In a guest blog by James Cash, founder and MD of Birmingham IT support company, Superfast IT and advocates of the WMCRC business starter membership, James details the distinctive cyber challenges in manufacturing and provides proactive cyber security advice for engineers and business owners to radically reduce their chances of being exploited.
Manufacturing’s unique cyber risks
Cybercriminals, like any criminal, hunt for the most vulnerable and profitable targets. Their aim: to find exploits that reliably produce a fast return. The manufacturing and engineering sector offer just this. While every modern business should have a basic level of cyber security, the manufacturing and engineering industry has a distinctive set of characteristics that cybercriminals can take advantage of. And there isn’t just one, but several Achilles heels which make manufacturers a highly attractive target:
Digitised and connected manufacturing plant = More points-of-entry. High risk of sabotage
High-value data = Leverage
The cost of downtime = Leverage. Ransomware paid quickly to get production back up and running
Connected supply chain = High risk through uncontrolled third parties
Smart factory and the adoption of new technology
We work in an ever-connected world. The manufacturing and engineering industry is embracing Industry 4.0, digitalisation and smart technology. UK manufacturing is on board with government’s ambitious plans to become world leaders in new industries such as connected and autonomous vehicle (CAV) and clean technology, while embracing the digital twin, augmented reality, big data, artificial intelligence, 5G and additive manufacturing.
The smart factory digitally connects these new technologies to other IT systems to ‘speak’ to one another. It means that if one system is hacked, for example your emails or your IoT device, a cybercriminal can potentially access many other systems. This could include monitoring systems, designs, intellectual property (IP) and procurement data – all of which are all typically connected within a manufacturing business.
Sabotage and data leaks threats used as leverage
Hijacked IT systems can cause great damage. Cybercriminals are not afraid to shut down your IT and use factory downtime and the threat of high-value data leaks as leverage. They are looking for a fast return and factory owners need production back up and running as quickly as possible.
Consider, what high-value information could be accessed from your business? IP theft is commonplace. Hackers have been known to steal cyber insurance documents to understand how much money they can extort.
What settings could be changed to sabotage your operation? For example, temperature changes in an industrial furnace would lead to a serious fire.
Increased number of entry points
The smart factory increases the number of entry points into your business, due to the addition of connected IoT devices e.g. sensors. Every IoT device is an entry point into your business, in addition to your computers, laptops, smart phones and devices. Every entry point can potentially be hacked, providing a gateway to all business IT systems.
More points-of-entry equate to increased cyber risk. It is very important that manufacturers secure every point of entry into their business.
Connected supply chain
The sophisticated manufacturing and engineering supply chains are digitally interconnected. It means third party suppliers could become the entry point of a cyber-attack. It is easy to lose track of large and complex supply chains and vulnerabilities can be introduced and exploited at any point in the supply chain.
Why cyber security is important for manufacturers
Manufacturing businesses should expect some form of cyber-attack at some point. It is important that the risks of a cyber-attack are understood. A lack of preparation will increase your risk of falling victim.
No preparation could be devastating
Manufacturing and engineering business that don’t act are most vulnerable to a cyber-attack. Most cyber-attacks are not sophisticated and can be easily prevented by implementing basic cyber security measures. However, if you are not prepared, the damage is potentially devastating and hugely disruptive. How long could your business survive if operations or financial systems went down – days, weeks, months?
Cyber-attack could cause the next big recession
The next global financial recession can realistically be caused by a cyber-attack. Some of the world biggest cyber-attacks have been analysed and acknowledged that a serious cyber-attack could have the same effect as the pandemic or global financial crisis recessions. Cyber security should form part of your risk management and contingency planning.
Cyber-attacks are common in manufacturing
Make UK report that 47% of manufacturing businesses have been hit by a cyber-attack in the past 12 months.
Cyber security is taboo
Many businesses do not report cyber-attacks. Make UK report that one-third would not report a cyber incident. The potential reputation damage makes the topic taboo. In order for the industry to learn and develop, there needs to be an open forum to hear about the issues and challenges other businesses have faced from a cyber-attack. Progress is potentially being hindered by its taboo status.
Proactive cyber security advice for manufacturers
By following best practise, many cyber threats can be mitigated. Cyber security isn’t about having expensive security, but adopting good habits. A proactive business culture to security can mitigate a manufacturer and engineering firms security risk. Use the following points below to improve your manufacturing business’ cyber security:
1) Add cyber security to the boardroom agenda
Normalise security. Encourage security to be discussed. Add focus and continuous improvement by adding cyber security to your management team’s monthly agenda.
Keep up to date with GDPR legislation. GDPR was introduced as a first step by the UK Government to create a base level of data security within organisations. Maintain and review your GDPR processes to prevent receiving heavy fines from the Information Commissioner's Office (ICO). Serious breaches should be reported to the ICO within 72 hours, otherwise you will be fined.
