Before 2017 it was often difficult to engage manufacturing enterprises in Board-level discussion about cybersecurity. C-Suite executives in this sector tended to assume that cyber threats were aimed at financial services or at companies whose data could be monetized by criminals through cyber-enabled fraud. Then came the major ransomware attacks of 2017—WannaCry and NotPetya—and household-name manufacturers like Reckitt Benckiser in Europe and Mondelez in the U.S. suffered catastrophic business interruption.
For the first time, major manufacturing companies attributed losses to cyberattacks. The U.S. pharmaceutical company Merck pointed to “disruption of its worldwide operations, including manufacturing, research and sales operations” in its SEC filings. The company cited a $260 million loss in sales for 2017 and expected further losses of $200 million in 2018.
2017 was a wake-up call for manufacturing because it demonstrated two things. First, even if a company is not specifically targeted by cyber criminals it may well be caught by attacks on others, as cyber ‘collateral damage.’ No one thinks that manufacturers were targeted by either WannaCry or NotPetya, but that was no consolation to those unable to do business when this malware spread indiscriminately.
Second, it became clear that both these global ransomware attacks were state-sponsored: WannaCry by North Korea, and NotPetya by Russia, as part of its political campaign against Ukraine. NotPetya, although it presented as ransomware, was in practice a wiper: paying the ransom offered no route to recovering data. The increasingly aggressive and irresponsible behavior of nation states online posed a new threat to new sectors. Hostile states might well have reason to disrupt energy, utilities or manufacturing as part of a political campaign against the West. The old assumption that cyberattacks were only about making money, and therefore less of a threat to manufacturing, was shown to be mistaken.
Faced with this new reality, manufacturing businesses have some particular challenges which make a systematic approach to cybersecurity difficult.
The sector’s dependence on operational technology and its OT vendors amplifies cyber risks and makes them harder to assess. Individual products and services integrated into manufacturing processes may have poor security and, more critically, security standards across industrial control and SCADA systems vary widely. The pressure to automate and digitize is particularly strong in manufacturing, and the use of IoT devices, particularly sensors providing telemetry data, is escalating. These devices are generally manufactured and procured on cost rather than security and can provide soft new vectors of attack for cyber criminals.
Manufacturers also find mapping their own attack surface particularly difficult. They are often geographically dispersed, with physical manufacturing plants in many countries and on several continents. Those plants may operate legacy systems, and the cost and disruption involved in updating them may seem prohibitive. Many companies will have grown by acquisition, without any certainty about the cyber hygiene of the businesses absorbed into their network. In short, those responsible for cybersecurity in manufacturing companies have a particularly tough job understanding the perimeter of their network and the nature of their attack surface.
Even if CISOs are confident about their own company’s security, understanding their supply chain and its vulnerabilities is an even greater challenge in manufacturing than in other industries, where greater central IT security control is exercised. The sheer complexity of manufacturing processes and networks, together with the importance of remote access for a wide variety of vendors, is a toxic combination.
Finally, since good cybersecurity is as much about corporate behavior and company culture as it is about technology, manufacturing again has some particular challenges. The engineer’s instinct—to keep things running and not to tamper with something that is working—does not hold good for IT security, where running a process on unpatched or outdated operating systems and software opens up huge risks. Both 2017 outbreaks spread through a Windows SMB vulnerability for which Microsoft had published a patch (MS17-010) two months before WannaCry struck. Manufacturers have tended to be very strong in promoting a health and safety culture, but have struggled to instill the same awareness and urgency in cybersecurity. For example, awareness of spear phishing attacks in manufacturing companies tends to lag far behind some other sectors. Staff on the factory floor can see the consequences of poor H&S practice, but cybersecurity tends to be seen as a corporate or head office problem: it is not recognized as a potential cause of downtime and business interruption.
As far as solutions are concerned, even the largest manufacturers will not spend the hundreds of millions of dollars that the largest financial services firms devote to cybersecurity. But a risk management approach to cybersecurity in manufacturing does not require that level of resource. For many, a managed security service, drawing on the best products available for monitoring and defending networks, will be the cost-effective solution. But this needs to be placed within a wider risk management framework which addresses the policies and cultural change necessary to raise cybersecurity standards to an acceptable level.
It will be some years before government regulation incentivizes the ‘secure by design’ approach to operational technology which is the best long-term mitigation for many of the cyber threats facing manufacturing businesses. In the meantime, if companies are to escape a rising tempo of business interruption from cyberattacks, they will need to accept that they are now in the frame, and take a forensic look at the vulnerabilities in their own companies, their operational technology, and their supply chain.
Robert Hannigan is European Executive Chairman of BlueVoyant and former Director of GCHQ, the UK’s largest intelligence and cybersecurity agency.