Cyber threats are increasingly prevalent in this sector resulting from a rising digitization of manufacturing processes and complex networks which introduce a growing number of potential security vulnerabilities. A 2017 manufacturing report found that 53% of the companies surveyed had experienced a cybersecurity breach. The report also noted that the manufacturing sector is dramatically under-investing in the best practices of cybersecurity. The sector knows it too - A 2019 survey of the transportation manufacturing sector found that 64% of companies acknowledged they are not doing enough to secure their IoT systems from cyberattacks. Manufacturing companies know they are not safe - and the consequences could be catastrophic for their operations and customers.
Manufacturers are a frequent target of hacking attacks. According to a report from the U.S. Department for Homeland Security, manufacturing is the second highest sector target of cyberattacks behind the energy sector. To maintain operational integrity, manufacturers seek to achieve three key objectives:
A Kaspersky Lab Survey of IT managers published in Virus News found that “21% of manufacturers suffered a loss of intellectual property (IP) within the past year.” The most cited reason was malware, although software vulnerabilities and stolen mobile devices were also cited as causes.
A survey among IT and operational technology professionals revealed that 7 out of 10 were worried about physical damage to computers and industrial systems that could result in extensive repairs or even casualties.
According to the New York Times, manufacturers remain slow in recognizing cybersecurity risks. Boeing, one of the leading aerospace companies was cyber attacked by the ‘WannaCry’ computer virus in 2018. Boeing noted that some of its manufacturing equipment to build its 787 Dreamliner and 777 wide-body jets were crippled from the cyberattack.
In the transportation sector, car manufacturer General Motors (GM) has released plans to mitigate cyber risk. Jeff Massimilla, GM’s Vice President of Global Cybersecurity, noted that their top priority is to insulate manufacturing from disruptions and stoppage.
Manufacturing operations rarely consider cyber threats but in recent years, a rapid increase in malware designed to target industrial control systems such as brute force attacks on Supervisory Control and Data Acquisition (SCADA) systems is forcing them to pay attention.
With an advanced persistent threat, or APT, a system intrusion occurs gradually where a hacker is able to access a system through a phishing email containing malware. Some of the results of such sophisticated attacks could include compromised IP, jeopardized personal identifiable information (PII), liability, legal expenses, and potential reputation damage. The damage from an APT could cost hundreds of millions of dollars. Since cybersecurity has typically been considered an issue for the corporate office, as it has not been recognized as a possible cause of business interruption or down time - the risk for the manufacturing sector is high.
Cybersecurity automation platforms and tools can assist with gathering data for monitoring and analysis, keeping track of hardware and software assets, and ensuring that virtual and physical assets remain patched and current. This automation assists in conducting vulnerability assessments to recognize any new risks, to improve visibility that would result in reducing downtime. As reported by Deloitte, companies need to remain vigilant about cybersecurity automation and analytics due to its potential importance.
Supply chain threats within the manufacturing sector involve attackers focusing on the supply chain's weakest points to obtain access to a larger business partner with more valuable data.
Company CISOs have reported that "understanding their supply chain and its vulnerabilities is an even greater challenge in manufacturing than in other industries where greater central IT security control is exercised."
Supply chain threats are not just damaging to the manufacturing process but could jeopardize an organization's business relationships. As cybersecurity threats experienced domestically by U.S. manufacturers are already high, the global digitized and networked supply chains are creating environments that are increasingly challenging to secure.
Manufacturing companies which are fully connected and integrated with their affiliated and partner factories make them a potentially vulnerable and appealing target. Key areas of concern include:
Intellectual Property Data. Intellectual property is a key competitive advantage for many manufacturing firms. Unfortunately, 21% of US manufacturers have suffered from intellectual property loss with 90% percent of this stolen information considered to be secret or proprietary. Based on a recent report from the Verizon Data Breach Investigations, insiders were involved in 60% of all cyber breach cases.
Industrial Control System (ICS) An Industrial Control System refers to a complex network of control systems, which monitors, controls and measures manufacturing processes and infrastructure. According to the Manufacturing Foresight Alliance, the complexity of manufacturing control systems makes them a vulnerable target for cyber-attacks.
The highly integrated nature of many manufacturing system—including operational technology, industrial control systems, interconnected data, network, communications, and software—creates vulnerabilities that offer numerous entry points for attackers.
