To deal effectively with increasing cyber attacks, manufacturers must develop a business-driven risk management strategy based on a holistic approach across the enterprise.
By Torsten Welte
Having grown up during the Apollo era, I’m very excited to see all of the great progress being made by the space industry. I am constantly amazed at how many different entities need to come together to make a space mission successful. There’s the manufacturer that needs to build the spacecraft down to the exact specifications; the astronaut team that needs to train and work together pre, during, and post flight; and then there is the mission control center that manages the many complex aspects of the space flights.
This does not even begin to scratch the surface in mapping out all the teams involved, but it is clear that there are many different pieces that need to come together to ensure a safe flight. Working in a multifaceted environment such as space requires all parties to work towards one common goal of safely launching, exploring, and returning the spacecraft and its astronauts to Earth. This same idea of intentional unity is mission critical to the cybersecurity strategy of any manufacturing enterprise.
Let’s think of the IT department as the astronauts and business operations as the control center. The astronauts, the ones executing and doing the technical work, need the objectives, advice, collaboration, and overarching perspective from the control center to be as effective as possible. The common goal and prioritization of safety is a major piece of completing a successful space mission. With many lives on the line, the success and security of space missions is a group effort that must be addressed from all angles. Securing the manufacturing enterprise is no different; all parties, internally and externally, must be equally invested in the integrity of the company — all must support a secure mission.
For a manufacturing organization, cyberattacks can be very scary and overwhelming, especially since cyberattacks have increased by 176 percent over the past five years. Many manufacturing organizations have questioned, “How do we go about securing our enterprise and where do we even start?” Typically, this topic is pushed down to the IT organization as the effects are related to IT systems. The IT organization traditionally responds with suggestions that impact the business by restricting agility or innovations. Effective cyber resilience, however, requires a business-driven risk management strategy based on a holistic approach across the organization, as well as accounting for the connected ecosystem that values innovation. Before we look at the suggested approach, let’s better understand the different cyber threats and what has changed over the years.
The Evolution of Cyber Attacks
Cyberattacks encompass unauthorized access to manipulate, steal, or destroy data or systems. The press often reports on attacks that involve personal data and result in demands for ransom to be paid. These attacks range from hacking through firewalls and systems to using viruses to manipulate data, and are sometimes perpetrated by employees. Money is not the only driver for these attacks. The theft of intellectual property (IP) is becoming increasingly prevalent. The average IP theft costs companies around $13.5 million with the potential to do damage upwards of $109 million. At the same time, there are many cases where attackers are simply looking for fame and bragging rights. Regardless of the motive, McKinsey reports that it is still taking companies about 100 days to detect a covert cybersecurity attack, which could be detrimental to any organization.
The Evolution of Manufacturing Processes
Today’s manufacturing organizations are utilizing more new technologies with fewer technical constraints to drive effectiveness and productivity like never before. We are increasingly seeing machines that generate data to improve the overall manufacturing process and quality of products. For example, the discussion around IoT focuses on the goal of capturing as much information from the shop floor as possible to reduce unplanned down times and improve the quality of final products. Real-time data gets generated by machines or sensors and is then transmitted through the shop floor network to the IT control systems. This creates a greater opportunity for cyberattacks as companies need to consider the entire data creation process and communication flow through their systems, while accounting for the multitude of technical elements and layers involved.
One of these layers involves interaction with external partners. Since many manufacturing processes touch external stakeholders’ systems, customer and supplier bases can be threatened by cyberattacks. Manufacturing companies must include the entire ecosystem in their evaluation and new cybersecurity strategy. Not only is the issue of security changing and expanding beyond the four walls of the corporation, but security also has to be embedded into business ecosystem processes. More specifically, security needs to be part of the design for solutions and not a stand-alone topic.
Artificial narrow intelligence is the science of training systems to emulate human tasks through learning and automation.
With Industry 4.0 on the horizon and the need to digitize only increasing, sensors and the data they generate will become a staple technology on the shop floor. The benefits are immense, including but not limited to: improved maintenance processes, quality control, and hyper connectivity across the shop floor. With these technological advancements and process automation at the heart of digitalization, manufacturers must ensure that the hardware – sensors or machines – has the right security features to authenticate and communicate in a safe and encrypted environment with receiving systems. Another vulnerability can be open communication channels, like the Bluetooth capabilities of machines and sensors that allow for hyper connectivity and mobility. Hackers often utilize these channels to manipulate data in transit.
These intelligent technologies require adequate, more diverse systems to manage the data across different computer systems. Additionally, it is not unusual for different departments of a company to select different software systems to support their hardware. The large variety of systems creates higher complexity for cyber resilience. The complexity ranges from acquiring the system technology knowledge to ensuring data consistency across all platforms. With many systems in place and a lack of consistency, security threats, like data manipulation, can occur at many points in the information flow.
Establishing resilience is going to be critical for all manufacturing companies, no matter the industry sector. It is not a question of if, but when. So how should a company approach building a cybersecurity strategy that still promotes continuous innovation, efficiency, and intelligence?
The Evolution of the Secure Manufacturing Enterprise
Just as coordinating a successful space mission requires a strong collaborative effort, the topic of cybersecurity needs to be approached holistically. This means it must be a topic discussed at the C-level across all business units. It cannot be left to IT alone, because managing the company’s risk while balancing the company’s overall vision is key.
