The biggest challenge in achieving cybersecurity within the manufacturing sector for many organizations may have less to do with the actual cyber threats and vulnerabilities than the “cybersecurity-noise” rampant in this industry. By Anthony King
By now, most manufacturers have heard or read about all of the game-changing technologies, opportunities and challenges with our increasingly connected factories in the Manufacturing 4.0 world, but with each new day comes more news of cyber threats, data breaches, and regulatory changes, along with more products and services to help businesses deal with this new industrial frontier.
Unfortunately, this deluge of news or “cybersecurity-noise” has created more confusion than actual help for many businesses, and in some cases this constant wall of noise has become unhelpful to the point of paralysis, especially for small and medium-size manufacturing companies.
Achieving an acceptable level of cybersecurity for a clear majority of companies in the manufacturing sector is no longer an awareness issue. In fact, the opposite issue of information overload is now part of the problem. For this reason, it is imperative that the cyber security industry, technology vendors, and associated professionals begin to convey a single, concise message to businesses struggling with cybersecurity-noise paralysis.
That message must be that not every threat or vulnerability will impact the business, and without a formalized business risk management process, there’s little to no chance of achieving any level of sustained cybersecurity. The real irony is that this is widely known in the cybersecurity profession as well as most modern-day businesses. Unfortunately, it’s often overlooked, poorly done, or even worse in some businesses. Part of the reason for this is that some businesses assume that their business risks are the same as someone else’s or what they just heard or read.
Cybersecurity risks are products of three elements: threat, vulnerability, and impact. Classifying the risks this way avoids a myopic view of risk based on a business sector, vertical, specialty, or an obscurity factor. Knowing what matters most to your organization — your crown jewels (e.g., intellectual property, trade secrets, product/service) AND relationships (employees, suppliers/vendors, partners) — is a first and essential step to help filter the cyber noise and avoid its paralyzing grip. One of the first challenges of cybersecurity is knowing what’s cyber news or cyber noise, thus enabling your organization to know if it needs to respond, when to respond, and how to respond.
This is best done by ensuring your conversation/actions are guided by a formalized business risk management process. Engaged organizations exhibit a cybersecurity culture that understands the value of knowing their risks and are at the forefront of embracing the challenge of cybersecurity in manufacturing.
These organizations understand that M4.0 complexities in their factories of the future, along with their associated sub-systems, will add significant challenges to cybersecurity management. They are also acutely aware that for an attacker, their factories can be that winning lottery ticket, as it creates a host of new attack vectors and payday opportunities. Having a well-thought-out risk management plan will help organizations ruin a hacker’s day instead of the other way around, because the attacks will continue to increase for the foreseeable future.
Some have described 2017 as the year of the data breach because there were over 5,000 publicly disclosed data breaches resulting in nearly eight billion records exposed. And, according to Verizon’s 2018 Data Breach Investigations Report (DBIR), there’s no easing in sight, with the manufacturing sector specifically targeted.
“When we look at targeted versus opportunistic attacks, we see that breaches in this vertical are 86% targeted,” the Verizon report stated. “Since, overall, the vast majority of attacks are opportunistic in nature, this finding underlines the point that criminals go after certain Manufacturing entities with a very specific purpose in mind. The victim organization is chosen because they have trade secrets that are highly desirable to the attacker.” (See Chart)
Another manufacturing sector modality discussed in the Verizon report is that the manufacturing industry shows a greater percentage of state-affiliated threat-actors (53%) than it does organized crime (35%) attacking this industry. Likewise, their motivations appear to be very closely split between financial (53%) and espionage (47%).
Additionally, there were other data points specific to manufacturing worth mentioning, because they represent some of the more value-added areas for manufacturers to understand as they conduct their risk assessments:
58% of victims are categorized as small businesses
50% of breaches were carried out by organized criminal groups
48% of breaches featured hacking tactics
30% included malware tactics
68% of breaches took months or longer to discover
On the regulatory front, governments and regulatory bodies in the U.S. and Europe continue looking to increase cybersecurity focus across nearly all sectors. For example, New York State
M4.0 complexities will add significant challenges to cybersecurity management, underscoring the need for risk management plans.
introduced tough rules in March 2017 that set out specific cybersecurity and risk management requirements. This recognized need for more emphasis on risk management underscores both the unquestionable value of a formalized risk process as well as what new regulations will be used in determining regulatory penalties.
Remember, the goal of any business risk management program is to protect the company’s intellectual property, trade-secrets, reputation, and revenue streams. The business risk assessment activity is typically one of the least favorite undertakings in cybersecurity, but one of the most valuable steps that can’t be ignored or done half-heartedly, because running for cover seldom helps.
Effective cybersecurity can only be attained when it is understood to be an enterprise-wide and business eco-system challenge and responsibility.
Cybersecurity is everyone’s job. M