Cybersecurity attacks against manufacturing have increased in the last several years and will continue to do. While a majority have a financial motive rather than corporate espionage, the result is the same: It costs a company time, money and has a negative on its reputation.
“We hear constantly that security is an afterthought, but that mindset doesn’t work. Security has a place everywhere before you think it’s supposed to,” said Jeremy Dodson, chief information security officer (CISO) at NextLink Labs, in the presentation “Advancing Secure Digital Transformation in Smart Manufacturing Through Foundational Best Practices” at Automate in Detroit, a show and conference coordinated by the Association to Advance Automation (A3).
Cybersecurity attack methods have also changed, said Leah Dodson, cybersecurity specialist at NextLink Labs. Pre-COVID, social engineering was the preferred method, which is more about fooling people and taking advantage of the human element. Now, system intrusion is the preferred attack method for manufacturing. Regardless of how it happens, awareness is very low and it’s usually too late when the attack is discovered.
“Usually by the time someone knows about an attack, the attackers are already looking for their money,” she said.
As to why system intrusion has become the preferred method, Jar Korpi, principal cybersecurity advisor at NextLink, said the attackers are not unlike their targets. “They go for the least intrusive method when they attack. Perhaps reporting is getting better and phishing training is getting better. If you’re an attacker and you see this, you find another way.”
Four ways to improve cybersecurity mindset
Companies looking to improve their security platform need to take a proactive and all-encompassing approach with these four steps:
- Asset visibility.
- Supply chain management.
- Changing roles and responsibilities.
- Policy development and operational objectives.
Total asset visibility benefits
“The reason to gain insight is it gives you an opportunity to take that information and apply it to all the decisions you’re making as an organization,” Leah said. “You can’t make an informed decision unless you know what you have and that’s where asset visibility comes in.”
Total asset visibility is about maintaining accurate and accessible information on physical and digital assets. It’s also about mapping asset relationships and being able to act on information when situations come up. That’s easier said than done in a large facility, of course, especially when there are many physical devices and systems in a facility.
When taking stock of physical devices and systems, companies need to be able to answer these questions:
- What is it?
- Where is it?
- Why is it here?
- Who manages it?
- When was it last updated?
- What risk does it pose?
“If you can’t answer these questions, you have a problem,” Jeremy said.
Most companies, to their credit, can answer the basic questions, but as they get toward the bottom, problems exist. “They often have a basic understanding, but there’s no true person to manage it, or who can explain it, or when it was last updated or when it needs an update,” Korpi said.
That’s not so easily explained with older and legacy equipment, which has been around as long as 50 years in some cases. That older equipment, which had been siloed off until recently, is now vulnerable as systems become accessible through the internet.
“They become low-hanging fruit for attackers. It’s not the newest things. It’s always the things you’ve forgotten about,” Leah said.
Supply chain management and cybersecurity responsibilities
The supply chain has gone through major challenges due to the COVID-19 pandemic. Cybersecurity issues have exacerbated the problem because of attacks against operational technology (OT) systems. This was not an issue they had to deal with even 10 years ago, but now it’s at the forefront and this has brought up questions about who has responsibility and when with information technology (IT) teams.
“We need to have that middle ground where there’s an understanding,” Korpi said.
And the sooner, the better, because companies are becoming more aware. Because of that, cybersecurity awareness and responsibility as it relates to the supply chain is becoming a make-or-break issue when it comes to future relationships.
Jeremy said, “For this industry, especially if you’re dealing with robotics, we’ve seen so many companies who can’t get a contract because we can’t give them the information they want. The ones further along in maturity levels are the ones moving forward.”
“Cybersecurity is no longer an afterthought to your customers,” Leah said. “They’re very aware of the potential, especially after attacks like Colonial Pipeline. It’s something that is on their minds. They’re going to be on the lookout. If you can’t answer their questions, they’re going to struggle with wanting to continue the relationship.”
Supporting the people driving the IT/OT convergence initiatives is key. Both sides, Jeremy said, need to listen to one another. IT people don’t necessarily have issues about safety because it wasn’t an issue for them. The same applies to OT people who know safety, but not security. The two sides should leverage their knowledge base to finding an understanding.
“If you get someone who is invested with the product and the company’s message, that’s the best situation for you. The conversation becomes very important,” Jeremy said. “That’s what’s going to drive companies forward in their initiatives.”
Chris Vavra, web content manager, Control Engineering, CFE Media and Technology, firstname.lastname@example.org.