (2019) — The multinational aluminum and renewable energy business was forced to close many plants following attacks with LockerGoga ransomware. The organization detected unusual activity at about midnight on 19th March 2019 and disconnected its worldwide network by 5 am. For more than a month, most of its 160 manufacturing locations operated manually.
These are just some of the biggest attacks on manufacturing, but they are by no means isolated incidents. Regardless of the size of organizations, cybersecurity best practices can prevent data breaches.
The following are the top cybersecurity activities that manufacturing companies should be using.
Cybersecurity Maturity Assessment
A good first step for building on or developing cybersecurity controls is to perform a cybersecurity maturity assessment. Determining the organization’s current systems, policies, and procedures gives it the grounding it needs to define its security posture and prioritize steps to remediate issues.
The cybersecurity maturity assessment should consider the business’s cybersecurity culture. Awareness and engagement with cybersecurity at all levels are key to protecting a business and its information from attacks.
Cybersecurity Risk Assessment
Regular cybersecurity risk assessments are imperative for any organization, but especially for those in rapidly changing industries such as manufacturing.
A risk assessment is at its most accurate and, therefore, most useful the moment it is performed. With a rapidly-evolving cyber threat landscape, more frequent risk assessments will give stakeholders a more accurate view of the latest cyber threats and their potential impact.
The cybersecurity risk assessment will identify critical systems and assets, which are also subject to frequent change in the Industry 4.0 ecosystem. Such assessments are essential before and after implementing new technologies.
Another way to assess risk is to use a security ratings service, such as UpGuard. These ratings change and update dynamically according to the organization’s security posture and security control effectiveness. Viewing these scores can help organizations gain an instant overview of their company’s biggest risks and begin their risk remediation prioritization processes.
Use a Cybersecurity Framework
Cybersecurity frameworks help establish road maps and basic security control guidelines that manufacturing companies can implement. Since there are no manufacturing sector-specific frameworks currently, organizations can use NIST, one of the most flexible cybersecurity frameworks. Manufacturers can use NIST security controls to build or enhance a firm’s operational security.
This robust cybersecurity framework can help create a business’s defensive strategy, including the development of documented policies and procedures necessary to secure both information technology and operational technology.
Education remains one of the best ways to help organizations meet the challenges of protecting information. Cybersecurity training should begin for all new employees during the onboarding process and continue throughout their lifetime with the organization.
A workforce with a foundation in cybersecurity awareness and the legal and moral requirements to protect sensitive or critical information is more likely to spot unusual activity and report it or act on it, preventing data breaches or limiting damage.
Cybersecurity training should include education on how to recognize and react to phishing attempts, the use of strong passwords and multi-factor authentication, and physical security.
Strong Password Policies and Multi-Factor Authentication (MFA)
One of the benefits of strong password policies is that they can be implemented quickly with immediate benefits. Strong passwords that cannot be breached or easily guessed are one of the best first lines of defense against hackers.
Similarly, authentication protocols add an extra layer of defense to verify a user’s identity. While MFA is not infallible, it does provide much stronger network security than using a password alone, making it harder for hackers to achieve their goals.
Updates and Patches
Most patches are software updates that address security issues, largely fixing known vulnerabilities. Manufacturing is inundated with issues related to the use of legacy machinery. Applying patches whenever possible can limit those areas of weakness. Failing to update or patch systems or software to the latest version puts employees at risk of potential exploits and hacks.
Disaster Recovery and Resilience
It’s better to avoid a data breach than to deal with one in progress. That said, following cybersecurity best practices will lower a company’s risk of a data breach, but it doesn’t reduce risk to zero.
Responding promptly to a data breach helps to minimize its associated costs. Norsk Hydro’s response to its 2019 ransomware attack, for example, demonstrated great transparency. They informed all stakeholders quickly and kept them up-to-date with daily webchats, frequently responding to viewers’ questions.
The key to a prompt, effective response that saves reputation and minimizes costs is a written incident response plan. An incident response plan needs to include the names, contact details, roles, and responsibilities of everyone in the incident response team, as well as a clear description of steps to take in a variety of situations.
An incident response plan or disaster recovery plan for a manufacturer also needs to consider the fact that their data is now more distributed than years ago. Making the most of analytic capabilities could make data recovery more efficient and effective.
As in the case of Norsk Hydro, manufacturing companies should identify which systems can be quickly and safely disconnected from the Internet in the event of a cyber attack. And they will benefit from having developed manual processes to keep things going while the system is locked down.
Backups need to be tested regularly to ensure that an organization can restore mission-critical data, such as service contracts, product keys and licenses, and configuration information in the event of a data breach or another cyber incident.
With IIoT, manufacturing organizations must prioritize rethinking their connectivity. Cybercriminals have many access points via IIoT devices. Once breached, hackers can move laterally through networks very quickly.
While the creation of such devices is unregulated, purchasers must perform due diligence regarding the security of these products. Many IoT devices lack the ability to support a firmware update or to apply a patch. Manufacturers must assess, mitigate, and remediate the risks of using connected devices.
If endpoints cannot be adequately protected, network segmentation can help keep sensitive data secure by keeping it isolated. Strict access control policies can reduce the risk of a data breach, especially in conjunction with zero-trust architecture. Furthermore, encryption can reduce the risk of a bad actor viewing or manipulating transmissions.
Supply Chain Risk Management
With especially long supply chains that can be global, it can be particularly difficult to monitor and manage associated risks. Manufacturing firms tend to work with many interconnected companies, which means many potentially vulnerable endpoints.
Hiring expert staff to monitor supply chains can help businesses identify risks, assess their likelihood and impact, and take steps to defend against supply chain attacks.
The WannaCry ransomware attack started on a Friday. It’s not unusual for cyber attackers to target businesses at the weekends and during the night when businesses tend to be at their least attentive and least able to deal with attacks.
Continuous monitoring takes care of this issue by providing a watch 24/7. Monitoring can spot attacks before they take hold or allow cybersecurity teams to respond quickly, limiting potential damage, preventing disruption, and minimizing downtime.
By leaning on artificial intelligence for cybersecurity, manufacturing companies can ensure a fast response to cyber threats, including threats that have yet to be encountered.
Through big data analytics and machine learning, AI cybersecurity can not only achieve real-time threat detection every moment of the year, but it can also automate responses.