More companies are taking a disciplined approach to dealing with the growing threat of cyber attacks, a new MLC survey finds.
The message has been received.
After years of mounting warnings about the risks of being hacked or worse and now faced with a sharply rising number of cyber attacks in the industry, manufacturers have taken concrete steps to fortify their defenses and protect themselves against what is widely assumed will be an even larger threat in the years ahead.
More manufacturers than ever before have put in place formal cybersecurity plans in their companies to deal with threats and attacks. They are significantly increasing their levels of confidence that they have the internal expertise in place to deal with cybersecurity issues. And a majority of companies now have dedicated cybersecurity budgets, including provisions for cyber insurance, and are providing cyber awareness and technical training to their employees.
These are some of the most important findings of the Manufacturing Leadership Council’s new survey on cybersecurity. More than 160 companies expressed their views on cybersecurity strategy in their organizations, whether they have been attacked and what the nature of those attacks were, what measures they have adopted to defend themselves, and how the growing problem of cybersecurity may be affecting their adoption of Manufacturing 4.0 and their transition to the digital model of manufacturing.
Formal Planning Takes Off
A sea change in how seriously manufacturers consider the cyber threat has occurred at the strategy level. Just four years ago, according to MLC’s 2018 cyber survey, barely one-third of manufacturers had devised and adopted formal cybersecurity plans that encompassed their plant floors. Today, the new MLC survey shows that nearly 62% have put such plans in place (Chart 1).
The more serious attitude is directly related to the perceived consequences of cyber attacks. When asked how important cybersecurity is as a business issue, 83% of survey respondents said it is of high importance, compared with 66% saying so in 2018. Moreover, 64% said this year that business disruption is the most significant cybersecurity-related risk to their companies, compared with 58% in 2018. Interestingly, very few fear equipment or product damage from cyber attacks and only 18% this year are worried about the theft of proprietary information (Charts 2,3).
The advent of connected business ecosystems will test current cyber strategies.
Bolstered by the greater focus on formal planning and now regular awareness and technical training for employees on cybersecurity, a growing number of manufacturers feel confident that they have the internal expertise to deal with manufacturing-related cyber issues. This year, nearly 40% of survey respondents said they had a high level of confidence about their internal expertise, compared with 25% saying so in 2018. Another 46% assessed their confidence levels as moderate this year (Chart 4).
More Attacks Expected
Even as better cybersecurity strategies are put in place and confidence in internal capabilities to deal with threats and attacks grows, an overwhelmingly large number of manufacturers expect more attacks in the year ahead, a perception that is no doubt driving much of the greater emphasis on defensive measures.
This year, nearly 79% of survey respondents said they expected more attacks in the next year, compared with 64% expressing that feeling in 2018 about 2019 (Chart 8). The three most cited reasons for this expectation are more criminal activity; greater connectivity in their operations, particularly with Internet of Things technologies; and more cyber terrorism (Chart 9). Of least concern: insider- or supply chain-originated attacks. Phishing, malware, and ransomware are the most prevalent methods of cyber attack cited by respondents overall.
When asked to assess the cyber battlefield and its most important points of vulnerability, survey respondents painted an interesting picture of where conflict is most likely to play out.
Mobile devices, e-mail servers, and laptop computers were cited by respondents as having the highest level of cyber vulnerability – not plant floor equipment or plant floor control systems. Looked at from a business function or activity perspective, a similar dynamic – vulnerabilities caused by external connections – was revealed in the survey data. Social media networks, partner and distribution networks, and supply chain networks were the most cited points of vulnerability – not plant floor networks, design and innovation networks, or field service operations. In addition, respondents said their best protected systems are their ERP and MES systems.
More manufacturers than ever have adopted formal cybersecurity plans.
What these findings suggest is that, as manufacturers go about forging so-called business ecosystems of partners, suppliers, and customers that are increasingly digitally connected, they will have to extend existing cyber strategies and tactics or even create new ones to protect these networks in the future. This is perhaps the next frontier in cybersecurity.