In addition to all of the troubles of poor security, 68% of funds lost due to a cyberattack are unrecoverable; it should be of primary concern to the business to protect the bottom line. As part of security planning, management will need to evaluate the impact of potential cyber incidents against business objectives. This requires the prioritization of cybersecurity activities based on business needs, with the goal of protecting the crown jewels, while factoring in agile and innovative capabilities as well. Too often in today’s operational landscape, suggested IT measures limit the effectiveness of manufacturing operations. An example of this is IT requests for system downtimes which have to be balanced against delivery of key customer shipments. To defend the needs of the customer, a sense of value towards risk management and consideration of business priorities is required.
In order to make this a reality, management needs to have a clear understanding of current assets, prioritization of these assets (crown jewels), risk of being attacked, and the level of potential impact. Based on the risk profile, companies can utilize portfolio processes to establish a situational resilience level. Tools like the NIST Cybersecurity Framework can help launch the process and guide businesses through essential steps. As this effort requires changes at many levels, focus is essential and utilizing a check list ensures better communication among different teams.
The Evolution of Cybersecurity Expertise
This shift in company culture should certainly include an element of security expertise but cybersecurity experts are very scarce resources, as the war on talent ensues. Costs also contribute to the problem; not all manufacturers can afford these experts. As a result, collaboration and knowledge exchange with key software and technology partners is vital. Many software companies already have security experts that can provide guidance not only for security topics with their products but also regarding security standards and process improvements.
In addition to collaborating with technology and software suppliers, the procurement process of purchasing new hardware needs to include a validation of appropriate security support for the offerings. This includes questioning your software and hardware suppliers about their security processes as well as their security governance processes. As we look to the future, large software companies are working on designing self-healing software algorithms using artificial intelligence and machine learning. An average phishing attacker will bypass an AI-based detection system just 0.3 percent of the time. But when attackers use artificial intelligence on their end, this 0.3 percent shoots up to 15 percent.
This further emphasizes the fact that cybersecurity is not simply a firewall attack anymore; attacks are much more intricate, especially with the use of more sophisticated technologies on both ends of the attack. Just 16% of companies believe traditional data-protection tools can manage security within their cloud platforms. Because of this, security needs to be top of mind and even part of the product development process by incorporating it into product design. Too often security is seen as a separate activity, or a mere afterthought; an example is the use of smoke tests after the design stage. In the digital world, cybersecurity must be built into the overall development approach. One solution is for developers to embed security elements into the code. Security is more and more embedded into functional capabilities such as validation of data access or encryption (in REST) for communication. This also drives the need to tie security updates to functional updates. This becomes even more critical for software companies that host their solutions within the cloud. Cloud providers must ensure security across all layers, from infrastructure all the way to applications.
Many manufacturing companies and their executives are surprised by the level of protection offered by cloud-hosted solutions and products in the cloud. The threat levels are much higher and therefore renowned cloud-based solution providers have strong resources dedicated to ensuring the integrity of the organization. This not only provides better defenses against attacks, but also enhanced recovery processes for when attacks occur.
LNS Research states “By moving to the Cloud, security is usually enhanced rather than diminished as Cloud suppliers devote huge efforts to ensuring their underlying systems are as secure as possible and are constantly updated to react to potential threats. No individual manufacturer could devote such efforts…”
The Evolution of Company Culture
As the types of attacks constantly change, a resilient company must concentrate more on how to identify the attacks and how to put the necessary measures in place to address them. This requires a complete governance process, as well as a company culture that incorporates and prioritizes security in all aspects. Cybersecurity should be on the agenda of major executive meetings to collectively incorporate measures that describe potential risks and to track the progress that has been made to establish a resilient enterprise.
If we look at protecting and interacting with the ecosystem, it is the role of the executive team to support the cybersecurity discussion with suppliers, partners, and customers. IT should certainly guide the discussion, but many of the process and IT changes need to be discussed on a business level. Most of the suppliers, contractors, and partners do not have the expertise to address the topic, further emphasizing the need to collaboratively approach building a security strategy that ensures integrity across the value chain.
The Evolution to the Intelligent Manufacturing Enterprise
Henry Ford said it best: “Coming together is a beginning, staying together is progress, and working together is success.” Just as the sophistication of space missions and their goals has evolved, manufacturing enterprises must evolve with the security challenges of the digitized world, and they must do it as a collective unit. This means every piece of the ecosystem, from the bottom up, plays a vital role in securing the enterprise and must be valued as such. No longer can IT operate as a siloed entity from the rest of the organization because business objectives should be balanced with IT priorities. The success of IT security is dependent on everyone.
It is interesting to think about how security can also become a key differentiator within your industry. For example, many aerospace and defense companies have established cybersecurity departments that now offer services to other companies. Lockheed Martin has been continuously developing its Cyber Technology Services group. Such a capability helps to satisfy many stakeholders, while easing the minds of many across the ecosystem.
If you would like to take “one giant leap” for your A&D business towards realizing the full value of intelligent technologies to secure your enterprise, take a look at Transform Aerospace and Defense or learn more about enabling your intelligent enterprise with Industry Clouds for Discrete Manufacturers.