3) Cyber Essentials
The second step introduced by the UK government to protect UK businesses from cyber-crime was the introduction of Cyber Essentials. By meeting Cyber Essentials assessment criteria you are mitigating against 80% of all cyber incidents. I would highly recommend all manufacturers to gain this accreditation. It is one of the best ways to protect your business.
Many large clients now stipitate having Cyber Essentials as part of their supply chain security requirements because it provide such a good base level of security. Businesses wanting further accreditation can obtain Cyber Essentials Plus or one of the ISO 27000 series of security standards to impress prospects and clients.
4) Secure manufacturing equipment
The capital-intensive equipment found in the manufacturing and engineering industry form a serious cyber security vulnerability. The life cycle of manufacturing assets/equipment is normally decades. This means that when machinery or a high-value asset has a computer, over time, security rapidly declines.
If we compare this to an everyday laptop, it receives regular security updates and after five years the technology is outdated and a security risk. Once support from the manufacturer or the operating system has ended this laptop should be quickly replaced.
The computer within an asset does not typically receive any security updates, ever. While the asset’s computer will be out of date in 5 years, like the laptop, the asset’s life cycle will still be 20-30 years. The security and IT implications are huge. The computer within the asset essentially needs to be completely isolated from the rest of the business’ IT systems in order to remain secure.
Manufacturing assets can be easily hacked when IT networks are not properly managed. What setting could a hacker change in your business? Sabotage is a huge risk.
5) Consider your supply chain security
Cybercriminals target SMEs in complex supply chains because smaller businesses typically have fewer security controls. It can be used as way of infiltrating larger organisations. Many supply chain security requirements ask for Cyber Essentials for this reason.
How about if you are a tier 1, 2 or 3 supplier? Do you check your suppliers security? All businesses should routinely audit their suppliers, particularly those holding sensitive data, for example, solicitors, accountants and IT companies, but this could extend to all of your suppliers.
Audit your suppliers by simply asking: ‘What security measures do you have?’ Later, set minimum security requirements e.g. Cyber Essentials.
6) Secure your Intellectual property (IP)
Manufacturing and engineering businesses have high value IP’s – these are targeted by cybercriminals. Victims of IP theft are asked to pay a ransom during a ransomware attack. If the ransom is not paid then the precious documents will be leaked, which may mean losing your competitive advantage. UK Government stats suggest it costs UK businesses an estimated £9.2bn every year from theft of IP.
Always limit access to sensitive documents. By limiting access, there are fewer ways it can be hacked, and therefore less likely that the information can be stolen. Also, enable two-factor authentication (2FA). This is where a username and password is required, but also an extra method of verification, such as SMS or email.
7) Secure IOT devices
It’s essential that every engineering and manufacturing business identifies and lists their IoT devices. As previously discussed, each device is a potential access point a hacker can use to enter your IT infrastructure and access other business IT systems. IoT devices should have their default passwords reset and receive regular security updates. Two factor-authentication is also recommended.
If the IoT device discontinues being used, it should be properly decommissioned so that it no longer connects with your business’ digital framework. It should also be restored back to factory settings and any data deleted. If you think your IoT device is insecure or has been hacked, turn it off and seek advice from your IT support.
Also, research IoT devices before you purchase. What security controls does the IoT device have? Look out for the IoT Security Assured certification, which demonstrates that manufacturers have proved that their devices meet UK and EU legislative requirements.
8) Expect more legislation changes
Much like the smart factory, cyber security is a new industry. Legislation will continue to change as the sector matures, so expect to have to adapt and change. During the 2021 Queen's Speech, the Product Security and Telecommunications Infrastructure Bill was introduced. It will be brought before Parliament in the next parliamentary session and will issue manufacturers, importers and distributors with the requirement to meet minimum security standards for consumer connected products.
Expect more legislation. Government report to be disappointed in the uptake of cyber security within businesses generally. Legislation will be quickly introduced to take control of industry’s lack of action to reduce the national security risk.
9) Outsource where in-house cyber knowledge ends
Be realistic about what you can do in-house in terms of time, but also bridging your knowledge and skill gaps. Just like your business needing an accountant or solicitor, it is likely that you will need to outsourced specialist partners in cyber security.
In the worst-case scenario, victims of serious cyber-attacks often require outsourced security expertise. Don’t wait for a cyber-attack to appoint a cyber security partner, when your decision will have to be rushed. Make a considered decision and appoint a long-term security partner sooner rather than later.
10) Utilise free Government resources
The National Cyber Security Centre holds key information for businesses about cyber security. Use their free guides and advice. Also, join the West Midlands Cyber Resilience Centre’s free or paid membership. We also have five Regional Cyber Security Centres located around the country. All of our partnering centres help businesses - of all sizes - to become cyber secure.
We hold regular, helpful webinars, while also providing free and heavily discounted cyber security tools. Cyber security does not have to complicated but it does need to be considered a key business function today. By implementing these core security controls, manufacturing businesses can mitigate against most security threats and be prepared for the future.