The more that manufacturers deploy interconnected M4.0 technologies to gain competitive advantage, the more disruptive they expect cyber attacks to become in the year ahead, according to the latest Manufacturing Leadership Council survey.
By Paul Tate
First the worrying news: cybersecurity attacks are predicted to rise and become potentially more disruptive in 2019 as manufacturing companies continue to deploy increasingly intelligent, interconnected systems and sensors across their production operations.
Now the more hopeful news: there are welcome signs that manufacturing companies are becoming increasingly aware of potential cyber risks and are beginning to understand more about what they need to do to help protect themselves along their journey to Manufacturing 4.0 – including a stronger strategic focus on corporate protection policies, and the tactical adoption of standard platforms like the NIST Security Framework.
Those are just some of the highlights of the Manufacturing Leadership Council’s latest research survey on the state of cybersecurity in 21st century manufacturing.
A Business-Critical Issue
Clearly, manufacturing companies have become acutely aware over the last few years that cybersecurity issues are of critical importance to the future of their increasingly digitally-driven businesses. Over 90% of manufacturers responding to our latest survey say that cybersecurity concerns are now ranked as an “important” business issue, with two thirds (66%) acknowledging that those concerns are of “high importance” (Chart 1).
Most noticeable though, the impact that manufacturing leadership teams now fear most from cyber attacks is identified as “business disruption”, with 58% of respondents selecting this as the primary cybersecurity risk today (Chart 2). This is a marked increase from our last cybersecurity survey two years ago, when IP Theft was ranked as the top concern, and business disruption was noted by just over a third of respondents.
This suggests that over the two-year interim, many companies may have already taken some steps to protect their IP from theft more effectively at a technical level. But it also suggests that manufacturers increasingly realize that the ever-more complex nature of today’s cyber threats is now more likely to result in far broader disruption to the operations of the business than the simple appropriation of specific pieces of proprietary information.
Cyber Attacks to Rise in 2019
Whatever the focus of cyber attacks to come, most manufacturers expect to suffer from more of them in 2019, according to almost two thirds of this year’s survey respondents (64%). Worryingly, an additional quarter of respondents admit they have no idea what to expect over the next twelve months (Chart 3).
1 Over 90% of Manufacturers Rank Cybersecurity as an Important Business Issue
Q: Please indicate your company’s investment posture for the following IT-related technologies.
2 Business Disruption and IP Theft Seen as Biggest Operational Risks
Q: What is the most significant cybersecurity-related risk to your company’s manufacturing operations?
The impact from cyber attacks that manufacturing
leadership fears most is business disruption.
3 Over 60% Expect Cyber
Attacks to Increase in 2019
Q: Do you expect your company will experience more attacks in the year ahead than in the past year?
Among the top three methods of attack that now concern manufacturers most are malware (which includes malicious pieces of code such as trojans, worms, and viruses), phishing (which aims to intercept personal or corporate details often from email networks or intranets), and the more recent development of Ransomware, which aims to deny access to key systems or processes until a ‘ransom’ is paid by the company to unlock and regain control of its own assets (Chart 6).
Better Plant Floor Strategies Needed
Yet despite the fears of widespread business disruption for manufacturers from cyber threats, the rising complexity of potentially vulnerable interconnected industrial systems, and the increasing number of predicted attacks to come in the year ahead, still only around a third of responding companies currently have a formal plant floor cybersecurity strategy in place. In fact, almost half the respondents say they have no manufacturing-specific cybersecurity plan right now, or that they are still trying to create one (Chart 4).
What’s more, when asked to rank their level of confidence about the ability of their in-house expertise to deal with manufacturing-related cybersecurity issues, only a quarter say they have a reassuringly high level of confidence, and over a half say they have only a moderate level today (Chart 5). A fifth also admit that their level of confidence is actually pretty low.
4 Yet Most Manufacturers Still Have No Formal Plant Floor Strategy in Place
Q: How would you characterize your company’s approach to dealing with manufacturing cybersecurity?
5 Malware, Phishing, and Ransomware Most Feared Methods of Attack
Q: What level of confidence do you have that your company has the internal expertise to deal with manufacturing-related cybersecurity issues?
6 Malware, Phishing, and Ransomware Most Feared Methods of Attack
Q: What methods of cyber-attack are most
concerning to your company?
Key Areas of Vulnerability
Many manufacturing companies have a complex mix of multiple technologies in place today as they seek to increase operational efficiencies, respond faster to market and technological changes, and make better business decisions. The levels of cyber vulnerability for each of these technologies inevitably differ. In our latest survey, respondents identified a number of technologies and devices that they believe are most vulnerable to cyber attack today, including laptops, email and web servers, and mobile devices such as cell phones and tablets (Chart 7).
Interestingly, while Industrial IoT Systems are still regarded as vulnerable to a medium degree by over half the respondents, they are not seen as the primary targets for attack. Perhaps again this is a reflection that rising awareness of cyber vulnerabilities in an M4.0 world over the last few years has spurred many manufacturers to build in better protection mechanisms for these new systems as they are being deployed.
