Connected Devices and Industrial Control Systems Expose Manufacturers to Cyber Threats

While supply chain managers have been focused on mitigating risk from hackers for some time now, Fortune 500 companies remain skeptical about who's winning the race.

Nearly half of surveyed manufacturing executives lack confidence their assets are protected from external threats, according to a new study from Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) on “Cyber Risk in Advanced Manufacturing.”

Study results indicate nearly 40 percent of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38 percent of those impacted indicated cyber breaches resulted in damages in excess of $1 million.

As reported in SCMR earlier this year, cyber security has been an ongoing concern of the National Retail Federation as well.

“Manufacturers are innovating at an unprecedented rate, integrating cutting-edge technologies in products, automating the shop floor, connecting supply chains, and increasingly investing in valuable intellectual property,” said Trina Huelsman, vice chairman, Deloitte & Touche LLP and US industrial products and services leader. “While these advancements should position them for future growth, the industry is also likely to experience an acceleration in the velocity and sophistication of associated cyber threats. Cyber risk and innovation are closely linked, and through our study, we have identified leading practices manufacturers can implement to address these emerging risks and make their companies more secure, vigilant and resilient.”

Motives and means of attack
Surveyed manufacturers noted the top motives of cyberattacks to be financial theft, intellectual property theft, and targeted attacks on senior executives for financial gain or access to company strategies or investments. These manufacturers reported that in the past 12 months, the highest number of incidents originated within the organization (46 percent), while 39 percent came from external sources and 15 percent originated from vendors and business partners. Top threats arising from within the organization include phishing/pharming (32 percent), direct abuse of information technology systems (25 percent), errors/omissions (26 percent), and use of mobile devices (24 percent).

Intellectual property – the No. 1 risk to manufacturers
Intellectual property can constitute more than 80 percent of a company's value according to Ocean Tomo's “2015 annual study of intangible asset market value,” In the study, 36 percent of manufacturing executives said that intellectual property tops the list of data protection concerns, followed by consumer data (32 percent) and accidental disclosure of personal information (29 percent). In addition, significant and increasing concern exists around more sophisticated state-sponsored attacks on intellectual property. Preventive and detective data protection strategies can help companies to secure their data from the inside out and capture the value of their investments in intellectual property.

“Cyber risk is a critical part of every manufacturing environment and demands attention from every employee, contractor, and business with whom a company interacts,” said Stephen Gold, president and CEO, MAPI. “The most effective approach will rely on more than the CIO or CISO by also engaging the board and C-suite. Company leadership needs to understand their comprehensive cyber risk profile to appropriately allocate resources to mitigate risk.”

Cyber risk on the shop floor
Industrial control systems operate highly automated manufacturing processes where employee safety, environmental protection, and operational efficiency are of paramount importance. Yet, 50 percent of surveyed companies indicate they perform vulnerability testing for industrial control systems less than once a month and 31 percent have never done an assessment. These are essential tools for identifying and mitigating cyber risks on the shop floor and clarifying organizational responsibilities between IT and operational technology employees. By implementing technologies to provide automated 24/7 cyber threat monitoring, manufacturers can become more vigilant in protecting critical manufacturing operations.

“To date, many companies have attempted to isolate the networks associated with their industrial control systems with an air gap, essentially a physical barrier between the industrial control systems networks, enterprise networks and the internet,” said Sean Peasley, partner, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. “However, if they haven't actually tested the accessibility of these systems, they can miss hidden access points that could be vulnerable to attack. An air gap strategy is also contrary to industry trends in digital manufacturing, which are designed to generate cost-savings, automation and efficiency benefits.”

Connected products, exponential risks
Increasing reliance on technology-enabled connected products brings a new set of risks to manufacturers. Among executives surveyed, 45 percent said their organization uses mobile applications and 35 percent cited sensor controls. However, 40 percent of respondents said they have not yet incorporated connected products into the company's cyber incident response plan. Planning ahead before a breach occurs — so the entire organization is prepared to respond and quickly neutralize threats — can help companies become more resilient. Leading companies design security into connected products and integrate them into the cyber program from the start. This is important because 76 percent of companies surveyed transmit product data using Wi-Fi, and 52 percent reported that their connected products store and/or transmit confidential data, including Social Security and banking information.

“Through the cyber risk in advanced manufacturing study, we identified both potential vulnerabilities and some great leading practices that manufacturers can leverage to deter attack and prevent loss of critical information and assets,” said Gold.

SC
MR