Six steps to achieve cyber resiliency in a digital world.
In 2021, manufacturing was ranked as the most targeted industry in the cybersecurity space as attackers sought to exploit unpatched software and capitalize on supply chain delays to pressure organizations into paying a ransom. This year has brought on more of the same — incidents like the February shutdown of Toyota’s factories from an attack on a Japanese supplier and the potential for more nation-state attacks on critical infrastructure amid the war in Ukraine are early examples.
Manufacturers being hit by a cyberattack is no longer a possibility — it’s a near certainty. Consider that nine in 10 manufacturers experienced at least one intrusion into their operational technology (OT) systems in 2020, and that ransomware attacks on industrial entities have increased by more than 500% since 2018.
This high-risk environment means manufacturing leaders need to focus not just on data security and compliance but also on cyber resilience: the ability to keep their business operating when the inevitable attack hits.
Cyber Risks in the M4.0 Era
Given the current geopolitical climate and supply chain vulnerabilities, it’s no surprise that more than half of manufacturing executives (53%) we polled in Q2 said they are increasing their focus on cybersecurity in response. That is good news. But even if supply chains were running smoothly and geopolitical tensions eased, this heightened attention would be critical.
Why? Because in an M4.0 world, there’s a collision happening between 1) the convergence of information technology (IT) and OT technologies and data sharing, the 2) adoption of cloud and remote-enabled technologies, and 3) the rapid evolution and adaptability of threat actors and techniques.
“47% of attacks on manufacturing were caused due to vulnerabilities that victim organizations had not remediated.”
Today’s attackers can penetrate a broader attack surface, exploit new software vulnerabilities, buy ready-made exploitation kits available on the Dark Web, and conduct increasingly sophisticated supply chain attacks. These attacks not only pose significant financial risks but major safety risks.
The manufacturing sector is overwhelmed with ongoing labor shortages, employee burnout, inflation, and high demand for products — in addition to rising cyberthreats. This combination means cybersecurity may be overlooked at the very moment organizations need to focus on it the most — and the consequences of not preparing are significant. Manufacturers reported an average cost of roughly $3 million per OT security incident in 2020 — and if the industry doesn’t get out in front of the problem now, regulators looking to protect critical infrastructure could potentially impose expensive and burdensome requirements.
The manufacturing industry is undergoing drastic changes with the pandemic accelerating the adoption of automation and other M4.0 technologies to keep pace with surging demand and disruption. In this landscape, it can be difficult for organizations to stay ahead of cyberthreats.
Some key challenges they face include:
Differences in preparedness between IT and OT teams
Manufacturers have had separate cultures for decades, primarily driven by conflicting priorities between corporate IT and the shop floor. While the corporate side is typically aware of cybersecurity risks, policies, and best practices, that is not always the case for frontline workers. Without the right security awareness campaigns and quality assurance processes in place, these workers might share the same username and password to log into OT systems, click on a phishing email, or use a USB drive without knowing where it came from.
Organizations looking to address this issue through security education must understand how these conflicting priorities can exacerbate communication breakdowns between the two groups. For instance, through the lens of the CIA triad, IT teams believe data confidentiality and integrity are the top cybersecurity priorities, while the OT team places availability as the top priority.
“If the links between IT and OT networks were cut, could your organization still operate and produce its products?”
Additionally, funding for IT teams is often prioritized over OT initiatives as the general perception is that OT environments are purpose-built and static in nature. However, when it comes to evolving attack methods and vulnerabilities, nothing is static and investments in OT security also need to be prioritized. This is further complicated by the constraints OT security teams face when trying to remediate issues when the OT devices themselves are unable to support traditional upgrades and patching procedures that their IT counterparts can rely on to mitigate risk. The result is often a desperate list of security controls and compensating controls between IT and OT environments, ultimately leading to inconsistent levels of protection across the organization. When it comes to true operational resiliency OT cannot be overlooked since the ability to generate revenue is typically dependent on the OT environment.
Change must start at the top. Yet for many executives, cybersecurity may not be their top priority when focused on finding new ways to automate the business, making products cheaper, or retaining critical workforce.
But while such investments may improve efficiency, they can also broaden the attack surface and create new security concerns: 47% of attacks on manufacturing were caused due to vulnerabilities that victim organizations had not remediated, either because the solution was not prioritized and funded, or was not supported by OT device vendors. This is starting to change. Leaders see the consequences of such attacks on revenue and the greater risks from heightened geopolitical and supply chain instability — though more work lies ahead.
A static mindset
The repetitive nature of manufacturing means that many in the sector may not see the need to evolve their cybersecurity strategies, as historically their focus has been on safety versus cybersecurity.
Making the connection between cybersecurity and safety requires a mindset shift: one that accepts the new M4.0 landscape and takes proper precautions to guard against new vulnerabilities while also employing principles of resiliency to ensure the business can continue to operate in the event of an attack.
How to Build Cyber Resiliency in Six Steps
Becoming cyber resilient will be challenging — but it is achievable. To help break it down, we’ve outlined six steps that manufacturing leaders can use to guide their approach.
