As assembly plants become more digitally connected to both suppliers and customers, the potential threat posed by cyberattacks will only get worse. Cyberthreats to manufacturers are real, and the consequences can be devastating.
Aside from locking up host computers or holding critical data hostage, hackers could, for example, simulate that a robot or conveyor is working properly when it is not. As a result, the machine could produce faulty products or have a catastrophic breakdown.
In the past, plant managers and manufacturing engineers only had to worry about occasional machine breakdowns or malfunctions. But, things are much different in today’s Industry 4.0 era. A cyberattack thousands of miles away can shut down an entire factory.
Toyota Motor Co. recently learned that firsthand. Earlier this year, it was forced to suspend operations at 28 production lines across 14 plants in Japan for at least a day after a key supplier, Kojima Industries, was hit with a ransomware attack. The incident affected one-third of the automaker’s global production capacity.
According to a recent study by IBM Corp., the average cost of a data breach in 2021 was $4.2 million, which was 10 percent higher than in 2019. This includes the expense of discovering and responding to the breach, the cost of downtime and lost revenue, and the long-term reputational damage to a business and its brand.
The study also revealed that manufacturing is now the world’s most attacked industry, ahead of finance and insurance. Manufacturers were targeted in 23 percent of cyberattacks in 2021. And, the number of vulnerabilities related to Internet of Things (IoT) devices increased by 16 percent.
Manufacturers are particularly vulnerable to ransomware attacks. Ransomware schemes often target manufacturers by disabling their operations technology and blackmailing victims into paying to restore the functionality of their systems. Manufacturers that cannot afford to have production halted by hacks often have no choice but to pay the hackers’ ransom.
Industrial ransomware attacks increased significantly in 2021, with criminal groups specifically identifying manufacturers as vulnerable and profitable targets. Last year, manufacturing accounted for 65 percent of industrial ransomware incidents, according to Dragos Inc., a cybersecurity provider. The top three manufacturing subsectors targeted were metal components (17 percent), automotive (8 percent) and plastics (6 percent).
Unfortunately, most manufacturers remain unprepared for ransomware attacks, warns Peter Vescuso, vice president of marketing at Dragos and a member of the Manufacturing Leadership Council, a division of the National Association of Manufacturers that focuses on digital transformation.
Vescuso claims that 90 percent of manufacturers have limited visibility into their operational technology (OT) systems and are ill prepared with poor network perimeters. In addition, 80 percent have external connectivity exposure in their OT systems and 60 percent use shared credentials that make it easier for ransomware groups to infiltrate systems.
Assembly Lines at Risk
Manufacturers in every industry are transitioning to cloud-based operating systems, digital production processes and wireless networks. While this is great for productivity, it gives cybercriminals more vantage points for attacks and leaves assembly lines vulnerable.
“More technology reliance equals more risk for cyberattack,” warns Eyal Benishti, CEO of Ironscales, a company that specializes in email security. “As more entry points and vulnerabilities enter the manufacturing process, it’s critical that manufacturers maintain constant, real-time visibility to these systems, implement effective cybersecurity measures for systems of all maturities and have a back-up plan in the event of a successful attack.”
“Digital transformation and the interconnectivity of industrial automation machines with IIoT are making assembly lines more vulnerable, because now more than ever it’s almost impossible to have a fully air-gapped network,” adds Quade Nettles, cybersecurity services product manager at Rockwell Automation.
“Machine learning, predictive maintenance [and other state-of-the-art technology] require some form of internet connectivity for the transfer of real-time data,” explains Nettles. “This opens a threat vector that, if not secured correctly, can be compromised by cyber adversaries.
“All industrial automation is vulnerable to cyberattacks,” Nettles points out. “Robots, conveyors and other types of equipment are controlled by [software] programs, codes and processes. If an adversary gains access to an organization’s network, they can compromise and tamper with those automation programs and impact the functionality of those machines.
“The biggest misperception about cybersecurity is only critical infrastructure companies or other highly visible or popular [organizations] are at risk of a cyberattack,” says Nettles. “I’ve heard some companies say ‘we’re not important enough for someone to want to attack.’ Cyberattacks can happen to anyone and the motivation [behind them] differs based on the threat actor.”
According to Nettles, the biggest cybersecurity challenge all manufacturers face is how to prioritize vulnerabilities and threats, and determine which require immediate investment and action, and which they can live with. “For most manufacturers, hitting production targets is still the No. 1 priority,” he explains. “[Manufacturers] have to balance production needs vs. cybersecurity needs.”
Today, any organization that is connected to the internet is a target for cybercrime.
“No matter how small or specialized a business is, there are cybercriminals focused on breaking in,” warns Kevin Bocek, vice president of security strategy and threat intelligence at Venafi Inc., a company that specializes in securing machine-to-machine connections. “The parts of your network you thought of as ‘safe,’ or at least ‘safer,’ are still vulnerable, and cybercriminals are getting more and more efficient at breaking in.
“Robotic systems and processes are vulnerable in all kinds of ways,” explains Bocek. “One of the most commonly overlooked are machine identities. On every network, there are two actors: people and machines.
“People use names and passwords to gain access to networks, data and services,” says Bocek. “Machines also need to identify each other to connect to a network securely. However, machines don’t rely on user names and passwords. Instead, they use keys and certificates that serve as digital identities.
“Manufacturing organizations spend a lot of time and money protecting user names and passwords, but very little time protecting and managing machine identities,” claims Bocek. “Attackers know this, and they routinely target them in order to break in.”
The recent convergence of OT and IT has enabled business continuity and remote management needed during the Covid pandemic. But, it has also made cybersecurity more complex in factories.
While no company is safe from cyber threats, organizations that rely on OT are particularly at risk. Previously, OT systems consisted of standalone devices with no connection to the outside world, making assets virtually inaccessible. However, with Industry 4.0, those days are long gone. Formerly air-gapped OT assets are now connected to the internet because of various monitoring, control and automation benefits.
“The connection of OT systems to IT networks results in unintended exposure to [manufacturers],” says Terry Olaes, technical director at Skybox Security Inc. “Many OT attacks begin with an IT breach, followed by lateral movement to access OT systems. Threat actors [who engage in cyberattacks] can also use OT systems to access IT networks where they can deliver malicious payloads, exfiltrate data or launch ransomware attacks.
“Automation technologies are an incredible development in manufacturing, enabling unprecedented yields while driving down losses caused by error,” notes Olaes. “However, they also require instructions to work their magic, and this need for communication creates yet another attack vector. Unfortunately, the rapid increase in innovations for manufacturers that connect assets to networks has led to an 88 percent increase in OT vulnerabilities.
“The need to increase production often results in overly permissive access controls to enable connectivity for automation solutions to reduce friction,” claims Olaes. “Often, there is every intent to come back after the initial deployment and ‘tighten down’ the access control, but priority conflicts cause a delay in making the necessary changes. A skilled adversary requires very little time to infiltrate and infect a critical system, causing an expensive disruption or worse.”
Manufacturers Fight Back
Some manufacturers are taking an aggressive stance in the cyber wars. According to Olaes, they’re implementing vulnerability management strategies to maintain visibility into both their IT and OT environments.
“This means going beyond active scanning to include scanless detection techniques,” explains Olaes. “Traditional scanning is a reactive technique that alerts administrators of vulnerabilities and does not consider other factors that may influence the vulnerability. This leaves security teams wasting resources on issues that attackers may never find or know how to exploit.
“Modern vulnerability management strategies help manufacturers identify and assess risks more accurately,” claims Olaes. “This approach also enables organizations to prioritize resources and implement the most effective remediations by applying methods that reduce exposure. It allows manufacturers to cut off initial access where possible and prevent lateral movement between OT and IT systems if a breach occurs.”
“Manufacturers must remain resilient from today’s cyber threats, but to do it effectively will take a comprehensive strategy,” adds W. Curtis Preston, chief technical evangelist at Druva Inc., a software company that specializes in data protection. “Manufacturers have thousands of connected devices across many different sites and environments, including plant floors and data centers that store large quantities of critical data.
“To protect this data from malicious actors, leading organizations are turning to cloud data protection that can help them increase their cyber resilience by storing data off-site, which makes it resistant to cyberattacks,” Preston points out. “A software-as-a-service approach also plays directly into the time-tested 3-2-1 rule of data protection, which states that for data to be truly secure it needs to be backed up in at least three separate copies, on at least two different mediums, one of which is located off-site.”
Manufacturers in a variety of industries are also adhering to the IEC 62443 standard. It provides a thorough, systematic set of cybersecurity recommendations for defending industrial networks.
“Leaders in the field are focusing on implementing technologies and processes that enable them to see the reality of what’s happening within their networks and the ability to proactively take action to mitigate any potential threats before they’re impacted,” says Andrew Nix, OT cybersecurity solutions and services manager at Schneider Electric.
“The IEC 62443 standard lays out a framework that any organization can follow to set themselves up to defend against certain levels and types of cyberattacks, as well as laying out the tools, technologies and processes to achieve that in a framework,” explains Nix.
Specifically, Nix says there are several steps that all manufacturers can take to help ensure the security of their networks and operations:
- Build a holistic and vendor-agnostic approach to cybersecurity. “Since many OT systems interact and depend on each other to function properly, the entire environment needs to be protected in a way that can be managed centrally,” says Nix.
- Use available standards and regulatory requirements. All security standards, such as IEC 62443, contain strong reference models for the secure development of industrial automation and control systems, giving manufacturers a starting point for their cybersecurity journey.
- Train all team members on cyber policies to create a culture of cybersecurity. “All it takes is one person clicking on a phishing email to infect the network, so it is critical for everyone in the organization to know how they can ensure they’re not the weak link,” explains Nix.
- Monitor anomalous behavior in day-to-day operations. Looking for abnormal network activity, such as incorrect logins or unapproved changes, is critical to remediate issues, perform root cause analysis and prevent them from reoccurring.
- Utilize advanced tools to fight the latest threats. “A new side of the cybersecurity environment is the emergence of AI tools that can do the heavy lifting by learning the network and identifying threats in real-time, then letting employees focus on solving the problems with the insights provided by the tools,” says Nix.
Bridging the IT vs. OT Divide
Operational technology equipment operates in a way that is fundamentally different than IT devices. It functions differently, communicates differently, and is more sensitive to network scans and patches.
This opens OT equipment up to more risks and vulnerabilities for manufacturers: internally, by accidentally overwhelming a device in a way that causes a failure, and externally, via manipulation of an unsecured protocol or out-of-date firmware.
One of the top cybersecurity challenges facing many manufacturers is bridging the IT vs. OT divide. Since the advent of Industry 4.0, there has been an increasingly converging IT-OT pattern that is changing the dynamics of data analytics, production equipment and other functions. Assembly line machines and tools that have previously been offline are being brought online by the power of IoT.
“This is an ongoing challenge for every manufacturing organization,” says Venafi’s Bocek. “The reality is that the two teams, who typically have different goals, have to work together to create an effective cybersecurity program that doesn’t slow the business down. The only way to do this is with strong executive leadership.”
“Typically, IT is responsible for cybersecurity within plants,” adds Rockwell Automation’s Nettles. “[It’s a good idea to] have a cross-functional team of IT and OT engineers jointly responsible for cybersecurity, which ensures that the unique needs of OT are understood by IT.
“A common challenge we hear from organizations where IT is solely responsible for cybersecurity is IT wants to patch everything regardless of the risk the patch could cause if it renders a machine or program inoperable,” says Nettles. “[I suggest] conducting a cyber workshop to align all team members or bring in a third party to help establish cybersecurity policies, processes and procedure based off of the input from both OT and IT.”
“Many manufacturing organizations don’t have visibility into their attack surface,” notes Skybox Security’s Olaes. “This doesn’t come from blind spots, such as unscannable OT and network devices alone. It’s also from organizational siloing that occurs between IT and OT departments and their various teams.
“Each group has responsibility for a small piece of the bigger picture, but no one has a complete view,” warns Olaes. “Without total visibility, it’s challenging to detect vulnerabilities, misconfigurations, faulty design or unauthorized changes.
“It’s also becoming increasingly difficult to recognize and respond to complex attacks,” Olaes points out. “Because of this, individual IT or OT teams may only see isolated incidents and fail to recognize that these are part of larger campaigns.”
According to Olaes, there is often an organizational disconnect in manufacturing organizations where some departments refuse to believe OT systems are vulnerable, while other areas believe the next breach is imminent. Chief information security officers (CISOs) and chief information officers (CIOs) are often less in tune with OT security risks, because it’s an entirely different domain.
While IT focuses on information, OT focuses on operations and physical assets. These parts of an organization often have entirely different objectives or priorities, and require different skill sets.
“Unlike CISOs, plant managers are on the factory floor working with the machines,” explains Olaes. “They see the potential threat vectors evolving and the sticky notes with passwords around the plant floor. They know that OT devices are often plugged into networks without changing default passwords and exploitable default settings. They also see firsthand the cost of machine failure and the possibility of injury when something goes wrong as a result of a breach.
“IT teams typically make cybersecurity decisions for manufacturing organizations with no central oversight of other teams,” says Olaes. “Unfortunately, this doesn’t provide the required alignment across IT and OT teams needed for today’s threat landscape, creating a gap in security.
“Because of this, enterprises working to establish a convergence of IT and OT networks face challenges due to separate reporting structures and inconsistent security practices across teams,” warns Olaes. “Most OT network teams typically report to the chief operating officer, while IT network teams usually report to the CIO. These teams have different goals and approach security from different perspectives.
“Manufacturers need to create a standard view and processes to eliminate silos between security, IT and plant managers,” claims Olaes. “Security blind spots can be mitigated through the ability to share data across teams, assets and infrastructure, allowing for the collection and optimization of data. The ability to aggregate and analyze data across devices enables teams to speak the same security language and work together to find and prioritize critical vulnerabilities.”
Four Dangerous Cybersecurity Myths
The volume of cybersecurity incidents is on the rise across the globe, but several misconceptions persist, including the notion that:
- Cybercriminals are outsiders. In reality, cybersecurity breaches are often the result of malicious insiders, working for themselves or in concert with outside hackers. These insiders can be part of well-organized groups backed by nation-states.
- Risks are well-known. In fact, the risk surface is still expanding, with thousands of new vulnerabilities being reported in old and new applications and devices. And opportunities for human error—specifically by negligent employees or contractors who unintentionally cause a data breach—keep increasing.
- Attack vectors are contained. Cybercriminals are finding new attack vectors all the time, including Linux systems, operational technology, Internet of Things devices and cloud environments.
- My industry is safe. Every industry has its share of cybersecurity risks, with cyber adversaries exploiting the necessities of communication networks within almost every government and private-sector organization. Ransomware attacks are targeting more sectors than ever, and threats on supply chains have also increased.
Source: IBM Corp.
Four Tips for Effective Cybersecurity
1. Start by creating a topology diagram of all IT and OT assets and identify connectivity.
2. Identify prevention, detection and response cybersecurity controls in place to thwart a cyberattack to steal data, install ransomware or disrupt operations. Plug any holes in controls.
3. Perform a tabletop exercise to assess resiliency to a cyberattack and identify weaknesses.
4. Continually test cybersecurity controls to detect security holes and fix them so attackers cannot exploit them.
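
The first two tips can be worked through in code. The following Python sketch is an added example, not part of the original article: it takes an asset inventory and a list of allowed network flows, then reports endpoints missing from the inventory, flows that cross the IT/OT boundary, and the shortest allowed path from any internet-facing asset to each OT asset. All asset names, zones, ports and flows are constructed sample data.

```python
from collections import deque

# Constructed sample inventory (tip 1): asset -> zone, and whether it is internet-facing.
ASSETS = {
    "vpn-gateway":     {"zone": "IT", "external": True},
    "mail-server":     {"zone": "IT", "external": True},
    "erp-server":      {"zone": "IT", "external": False},
    "historian":       {"zone": "IT", "external": False},
    "eng-workstation": {"zone": "OT", "external": False},
    "plc-line-1":      {"zone": "OT", "external": False},
    "robot-cell-3":    {"zone": "OT", "external": False},
    "safety-plc":      {"zone": "OT", "external": False},
}
# Constructed allowed flows (source, destination, port), e.g. exported from firewall rules.
FLOWS = [
    ("vpn-gateway", "erp-server", 443),
    ("mail-server", "erp-server", 25),
    ("erp-server", "historian", 1433),
    ("historian", "eng-workstation", 3389),   # permissive rule never tightened
    ("eng-workstation", "plc-line-1", 44818),
    ("eng-workstation", "robot-cell-3", 502),
    ("plc-line-1", "vendor-modem", 22),       # endpoint missing from the inventory
]

def zone_of(assets, name):
    return assets.get(name, {}).get("zone")

def unknown_endpoints(assets, flows):
    """Flow endpoints that the inventory does not list (visibility gaps)."""
    return sorted({n for s, d, _ in flows for n in (s, d) if n not in assets})

def boundary_flows(assets, flows):
    """Flows that cross directly between the IT and OT zones."""
    return [f for f in flows
            if {zone_of(assets, f[0]), zone_of(assets, f[1])} == {"IT", "OT"}]

def exposure_paths(assets, flows):
    """Shortest allowed path from any internet-facing asset to each reachable OT asset."""
    adj = {}
    for src, dst, _port in flows:
        adj.setdefault(src, []).append(dst)
    parent = {n: None for n, a in assets.items() if a["external"]}
    queue = deque(parent)
    while queue:                      # multi-source breadth-first search
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    paths = {}
    for name in parent:
        if zone_of(assets, name) == "OT":
            path, cur = [], name
            while cur is not None:    # walk parent links back to the entry point
                path.append(cur)
                cur = parent[cur]
            paths[name] = path[::-1]
    return paths

if __name__ == "__main__":
    print("Not in inventory:", unknown_endpoints(ASSETS, FLOWS))
    print("IT/OT boundary flows:", boundary_flows(ASSETS, FLOWS))
    for asset, path in exposure_paths(ASSETS, FLOWS).items():
        print(f"{asset}: {' -> '.join(path)}")
```

In this sample, removing the single boundary flow leaves no allowed path from the internet-facing assets to any OT asset, which is the kind of hole tip 2 asks teams to plug.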