Today’s manufacturers are already reaping the benefits of Industry 4.0, but can they withstand its potential instabilities? As opportunities for the IoT increase, so do the risks. Interestingly enough, 81 percent of manufacturers surveyed for The MPI Internet of Things Study feel confident or very confident in their current cyber risk management program. Although thoughtful cyber management should be proud of their security systems, there is always room for improvement.
Manufacturers with IoT-connected products and services report increased productivity and profitability. Half of manufacturers surveyed already manage their plant production equipment and processes via the IoT and 88 percent of manufacturers plan to increase use of the IoT in the next two years. Industrial IoT systems will only become more elaborate in the next few years, meaning that cybersecurity efforts should also intensify. And, fittingly, cybersecurity is now fully on manufacturers radars: 96 percent of the largest publicly-owned U.S. manufacturers cited potential cybersecurity breaches in their 10-K filings, according to BDO’s 2017 Manufacturing RiskFactor Report.
Alarmism aside, manufacturers should be particularly mindful of these three security components:
Enhancing Existing Systems
While the majority of survey respondents maintain confidence in their cyber risk management programs, 19 percent are unsure if their current program can address security concerns in the IoT. Despite this gap, manufacturers’ overwhelming level of confidence is surprising, and potentially problematic, given the increasing rate of IoT-enabled cyberattacks. In 2016, the Department of Homeland Security's Industrial Control Systems Cybersecurity Emergency Response Team reported 63 security incidents involving critical manufacturers.
For manufacturers with cyber security programs already in place, hackers and malicious software are still a force to be reckoned with. Forty percent of manufacturers surveyed cite adapting existing technologies as one of the biggest challenges to implementing the IoT. But relying on legacy infrastructure, which can include outdated PCs and equipment, can inadvertently expose manufacturers to risk. Legacy systems are inherently tough to secure against modern cyberthreats, and it can be difficult to connect and service disparate systems. IBM and Ponemon estimate the average cost of a data breach at $4 million, so proactive investment in systems and security can pay off later if it means faster, stronger threat detection and response.
Indirect Access Points
Manufacturers have particularly exposed cyber vulnerabilities along their supply chains, which are often scattered throughout the globe. While most manufacturers monitor third-party cyber risk, more than a quarter (27 percent) do not have or are not sure if they have a security policy in place for their supply chain partners and other vendors.
Third-party risk also increases with the IoT, as evidenced with the Mirai botnet, a strain of malware that infects internet-connected devices for hackers to commandeer and create an IoT “army.” The botnet’s primary target was Dyn, a cloud-based Internet Performance Management company that controls a substantial portion of the Internet’s domain name system infrastructure. But when Dyn’s servers went down, it wasn’t the only victim — the websites of its 3,500-plus enterprise customers also went down.
Manufacturers’ corporate networks are already exposed to security issues when employees bring their personal devices into the workplace or use them to remotely check work email. Training programs for employees are a first step towards securing companies’ system. Teaching employees how to detect suspicious e-mails and practice cyber hygiene can create a stronger network and increase awareness of threats.
Building in Defense Early
So, when in the product lifecycle should manufacturers begin to prioritize cybersecurity? The earlier the better, in our view — and the good news is that nearly half (47 percent) of manufacturers surveyed begin looking at potential security issues during the product conceptualization and design stage. The Department of Homeland Security agrees: In November 2016, the agency ranked “Incorporate security in their design phase” as the first cybersecurity principle for the IoT.
Less ideal, 21 percent of manufacturers start thinking about cybersecurity during the production stage, while 18 percent wait until the quality control phase. Another nine percent either don’t consider cyber risk until they market their product, when it’s often too late to implement defensive systems, or don’t consider cybersecurity at all.
With careful consideration of cyber risk throughout each stage of research, development, production and distribution, manufacturers can build robust defense networks against impending cyber threats. Despite security risks, manufacturers investing in the IoT can look forward to plenty of exciting development opportunities. For those who don’t yet have an IoT strategy in place, now is the time to proactively prepare for manufacturing’s digital renaissance.
Rick Schreiber & Mike Dombrowski are both with BDO.