Manufacturing is already the golden goose as far as the cyber criminal is concerned, with the Verizon 2015 Data Breach Investigations Report rating it as the third most highly targeted industry. But the motivation behind these attacks – and the way they are performed – could be about to shift. Threats have typically sought to exploit weaknesses and to sniff out sensitive data but this is likely to change to a more disruptive pattern with attacks purposely seeking to target intellectual property and cause business downtime.
In a report called a ‘Guide to Cyber Risk: Managing The Impact of Increasing Interconnectivity’, Allianz Global Corporate & Specialty (AGCS) suggests the increased levels of connectivity across numerous sectors will drive a shift towards sabotage, extortion and the pursuit of business intelligence. In the manufacturing sector, this is likely to manifest itself in the form of disruption to legacy systems that are poorly protected but now IP-enabled, such as plant run using industrial control systems, and via the extended eco-system of suppliers.
Digital transformation is seeing manufacturers ride a wave of integration as they attempt to join up systems to keep pace with market developments. In it’s latest report ‘The Safety-Security Argument: Expanding Needs in a Connected Enterprise’, analyst house Frost & Sullivan refers to the need for end-to-end cyber security which will span IT and Operational Technology ecosystems leading to a ‘defence by design’ form of protection which will seek to anticipate and respond to threats using inbuilt solutions, leading manufacturing away from the ‘defence by default’ model used today. Put simply, locking down network systems is no longer enough.
Moreover, manufacturers are increasingly becoming privy to and responsible for a wealth of data. Protecting product designs, patents and business development plans is becoming increasingly onerous with innovations such as 3D printing making it easier to steal designs. While the emergence of the Internet of Things (IoT), or IP-enabled devices, now extends the culpability of the manufacturer still further, making them responsible for collecting and housing customer data appropriately (such as in the cloud) and protecting and patching the device should it become compromised, and even overseeing the decommissioning of data. Suddenly the manufacturer is responsible for data during the entire lifecycle of the product.
Consequently, manufacturers now need to increase the time and resource devoted to governance, risk management and compliance (GRC). Risks need to be assessed and even accepted with the steps taken to mitigate the impact of their realisation. This requires a top-down strategic approach to cyber security which must pervade the entire manufacturing eco system, from creation to disposal identifying and categorising assets, assigning appropriate levels of protection, and plugging gaps ensuring compliance audits of third parties.
This may sound straight-forward but often the supply chain is a convoluted structure in itself. The manufacturer needs to not only make the third party aware of their own processes but also needs to assess the security provisions of a supplier and ensure there are provisions in the contract to enable access for audits and mechanisms to enforce remedial actions.
The real game changer, however, is context-based threat intelligence. This can enable the manufacturer to create and adjust a bespoke risk register to address threats. People are vital to ensuring this is an iterative process, so do allocate responsibility to key individuals to ensure cross-departmental implementation and adherence to cyber security policy at a grass roots level.
Ensure regular reporting on risk reviews. While cyber security is now appearing on the board level radar, it’s often not privy to these reviews, so consider setting up reporting procedures which go all the way to the top. Finally, do involve the board in the process but do so from a business perspective: there’s nothing more alienating than a plethora of acronyms and risk ratios.
Tried and tested
Of course, if (although some would say when) a risk is realised, processes need to be in place that will make for a speedy response. But don’t wait for this to happen. Test the Incident Response plan using playbook scenarios and use this information to fine-tune the process. Time is of the essence; so the sooner you can detect and mitigate the threat the more likely you are to curtail its impact. How easy is it to isolate the issue? Can you maintain other systems and keep it as Business as Usual? In addition to technical steps which need to be taken by IT, an effective Incident Response plan should include provisions for who will be notified and how (the regulators, customers, suppliers etc) and include plans for PR and the legal teams who will need to handle the fallout.
Manufacturing is no longer an isolated enterprise. Strings of supply chains, converging systems, data collection and protection, and the need to protect the relationship with the customer through an ongoing duty of care have all conspired to make manufacturing a more complex system of interdependent processes. To date, the focus has been on time-to-market but the shift in focus, with attacks now centred on theft and disruption, make cyber security a prime concern.