As the fourth industrial revolution — or Industry 4.0 — continues apace, factories and supply chains are becoming more connected than ever. This can be great for companies, delivering increased value and efficiency, but more connections also mean more cyber risks. Every device, sensor, piece of equipment and connected product can be both an asset and a vulnerability. Despite their benefits, smart factory environments can expose people, technology, physical processes and intellectual property. This raises the question of whether the manufacturing industry has adequate cybersecurity programs in place to prepare for the expanded risks of smart factories.
The risks of smart factories
The increased connectivity of smart factories can be great for business continuity, but there are some downsides, said Moty Kanias, VP of cyber strategy and alliances with NanoLock. Kanias recounted a story about a conference he recently attended with “huge, monster machinery” that had stickers on it advertising that it was ready for Industry 4.0. When he asked what that meant, he got an unsurprising answer.
“They said that everything inside their system communicates to every different part and that they’re ready for the new era,” Kanias said. “Then, I started asking them questions about cybersecurity, and I got exactly what I think everyone knows. Nobody knows what cybersecurity in the future will look like, and 4.0 is kind of a slogan of saying, ‘Well, we want the world to be connected because we understand how good it will do to the world.’ But the question of cybersecurity in 4.0 is unsolved, and we have a long way into finding the specific technology that is needed to find a good solution.”
Industries don’t just start up from zero and buy brand new machinery every day for their whole production line. There is a mix of old and new products, and they should all connect and work together. The problem is that there is always a weakest link in a network, and that will be the factor that tells you how strong you are.
In the past, the way the Cybersecurity and Infrastructure Security Agency (CISA) advised organizations to deal with cyberattacks in the industrial zone was to just disconnect from the internet or make sure that only authorized personnel can touch your computers.
“[Industry] 4.0 is kind of the nightmare of where we were,” Kanias said. “It means that everything is connected. It means that everyone could directly get into any piece of data that he wants and could probably see all the configuration and how to change them according to what he or she would want to do.”
The era of big data creates many cybersecurity challenges. Big data makes programs more complicated, and more complicated programs mean more vulnerabilities. According to Kanias, that’s a big reason we’re seeing more and more vulnerabilities being posted every day.
Who is at risk?
Kanias said that no one would argue that smart factories are bad for business. There are just too many benefits. But cybersecurity must be moved to the forefront. The worst risk is outdated legacy machinery that doesn’t have any cybersecurity protections in place. There are also some industries that are more vulnerable to cyberattacks, such as critical infrastructure. This includes areas like oil and gas, water/wastewater, food manufacturers, transportation, banking systems and nuclear facilities.
“4.0, in some ways, will connect all of them together,” Kanias said. “Therefore, it’s hard to know exactly which will be the weakest link. Connectivity means that everything is connected, and it will be much harder to build systems that are not interfering with the connectivity and the upsides of it.”
What are hackers generally after? That one is simple, according to Kanias: money.
“When factories’ main goal is to make money for themselves and to continue to produce what it is that they’re producing, it means that it’s money toward money,” Kanias said. “If an adversary manages to attack a bakery and stop their process from working, [it would] be a good way of getting money from the company.”
How smart factories can protect themselves
According to Kanias, the best thing companies can do is to first educate their workers to get them more aware of what cybersecurity is and what cyber actors are trying to exploit. Once that awareness increases, it’s much easier to protect corporate resources. It’s also important to invest in cybersecurity and bring in smarter, zero-trust solutions.
“It means finding the right products that will make sure that only authorized people can make critical changes to sensitive computers,” Kanias said. “It’s the only way of preventing bad things from happening.”
Relying only on air-gapping, or having no connectivity to the internet, is no longer a viable plan. Organizations also can’t just leap into Industry 4.0 and connect everything without considering cybersecurity. There needs to be a plan in place and dedicated resources toward securing systems.
“We need more hands in the cybersecurity area,” Kanias said. “We need more programmers. We need more specialists in order to build a strong protection plan for industries with connectivity that is just expanding every day.”
Check out Part 1 of our interview with NanoLock’s Moty Kanias, where he talked about the threat of insider attacks.