According to this year’s survey, factory and plant floor operations are not even seen as the most vulnerable functional areas of the company in this increasingly interconnected M4.0 world either. It’s when the networks they are linked to extend beyond the walls of the manufacturing organization itself that many believe pose the most significant threat. These include supply chains networks, social media networks, and partner and distribution networks (Chart 8).
Risk Mitigation Strategies
As manufacturing’s awareness of cyber threats increases, companies going beyond basic technical fixes and are also beginning to pursue other ways of trying to mitigate cyber risks as they pursue their M4.0 roadmaps.
One approach that is rising in popularity, according to almost half of the respondents, is to adopt an established set of cybersecurity standards and processes, such as the NIST Security Framework, to better protect both physical and digital assets. A third of responding companies have also connected with one the increasing number of Information Sharing and Analysis Centers (ISACs) now in operation to share information when an attack happens, or to explore ways of preventing them in the future. Only a few, under a fifth, have chosen to actively insure themselves against cyber risks so far (Chart 9).
7 Laptops, Email Servers, and Mobiles Ranked as Most Vulnerable Technologies
Q: How would you assess the vulnerability to attack of the following current and future technologies, systems, and devices in your company?
(Rank based on Low/Medium/High)
8 Supply Chain and External Networks Seen as Areas of Most Potential Threat
Q: How would you assess the vulnerability of your key business operations today? (Check one)
64% of respondents say cyber issues will become significantly more important to the progress of their M4.0 strategies over the next five years
9 Almost Half Have Adopted NIST Security Framework To Help Mitigate Cyber Risks
Q: Are you engaged in, or have adopted, any of the following approaches as a way to better protect your company or mitigate cyber risks?
Threats to M4.0 Adoption
Despite these more recent risk mitigation approaches, there is still little doubt that more manufacturers than ever regard cybersecurity as a critical issue for the future of their M4.0 transformation. 64% of respondents in this year’s survey predict that cyber issues will become “significantly more important” to the progress of their M4.0 strategies over the next five years (Chart 10). That compares to just over 50% in the MLC’s previous cyber survey two years ago.
Yet, there is again some indication that a number of manufacturers are beginning to recognise such threats are simply table stakes along an M4.0 journey. Only 45% now fear that cybersecurity concerns will actively hinder M4.0 adoption to some degree over the next five years (Chart 11), compared to 54% two years ago. And just over half now conclude that dealing with cybersecurity issues is a basic requirement and part of doing business in an M4.0 world, compared to only 37% in the previous survey.
The reality of cyber risk in an M4.0 world seems to be sinking in.
10 Cybersecurity To Become Significantly More Important to M4.0 Strategies Over Next Five Years
Q: Looking ahead 5 years, how important an issue do you think manufacturing cybersecurity will be as your company
pursues its journey to Manufacturing 4.0?
A More Strategic Focus
That doesn’t mean that manufacturing companies are getting complacent, or failing to pursue more effective ways of dealing with the cyber problem. The focus, however, is now moving up the corporate ladder.
Perhaps of all the differences that emerged from the cybersecurity survey this year, one of the most significant is the increase in the belief that more strategic, top-down approaches are needed to best deal with cyber risks in the future.
Two years ago, when asked what they thought would help most in improving manufacturing cybersecurity in an M4.0 world, respondents focused predominantly on technical fixes, with a substantial 41% selecting “better prevention and technology” as the most important solution.
That view has clearly changed. This year, the primary focus is on “corporate best practices and policies” as the top option at 28%, with prevention technology dropping down to only 21% (Chart 12)
As the digital revolution matures, so it seems are the attitudes of manufacturing companies and their leadership teams as they begin to understand that cyber issues are not going to be overcome by technologies or technologists alone, but need to be addressed on a far broader scale and become part of the culture of the organization, driven from the top down.
11 Almost Half Fear Cybersecurity Concerns Will Hinder M4.0 Adoption to Some Degree
Q: Over the next 5 years, how much of an obstacle will cybersecurity issues be to the speed and scope of adoption of Manufacturing 4.0 technologies and approaches?
12 Better Corporate Policies, IT/OT Collaboration, Employee Training, and Prevention Technologies Seen as Key to Future M4.0 Protection
as Strong in Next 5 Years
Q: What do you think will help the most in improving manufacturing cybersecurity in an M4.0 world?
More strategic, top-down
approaches will be needed to deal with cyber risks in the future.
From Dilemma to Digital Destiny?
Certainly, the dilemma for manufacturers is clear: without M4.0 technology deployment and digital transformation, companies are likely to lose money, lose their innovative edge, and lose competitive advantage. With M4.0 technology deployment, they have to accept that they will inevitably become more vulnerable to cyber attack and disruption in the years ahead.
Of course, every industrial revolution has its risks, and the digital industrial revolution is no different. If companies want to pursue their digital destiny by harnessing the transformational benefits that the interconnected journey to Manufacturing 4.0 offers, they will also have to find ever more effective ways to protect themselves and mitigate the chances of digital disruption in the future. Cyber risk, it seems, comes with the territory in an M4.0 world.
But as the old saying goes: nothing ventured, nothing gained. M