Manufacturers are starting to decode these signals. When asked in this year’s survey whether they have introduced or changed cybersecurity requirements for external partners and vendors with which they share data, 48% said that they had. In addition, 70% said the increase in remote working spurred by the pandemic has caused them to make adjustments to their cyber policies.
The Effects on M4.0
Based on their perception that cyber attacks will increase in the years ahead, more than half of survey respondents expressed concern that cybersecurity issues could affect the speed and scope of adoption of Manufacturing 4.0. Fourteen percent said cyber could be a major obstacle in the next five years, with another 40% describing it as “an issue of concern”. A significant percentage, 43%, consider cyber to be just part of doing business in an M4.0 world (Chart 13).
As they devise their defenses, manufacturers are relying more on internal mechanisms, such as corporate best practices and policies and closer collaboration between IT and OT teams, rather than law enforcement or government regulations (Chart 10).
Moreover, more are taking advantage of publicly available approaches, such as the NIST Security Framework, to underpin their strategies. This year, almost 58% of survey respondents said they have adopted the NIST framework, up from 48% in 2018. In addition, there has been a sharp rise in those subscribing to cyber insurance – 45% today, compared with only 18% in 2018 (Chart 12).
All in all, manufacturers have been moving on multiple fronts to combat the growing cyber problem. The challenge for industrial companies going forward will be to try to stay one step ahead as the number and sophistication of attacks increase even as they expand their digital networks outside the four walls of their business. M
Part 1: CYBERSECURITY STRATEGY AND ORGANIZATION
1. Strong Majority Now Have Formal Cyber Strategies
Q: How would you characterize your company’s approach to dealing with manufacturing cybersecurity?
2 Business Issue Concerns Rise
Q: How important is cybersecurity as a business issue to your company, in terms of securely interconnecting systems or exchanging operating data within, or across, your manufacturing sites and partner companies?
3 Business Disruption Still Leads Cyber Risks
Q: What is the most significant cybersecurity-related risk to your company’s manufacturing operations?
4 Internal Expertise Confidence Rises Sharply
Q: What level of confidence do you have that your company has the internal expertise to deal with manufacturing-related cybersecurity issues?
Part 2: MANUFACTURING CYBER ATTACKS AND EVALUATION
5 Nearly Half Have Suffered Cyber Attacks
Q: Have your company’s manufacturing sites ever been a target or a victim of a cyberattack?
6 Nearly Half Also Say that Attacks Have Increased in the Last Year
Q: Have attacks directed at your company’s plant systems and networks increased over the past year?
7 Frequency of Attacks is Significant
Q: How would you characterize the frequency of attacks?
8 More than Three-Quarters Expect More Attacks Ahead
Q: Do you expect your company to experience more attacks in the year ahead than in the past year?
9 Criminal Activity Cited as Top Reason for More Attacks
Q: If yes, what’s driving the increase?
Part 3: POLICIES TO DEAL WITH CYBER ATTACKS
10 Corporate Polices Seen as Best Defense
Q: What do you think will help the most in improving manufacturing cybersecurity in an M4.0 world?
11 Remote Work Has Forced Cyber Policy Changes
Q: Has an increase in remote work required any new changes or adjustments to your cyber policies?
12 NIST Framework is More Widely Adopted
Q: Are you engaged in, or have adopted, any of the following approaches as a way to better protect your company or mitigate cyber risks?
Part 4: THE FUTURE ORGANIZATION
13 Concerns Rise on Effect of Cyber on M4.0
Q: Over the next 5 years, how much of an obstacle will cybersecurity issues be to the speed and scope of adoption of Manufacturing 4.0 technologies and approaches?
About the author:
David R. Brousell is the Co-Founder, Vice President & Executive Director of the Manufacturing Leadership Council.
Survey development was led by David R. Brousell, with input from the MLC editorial team and the MLC’s Board of Governors.