Many manufacturing firms are using third-party vendors, which expose manufacturers to additional cyber risks. The dynamic and integrated business relationship between a company and a third-party vendor exposes the company to vulnerabilities as a company requires third party software to interconnect proprietary systems. According to MIT, it is difficult for pharmaceutical and biotechnology manufacturing operations to implement consistent security protocols with so many third parties accessing company data.
Employees who are not continuously trained on cybersecurity risks are more likely to put their employer and company data at risk. According to a TechRepublic article, an unqualified employee, especially one who lacks knowledge in cyber security practices, increases the risk of successful cyberattacks.
The Alliance for Manufacturing Foresight recommends workforce training programs on cyber security education for all manufacturing companies' employees, which provides essential information and guides on best practices mitigating human error and risk factors.
According to the US National Center for Manufacturing Sciences, in 2017, data breaches in the manufacturing sector accounted for about 33 percent of all the reported data breaches in the US.
One recent attack on a major global pharmaceutical company from ransomware dubbed 'NotPetya', that led to a disruption of its worldwide operations, including manufacturing, research, and sales operations. Drug production was halted and the company was unable to fulfill orders for certain products in certain markets. They reported that the breach impacted 2017 sales by $260 million and was likely to have an impact of $200 million on 2018 revenues.
The company has implemented, after the fact and the damage is done, a variety of costly cybersecurity measures to further enhance its systems to prevent similar attacks in the future and initiated an enterprise-wide effort to enhance the company's resiliency against future cyber attacks.
The National Institute of Standards and Technology (NIST) has offered two core standard frameworks that directly apply to manufacturing firms:
The Cybersecurity Framework provides a voluntary, risk-based approach for managing cybersecurity activities and cyber risk to manufacturing systems. The Manufacturing Profile is meant to complement, but not replace, current cybersecurity standards and industry guidelines that the manufacturer is embracing.
NISTIR 8259 is intended to help Internet of Things (IoT) device manufacturers understand the cybersecurity risks their customers face, so IoT devices can provide cybersecurity features that make them minimally securable by the people or organizations who use them.
NISTIR 8259 defines a core set of cybersecurity features that manufacturers may voluntarily adopt for IoT devices they produce: "The core baseline addresses general cybersecurity risks faced by a generic customer." This approach helps to lower the cybersecurity-related requirements for IoT device customers, which reduces "the prevalence and severity of IoT device compromises and the attacks performed" using compromised IoT devices.
The US manufacturing sector is the fifth-largest employer in the US, with 11.6 million employees in 2018. Electronics, pharmaceutical, and transportation manufacturers are slowly adopting measures to successfully comply with cybersecurity standards for both IoT devices and as an overall business framework. Sector reports and news sources reveal that while the larger companies in each above sector of manufacturing are taking some steps, a lot of work still needs to be done.
A growing number of CEOs recognize the emergence of data breaches and cyber attacks as the greatest risk manufacturing companies face. That is the purpose behind the development of CyCloud - CyLogic’s flagship offering. We deliver a higher level of security than any public cloud provider. Our team would be happy to discuss how to mitigate the complex challenges the manufacturing sector faces.
The US manufacturing sector produces 16.6% percent of the world's goods and is considered the second largest in the world. These goods manufactured comprise about 50% of the US exports and drive 11.6% of the US economic output, according to the Bureau of Economic Analysis.
FedRAMP - The Gold Standard of Cloud Security
Security has always been about identifying who or what can be trusted accessing data, and what they can do with that access
The last few years have seen a series of high-profile breaches against large institutions, particularly in the banking industry. Many firms have been accused of being stuck in a “90’s” cybersecurity mentality believing that on premise networks, strong firewalls, and anti-virus software were sufficient to ward off most cyber-attacks.
READ more >
Financial Institutions are Vulnerable to Cybersecurity Threats
The Banking and Financial Services Industry is targeted by cybersecurity attackers 300 times more frequently than other industries. Financial firms are spending on average $3,000 per employee on cyber security reflecting a three fold increase in the last four years to combat the surge of state level attacks on their data. Cybercriminals and state sponsored attacks targeting banks are becoming increasingly sophisticated, stealing sensitive customer data for a variety of fraudulent activities.
READ more >
Cybersecurity Challenges in The Aerospace and Defense Industry
Many sectors in a modern economy are perceived to be critical to our nation’s economic well being. The aerospace and defense sector is uniquely positioned as it is crucial not only to the economy but also to national security. A cybersecurity breach in this sector could cause direct financial damage, weaken our national defense and competitive position and put lives at risk.
READ more >