Cybersecurity for Manufacturing: Is Your Facility Secure?

Digitization and automation make manufacturing processes smoother and more efficient, but they can also raise cybersecurity concerns for manufacturers. Automation applications include robotic material handling or product assembly, process monitoring and quality assurance, and programmable configuration of batch production jobs to various specifications. The modern factory is characterized increasingly by operators working closely with a host of sensors and controllers that enhance process productivity, consistency, and safety.

The connected factory also captures huge amounts of data for analytic uses, which today often include machine learning and artificial intelligence (AI). Many companies leverage production data to optimize complex manufacturing environments in real-time, better predict and manage operations to drive down production costs, and gain valuable insights to develop and refine their products. For example, data from automated systems used to carry out routine preventive maintenance is now also used to provide predictive maintenance, in which AI-driven models detect unscheduled repair needs and proactively alert process owners.

The problem? Hackers find this environment attractive, whether to steal intellectual property secrets, to hold data for ransom, or just to wreak havoc. Automation and digitization are often added into manufacturing processes over time in an organic, ad hoc fashion—rather than as a holistic, enterprise-wide effort. The lack of a comprehensive plan for digital adoption, as well as inadequate initial investment in solution security, can present opportunities for bad actors.

Early industrial control and manufacturing systems operated in isolation. Specialized hardware and software, located in physically secured areas, communicated over proprietary protocols and were not connected to other systems or the internet. That’s all changing.

Now, more plant systems and equipment use traditional IT networking protocols for data transmission; these connected devices are known collectively as the industrial internet of things (IIoT). But software can become outdated. Not all companies monitor and audit their systems carefully enough to detect vulnerabilities and patch against attacks, exposing themselves to potential downtime events, lost intellectual property, and compromised customer trust. A single cyber attack can inflict immediate operational, financial, and reputational damage on an unprepared enterprise.

Manufacturing Cybersecurity Risk By the Numbers

  • Automation is popular. A Sikich survey found that 79% of production process/machining companies had at least some automation of operations. That included 64% of assembly companies reporting they used automation, as well as 60% of packaging companies [1].
  • Data breaches are common. Half of manufacturers faced at least one data breach or cyber attack during the past year [1].
  • Internet of things (IoT) is a popular way in. Gartner predicted that in 2020, more than 25% of identified attacks in enterprises would involve IoT. Yet IoT makes up less than 10% of IT security budgets [2].
  • Vulnerability advisories are rising. The Department of Homeland Security issued 233 vulnerability advisories for industrial control systems in 2018, up from 17 in 2010 [3].
  • Passwords and other credentials are vulnerable. Of manufacturers’ data breaches this year, 55% involved leaked credentials, 49% personal data, 25% other, and 20% payment data [4].

Technology Challenges Manufacturers Face

  • Aging systems: Manufacturers face big challenges with cybersecurity and automation. Some companies are not upgrading their legacy systems, and their operational environment includes older equipment without built-in security. Data transmission may predate modern security standards and rely on ‘security by obscurity’ to avoid attacks. Upgrades can be expensive and unique to the software or hardware. 
  • Managing downtime: Manufacturers may also need to operate 24/7, so bringing systems offline in order to upgrade is an expensive proposition. If an update causes any problems, the facility may incur even more downtime than anticipated. With these risks in mind, some manufacturers put off investment in security and modernization projects.
  • Lack of integration: The lack of an integrated system makes it harder to gain visibility into vulnerabilities and to develop a coherent risk management strategy. A manufacturer may have applications and software that do not live on one platform or common operating system. These disparate systems and their interfaces comprise a larger and less manageable attack surface.
  • Supply chain issues: Manufacturers rely on large networks of third-party vendors for raw material and product components. That may involve connecting software systems to suppliers’ IT services, introducing security risks. A company is only as secure as its weakest link, so an attack penetrating a vendor system can potentially expose the manufacturing environment as well. 

Staving Off Manufacturing Cyber Attacks

Manufacturers should implement a formal cybersecurity practice if there’s not one already. And if there is a cybersecurity for manufacturing practice, it’s time to revisit the plan and see how it can be improved. Start with a security audit, which should be repeated periodically even after a comprehensive plan is in place. 

