Over the last decade, U.S. manufacturers have been moving their control systems from being air gapped (isolated) to being connected to corporate networks. The industrial IoT framework significantly boosts agility, cost savings and convenience—but those benefits go hand-in-hand with a vastly increased vulnerability to cyber attacks, from outside and inside of operations.
Recent research shows that manufacturing is the most targeted industry for DDoS attacks, and in general, this area has seen a rise in cyber attacks. This is a worldwide problem; in the UK, nearly half of manufacturers have experienced a cyber attack. In 2014, a hacker attacked an unnamed steel mill in Germany using a phishing email to get into the corporate network. The attacker was able to access the plant’s network and caused multiple components to fail and control to be lost, which caused permanent damage to the smelter.
Most of these attacks are not made public, but they are happening. A Kaspersky Lab report showed that industrial control system (ICS) computers in manufacturing account for almost 33 percent of all attacks. But it’s much easier to fully penetrate manufacturing systems from the inside, making disgruntled employees an arguably bigger risk than foreign entities.
How Did We Get Here?
A perfect storm of talent pool shortages, engrained practices and resistance to parting with budget up front.
IT and cybersecurity are in a skills crisis across industries, but particularly so in manufacturing, due to its reliance on a completely different digital infrastructure from others—and there are few skilled workers who can interpret the data from these systems. As a result, manufacturers have used signal alerts, which often waste time on false positives or present a problem that staff can’t assess properly.
Because the manufacturing industry has been a physically-based entity from inception, security focused almost exclusively on protecting physical access to a site. The systems were “air gapped,” meaning the physical site ran on a separate network from other related entities, like the corporate network. That was safer, but the convenience and cost reduction that industrial IoT offered took precedence. Physical segregation was never really sufficient, and malware on a USB device was always a threat.
Finally, the upfront cost of putting in a new security system, training staff, and the like can be intimidating. Parting with a chunk of budget for “the devil you don’t know” can be a hard sell to decision makers, particularly with the sheer volume of vendors who overstate their capabilities. (Ultimately, an upfront spend is a fraction of what manufacturers would spend in damage control should they get hacked. Look at the security issue that hit Jeep Chrysler Dodge vehicles a few years ago. It cost $1 billion to remediate, and would have cost $10M to fix upfront.)
How Is This Changing?
As advances in technology like AI and automation become more accessible, service and software providers are looking at ways to apply them specifically to the manufacturing industry.
For example, Symantec recently unveiled an AI-based USB scanner. In partnership with ForeScout, Respond Software developed a new concept that automates the decision-making processes specifically for threat analysis in industrial control systems.
The biggest advancement that manufacturing has yet to leverage on a broad level is AI’s ability to judge. This capability adds a badly needed layer of logic that goes beyond alerts, and determines whether something is actually a threat in context. Why is that such a big deal? Manufacturing companies, desperate for skilled IT workers, employ mainstream IT professionals who can run tests but can’t analyze data from these vastly different computer systems. In a consumer context, a failed login due to an incorrect password is common; but in manufacturing, it’s extremely concerning.
If a worker sees a high-temperature alert on a piece of equipment, he or she still needs to determine if it’s a security incident, or a failing part. Competing providers tend to carve up the cybersecurity market: some scan for malware, some alert, some analyze. The good news is that AI can tie all of those factors together in an ICS network and do it for us.
Choose your technology carefully, as some still require manufacturers to send specialists to the physical environment to remediate the situation. If a company wanted to update software on a PLC or HMI, a USB stick likely has all the code, which requires an in-person installation--and that USB can still have malware. Symantec’s newest product addresses this specific threat vector, whereas Respond’s offers a broad reach for those who choose that route.
Why can’t we return to the pre-IoT days? Because these networks yield valuable data that helps improve the manufacturing process, which has led to more and more devices networking into this vulnerable surface.
What Does The Future Look Like?
The future of industrial security lies in our applications of the best of man and machine. Employing AI and automation doesn’t translate to replacement of humans, but rather enhancement of those whose work is a vital component to operations.
Humans have traits that AI won’t be able to replicate any time soon: curiosity, intrinsic motivation, creativity and a sense of cultural context, to name a few--all key to problem-solving. In turn, AI can learn rapidly, and retain and recall every iota of data on command. Nor does it need eight hours of sleep.
Additionally, human-to-human communication can’t be replicated. If a manufacturing facility experiences a cyber attack, humans will play a major role in coordinating responses, from technical to employee communications, in a way that technology alone cannot. In other words, there’s a large number of jobs that really need to stay with humans, and integrating new tech is about doing what humans don’t want to do. Is anyone really worried their Roomba will take away their vacuuming opportunities?
Technological developments make it possible to automate human judgement in the form of software, and that has endless potential. We can efficiently monitor environments when there is not enough staff to do so--and that’s further enabled by the software’s “expertise” specific to their industry.
The status of cybersecurity in manufacturing is a global economic issue, and eventually more hacks will become public, casting a shadow of doubt on businesses’ ability to deliver products dependably. Manufacturers, particularly, need a high level of quality control and on-time shipments to remain competitive. History has demonstrated that those who adopt new tech earlier are more successful than their competitors—so when thinking about the industry’s vital security in a connected world, it’s crucial to think about the long game.
Chris Triolo is VP of customer success at Respond Software.