October 29, 2019
By: Taeil Goh, Chief Technology Officer at OPSWAT
The manufacturing industry has been at risk of cyberattack since long before the proliferation of Industrial Internet of Things (IIoT), sensors, robots, industrial control systems and other connected devices increased the attack surface exponentially. From nation-state threat actors seeking to obtain intellectual property to hacktivists attempting to disrupt mission-critical services for ransom, there’s no shortage of motivations or sophisticated attack techniques at an adversary’s disposal.
As 2020 approaches, the traditional networks and devices that power manufacturing plants 24/7/365 and connect them to the outside world remain vulnerable to cyberattack. Yet the industry is increasingly concerned with how more contemporary supply chain threats, and the many risks inherent to remote work and bring-your-own-device (BYOD) policies, can and will disrupt the operations and economics of manufacturing.
Such concerns aren’t without merit: borderless supply chains lack unified cybersecurity rules and regulations for vendors to comply with, and budget constraints favor partnerships with the “cheaper option” over those with greater security safeguards that might cost a little bit more. In fact, in a study on supply chain risk, 71% of the organizations surveyed believe they do not hold external suppliers to the same security standards as their own.
Attempts to reduce cyber risk stall
More than half of manufacturing companies have fallen victim to a cyberattack in the past year despite all of the time, money and effort invested in risk mitigation, threat detection and response. From employee awareness training and technology adoption to the mandate given to many DevSecOps teams to build cybersecurity directly into new equipment – there’s been no shortage of attention paid to cyber risk.
In addition, a report from Deloitte recently revealed that 87% of manufacturing companies have a cyber incident plan, but astonishingly only 37% have it in a documented and tested state. While this is disturbing, it’s not at all surprising considering that no regulations exist that mandate incident response testing with any regularity.
Interestingly, that same report also revealed that most cyber threats experienced by manufacturers were actually coming from internal employees through “phishing, direct abuse of IT systems, errors and omissions and use of mobile devices.” From this information we can infer two key takeaways: 1) employee training beyond the IT and security teams has not been sufficient and 2) the vast majority of cyber incidents were likely preventable.
Training the entire manufacturing team in cybersecurity is a ‘must have’
In the next decade, the burden will truly be on manufacturers to take various steps to make all employees, regardless of role or responsibility, understand that any interaction with technology can play a role in a cyberattack. This type of educational focus will represent a change to both culture and strategy – which is never easy to deploy despite its necessity. And manufacturing leaders must do so without the overuse of scare tactics but with the goal of showcasing in a digestible manner to all employees how cyberattacks operate and how to handle them upon suspicion or confirmation.
Consider taking some of the following steps:
- Prioritize practical, hands-on cybersecurity workforce training that is specific to understanding the protection needs of a critical infrastructure sector rather than just relying on theories and concepts that are difficult to visualize.
- Set up the right incentives, performance management, training, processes, procedures and other systems to ingrain the mindset and cultural changes needed.
- Train OT professionals in technologies and processes that are valuable to making manufacturing stronger and more resilient, but don’t neglect the processes needed to also protect the IT systems that have grown invaluable as well.
- Lead by example – have all managers and leaders take in-depth critical infrastructure cybersecurity training courses to become knowledgeable in cybersecurity for manufacturing and to understand how to communicate that information to everyone involved.
Protecting the manufacturing sector against cyberattacks is a two-part problem. The industry must put in place better protections, more advanced security protocols and better incident response plans, but that starts with better cybersecurity knowledge across the entire workforce. Ultimately, we need to change the way everyone in the ecosystem thinks about cybersecurity. The success of the manufacturing sector relies on the steps taken by the workforce to mitigate risks – and that starts with the knowledge and understanding of the nuances that make up this sector’s cyber risk.
In the decade ahead, manufacturers cannot afford to not train each and every employee in cybersecurity – the risks are simply too great to ignore.
About the Author
Taeil Goh is CTO at OPSWAT and has over 12 years of Software Engineering experience primarily in cybersecurity, delivering enterprise products to high-security industries such as government, military, critical infrastructure, and finance. His main focus is on leading the engineering team, but he also takes on other roles including CISO, cloud architect, UX design, and DevOps. His current cybersecurity focus is on content disarm and reconstruction (CDR), DLP, dynamic analysis, static analysis, security analytics, email security, web security, and APT detection. Taeil Goh is a regular speaker at cybersecurity events and contributor to OPSWAT blogs. Taeil earned his bachelor’s degree in Computer Science from San Francisco State University. Outside of work, he loves playing tennis and he has been a student pilot for the last 4 years hoping to finish that this year.