Auditors should determine which IT systems to focus on, starting with those that are the highest in importance to the facility—or those that may have been compromised previously. A review may include the cybersecurity manual, policies and procedures in place, system architecture, network configuration, the types of hardware and software in use, past incident reports, prior audit reports and action plans, and a facility organizational chart. Auditors should also meet with process owners across the plant to better understand the current technical landscape, document risks, and identify potential improvement opportunities.

Manufacturers may want to use the NIST 800-171 cybersecurity framework as a guide [5]. The framework includes basic security categories such as access control, awareness and training, configuration management, identification and authentication, incident response, maintenance, data integrity and loss prevention, personnel security, physical protection, and security risk assessment.

Since a cybersecurity issue can affect any team, as well as the company as a whole, both audit and cybersecurity for manufacturing program development efforts should involve leadership in all business areas. Sharing the ways each department can be impacted and how individuals contribute to security is a good way to generate buy-in.

The manufacturing firm should appoint a cybersecurity lead within the IT organization, with the executive backing, budget, and decision-making power to affect the entire risk reduction journey—including regularly scheduled audits, maintenance, and additional investment. Companies shouldn’t forget about the importance of maintaining back-up systems, as well as hosting critical applications and data across locations. Redundant, isolated systems limit the blast radius and potential data loss associated with a cyber attack.

It’s not always possible for a program to address every item on the cybersecurity wish list. There may not be enough financial or human resources to tackle everything at once. Therefore, manufacturers may find the most value by prioritizing risk mitigation items according to cost and potential severity, then developing an accompanying roadmap and timeline.

With a comprehensive program in place, every time a new piece of hardware or software is considered, security should be part of that process, built into development and integration before it goes live. Any new connection with another application, program, or client constitutes a potential vulnerability. The time to consider security is at the evaluation and planning stages of a project, not the go-live date.

How Maven Wave Can Help

Your company doesn’t need to start the process from scratch. Maven Wave works with top-tier manufacturers to conduct enterprise audits, develop security roadmaps, and implement best-practice solutions. Adoption of cloud infrastructure and services is often a key component of modernization programs in manufacturing. Cloud can help reduce overall IT spend while enhancing business continuity and agility for the enterprise. 

Cloud computing can also help manufacturing organizations meet their security objectives while leveraging existing, on-premise investments. The Google Cloud Platform, for example, supports encryption of data at-rest and in-transit, access management for users and devices, and deployment of applications with built-in, end-to-end security. Google Cloud also enables secure hybrid cloud models, in which local systems are integrated with cloud resources to deliver greater capability and economy. Google networking services enable enterprise-grade private connections between on-premise and cloud infrastructure, allowing flexible expansion and transformation of data centers and hosted applications. 

Google Cloud’s Identity-Aware Proxy (IAP) allows customers to use a single point of control to manage user access to web applications and cloud resources. Google Cloud launched its BeyondCorp Remote Access earlier this year, though it uses the same SaaS platform Google has relied on internally for years. Based on zero-trust principles, the platform enables employees to securely access internal applications, whether in the cloud or on-prem, without needing a traditional VPN. Google’s Anthos provides management of application deployment across local and cloud platforms—as well as multi-cloud environments—while integrating security into each phase of the development life cycle.

Google Cloud also features device management, data streaming, real-time analytics, and distributed storage services to support migration of critical industrial IoT applications to its secure and highly available platform. With these tools, a manufacturing IT organization can offload data and application workloads while retaining necessary functionality and performance at the edge.

A manufacturer’s cybersecurity exposure spans sensitive financial and customer data, as well as the operational systems used to develop and produce its products. We are happy to walk you through the cybersecurity for manufacturing audit and planning processes, and pinpoint ways in which Google Cloud and Maven Wave can make your facility more secure. Contact us to get started.

[1] https://www.sikich.com/wp-content/uploads/2019/06/SKCH-MD-Report-2019-1.pdf

[2] https://www.gartner.com/imagesrv/books/iot/iotEbook_digital.pdf

[3] https://www.gao.gov/assets/710/701079.pdf?mod=article_inline

[4] https://www.thomasnet.com/insights/verizon-says-73-of-manufacturing-data-breaches-are-financially-motivated-report//

[5] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf

December 9th, 2020