To better prevent attacks and mitigate the risks that arise when incidents inevitably occur, manufacturers must be able to identify potential threats and create a strategic roadmap that articulates key priorities and action items for the organization.
“We recommend deploying the NIST compliant architectures and standards to build baseline protection.”
Developing that roadmap means not only analyzing requisite documentation but also interviewing stakeholders from across the organization about various applications and connectivity. For instance, daily reports from these stakeholders on how much has been produced, what raw materials need to be ordered, and where defects exist can help leadership assess each area by risk and potential revenue impact should something happen. Armed with that data, organizations can architect security policies and procedures based on that risk (e.g., the company website may just need monitoring and firewalls, while more important systems like OT technologies may need to be isolated).
These interviews should help leaders recognize where attacks originated, whether it’s ransomware, email compromise, spear phishing, or others.
We recommend deploying the National Institute of Standards and Technology (NIST) compliant architectures and standards to build baseline protection. Manufacturers should then focus on properly segmenting IT and OT environments — if these environments lack proper segmentation, they are more easily compromised (e.g., from a cyberattack, network outage, etc.). This impacts everything from production orders and scheduling to raw material management and the delivery of supplies to and from the shop floor. The question becomes: If the links between IT and OT networks were cut, could your organization still operate and produce its products?
To start, manufacturers should concentrate on network security, segmentation, and isolation. Ensure defense-in-depth principles, an approach that uses multiple layers of security, are used to dissuade threat actors from accessing critical systems in the OT environment. Isolate your critical machines so they can run manually (and locally) in the event of an attack — not just from remote locations via the cloud. Also, make sure there are paper records on hand to provide raw material measurements in case of a shutdown.
Having standards, best practices, and architectures in place is only half the battle. Organizations also need to build out their proactive capabilities to monitor and detect unauthorized access attempts, data leakage, and other anomalous behavior.
Detection goes beyond network monitoring. The physical environment, the shop floor, where vendors and business partners have access to critical systems or data needs to be monitored as well. Access is the key and ensuring businesses can be trusted is vital to protecting critical data or intrusions.
“While the corporate side is typically aware of cybersecurity risks, policies, and best practices, that is not always the case for frontline workers.”
However, not all systems are equal in terms of risk and therefore not everything needs to be monitored like Ft. Knox. Understanding the key challenges above will help organizations right-size investments in security and detection capabilities. For example, the need for more rigorous detection capabilities may be elevated when a vendor upgrade is not feasible, but diminished where network isolation or compensating controls have been implemented.
Organizations should prepare for a cyberattack by running incident response exercises that gamify what security incidents could look like. The exercises should drive collaboration among key stakeholders and account for multiple eventualities. For example, what might happen if a given OT system is hit but the person who is responsible for that system is out of the country? This exercise should be combined with an OT isolation tabletop exercise that runs through how the organization can keep machines running should the network get hit.
Being resilient is not only about preventing an attack, but the ability to recover quickly in the event of an attack to maintain revenue-generating operations. This ability requires collaboration among numerous stakeholder groups and is dependent on a strategy that covers people, process, and technology.
Recovery processes need to be defined, documented, and most importantly practiced. Solutions need to be implemented so organizations are able to backup systems and restore capabilities, using a golden image, if necessary, with both data and configuration details included. Ultimately, people across IT, OT, Security, Compliance, Legal, and other business teams need to be trained on the recovery process and their role in supporting the effort towards achieving true resiliency.
“if the industry doesn’t get out in front of the problem now, regulators … could potentially impose expensive and burdensome requirements.”
None of the above is a one-and-done exercise, especially as cyber threats are continually evolving. Organizations need effective governance to help maintain efficiency of security functions over time, and they must test, measure, and update them accordingly. This is not simply a technology issue. Organizational change management is needed to create muscle memory for new processes and tools, as well as to ensure collaboration between different teams. For instance, a brief, easily accessible, and role-specific playbook for new hires can help.
Staying Out in Front
We’ve witnessed an exciting digital transformation in manufacturing over the last few years. That shift has helped the industry meet pandemic-driven challenges, whether it involves enhanced automation, robotics, diagnostic and forecasting tools, or other M4.0 technologies.
But with new technologies come new cyber risks and vulnerabilities. Add on increasingly sophisticated threat actors, mounting geopolitical and supply chain instability, and workforce shortages, and it’s no wonder the industry has a more urgent focus on cybersecurity.
With cyberattacks becoming just one more cost of doing business, manufacturers have an opportunity to take a more strategic approach and develop not just cybersecurity, but cyber resiliency. Protecting your organization from threats is no longer solely about data security and compliance – it’s about ensuring the business can keep running and enabling continued transformation in an M4.0 world.
About the authors:
David Chaddock is a Director, Technology, at West Monroe.
Sean Duffy is a Senior Principal, Technology, at West Monroe.
David McGraw is a Senior Manager, Consumer & Industrial Products, at West Monroe.
Randal Kenworthy is a Senior Partner, Consumer & Industrial Products, at West Monroe.