Manufacturing is now one of the leading industries targeted by hackers. It is second only to healthcare. That’s a move in the wrong direction from its third place position last year.
The automotive space is the prime target in manufacturing. Nearly a third of manufacturing attacks in 2015 were to automotive companies. Chemical manufacturers were next.
As manufacturing becomes more broadly connected, the industry’s intellectual property, data, and products have come under fire by cybercriminals. Estimates indicate 21 percent of manufacturers have suffered a loss of intellectual property due to a cybersecurity attack.
Many manufacturers are behind the curve in terms of security, says a November Los Angeles Chapter of the National Tools and Machining Association blog.
That’s in part because manufacturers have not been held to compliance standards in the same way the financial services sector has with PCI DSS and the healthcare vertical has with HIPAA. As a result, the manufacturing space as a whole is considered to be more lax than other leading verticals.
“Manufacturing companies often don’t believe that they are targets because they do not hold vast amounts of consumer data,” wrote Linn Foster Freedman in an August blog for Robinson & Cole law firm. “Therefore, they do not concentrate on cybersecurity and remain vulnerable.”
But perhaps the manufacturing sector is not as naïve about the threat as some might suggest. Ninety-two percent of manufacturers cited cybersecurity concerns in their SEC disclosures last year. That’s a 44 percent increase from 2013.
Cyberattackers have leveraged machine vulnerabilities, such as Heartbleed. They have also gone after human vulnerabilities using social engineering techniques such as Spearphishing. But attacks related to the Internet of Things (IoT) are where the action is.
That’s because production environments are now connected to the internet. That has significantly expanded the attack surface of manufacturing.
In the past, manufacturers did air gapping to separate their industrial networks from their business networks and the internet. Air gapping is no longer a viable option as manufacturers embrace the benefits of the new business models enabled by the Industrial Internet of Things.
That’s a problem because the industrial controllers that operate in every industrial environment frequently lack basic security controls like authentication and strong encryption. That means many ICS attacks do not even need to exploit software vulnerabilities. They just need to access the controllers, and then they can alter configuration, logic, and state.
“Billions of connected devices are pervasive throughout manufactured products and on the shop floors where they are made,” the National Association of Manufacturers notes. “This technology is creating enormous opportunity and driving transformative change. It has made all manufacturers into technology companies.”
But, NAM adds, the “more that shop floors become imbued with intelligent machines, the more those machines will contain data worth stealing.”
Meanwhile, manufactured goods themselves increasingly have communications capabilities. Things like heating, ventilation, and air conditioning systems can use communications capabilities to interact with both their users and their makers. This is a positive development for manufacturers. It enables them to move from a model based on one-time sales to a recurring revenue model. But in in the process it expands the manufacturing industry’s threat surface.
So industry groups and government entities are working to figure out how to secure these connected devices and environments.
Manufacturers, especially smaller ones, lack the resources to establish cybersecurity measures that can withstand attacks from nation states. And nation-states pose the top cybersecurity threat to manufacturing, says the National Association of Manufacturers.
“It’s not a fair fight,” said John Carlin, assistant attorney general for national security, discussing the attacks from China in an interview with CBS last year. “A private company can’t compete against the resources of the second largest economy in the world.”
So NAM is calling for a public-private partnership to encourage investment beyond ordinary levels of commercial cybersecurity spending. NAM is also pushing for The National Science Foundation, the Defense Advanced Research Projects Agency, and the research arm of the Department of Homeland Security to prioritize funding for IoT security research.
Meanwhile, the Federal Communications Commission in January called for requiring cybersecurity accountability of IoT device manufacturers. And it published a white paper and notice of inquiry to get the conversation going.
The large and diverse number of IoT vendors need to keep their device prices low to remain competitive, the FCC noted. As a result, it said, they do not have a strong incentive to build security into their devices voluntarily. So the FCC is working to create that incentive.
Also in January, President Trump was expected to sign an executive order on cybersecurity. In fact, The Washington Post circulated a draft of the order. But, for unexplained reasons, the president opted not to sign the order as expected on Jan. 31. He did however hold a press conference that day talking about the importance of cybersecurity. So we’re likely to hear more about that soon.
Meanwhile, various cybersecurity efforts at the state level in the U.S., and other federal-level efforts elsewhere in the world, are taking shape.
At least 28 U.S. states last year considered or introduced cybersecurity legislation, according to The National Conference of State Legislatures. Australia has developed a national strategy through which government and the private sector are working together to address cybersecurity. Meanwhile, the European Union has approved cybersecurity rules that force businesses to strengthen their defenses.
Manufacturers with a stake in cybersecurity need to be aware of what may be coming. Those that aren’t already involved may want to start voicing their opinions now, before cybersecurity regulatory decisions are cemented.
At the same time, they should keep in mind that regulations typically lag technology by three to four years. So businesses need to go beyond simply complying with cybersecurity regulations if they wish to attain effective security. They need take steps to ensure their organizations are as secure as their risk assessments and mitigation plans suggest they need to be.
Tom Gilheany is a Product Manager with Learning@Cisco.