Are You at Risk for Cyberattacks?
That’s certainly not good news! You may be wondering, Is my company at risk? Are we prepared for a cyberattack?
Unfortunately, many are not prepared, according to Gilad Peleg of manufacturing.net. “Industrial and manufacturing companies do not consider themselves a lucrative target for cyber criminals and thus, not surprisingly, have taken fairly minor measures to secure their systems,” wrote Peleg in his article, “Cybersecurity Risks For Manufacturing.” He cited a Kaspersky Labs report published in October 2018 which stated that “in the first half of 2017, manufacturing companies were the most susceptible to cyber threats: their computers accounted for about one third of all attacks.”
Why target manufacturing? Peleg explained, “Sophisticated attackers … are no longer interested in the immediate gain of stealing or extorting money, nor in stealing volumes of low-profit PID like user details and credit card numbers. Instead, they are now after intellectual property (IP). Stolen IP can be used for either purely commercial means (ex. copying a successful product) or to gain an advantage in negotiations and trading.”
He continued, “When hackers aim to disrupt or sabotage, the damage they can inflict on manufacturing facilities can be staggering … Companies in the manufacturing sector must realize that they can no longer ignore this very concrete threat. As a business that lives or dies on continuous operation, being knocked offline and shutting down production lines due to cyberattacks is an unacceptable risk.”
Enough with the bad news! How about some solutions?
The U.S. Department of Commerce can help. In May 2019, its National Institute of Standards and Technology updated the Cybersecurity Framework Manufacturing Profile, which according to its website, “can be used as a roadmap for reducing cybersecurity risk for manufacturers that is aligned with manufacturing sector goals and industry best practices.”
According to the Profile’s Executive Summary, the document gives manufacturers:
- A method to identify opportunities for improving the current cybersecurity posture of the manufacturing system
- An evaluation of their ability to operate the control environment at their acceptable risk level
- A standardized approach to preparing the cybersecurity plan for ongoing assurance of the manufacturing system’s security
The Executive Summary continued, “The Profile is built around the primary functional areas of the Cybersecurity Framework which enumerate the most basic functions of cybersecurity activities. The five primary functional areas are: Identify, Protect, Detect, Respond, and Recover.”
The Profile can help you address questions such as the ones suggested by compudat.com:
- What are your strategies and tactics for fighting cyber threats?
- Do you have a progressive cyber security program in place?
- Do you have a cyber security team?
- How frequently do you conduct operation-wide cyber security audits?
- Are you aware of all of your vulnerabilities – IoT connection points, employee risk potential, data protection shortfalls?
Responsibility for cyber security often falls on the manufacturer’s IT Department. Unfortunately, Peleg wrote, “The manufacturing sector is not known for having great IT resources (it certainly can’t compete with the financial sector or government for cybersecurity talent), so companies are not likely to have sufficient manpower to address these threats.”
Team 1 Plastics, a plastic injection molding company for the mobility industry, falls into the category of having limited IT resources. According to Joshua Nye, its IT Manager, “Being a small company, we don’t have a security team like a larger corporation would have. We rely on a variety of options that we blend into our security profile.” Nye listed a few: “Buying security products, holding contracts with vendors to assist us, attending security conferences and training, and of course, our own research to try and stay as up-to-date as we possibly can.”
He added, “We also keep everything patched and up-to-date. Security updates are out there for a reason; get them applied quickly.”
“Cyber security is a tough area,” said Nye. “You can lock down your data really tight. However, you might make it so secure that you cause inefficiencies for the employees performing their work. It’s a fine line between security and functionality, and that line could be different for each company. Finding the correct balance requires constant end-user education, showing them new ways, new techniques, reminding them why things are important, etc.”
Email is a common avenue of cyberattack for all companies. A 2016 report by PhishMe found that 91% of cyberattacks start with a phishing email.
Like many companies, Team 1 Plastics has experienced its “fair share of phishing attacks.” Nye explained that phishing emails try to catch recipients off guard and get them to react quickly without investigating the message. The attackers hope that a recipient will click on a link embedded in the email, giving the attackers access to the recipient’s computer so they can steal passwords or confidential information.
Nye gave an example of a phishing attack that he has often seen. “An attacker tries to make an email look like it is coming from someone high up in your company who needs gift cards for a customer or charity, and they need it right away. If the email appears to be from an important person in your organization, and they need something right now, it might motivate you to jump to action rather than taking a few minutes to analyze the situation and realize it is a fake request.”
“I often get asked why we continue to receive phishing emails when so many of them seem laughable and always seem to fail,” Nye said. “Unfortunately, it takes the attackers only a few minutes to send out thousands of emails; all they need to do is to find just one vulnerable recipient, and they get paid hundreds of dollars for very little work.”
To combat phishing email attacks, Nye said that Team 1 Plastics has focused during the last year on educating its Team Members. “We ran some simulated phishing attacks on our own users – not to shame anyone – but to inform and teach. Cyber security education can never end. When I come across new examples of phishing emails or different schemes of attack, I share them with our Team Members.”
Nye said that cyber security education benefits both the company and the Team Members. “Many of the lessons and techniques we share to keep Team 1 safe also help the Team Member keep his/her own personal information safe – things like 401-K accounts, banking accounts, or personal identity. It can be just as useful to them outside of work.”
He concluded, “Cyber security is a team effort, not just an IT effort. If you are not getting the buy-in from the rest of the company, the battle is already lost.”