Mark Camillo, AIG
Cyber attacks threaten manufacturing companies’ production capabilities, supply lines and design processes.
When we consider the industry sectors most vulnerable to cyber attacks, manufacturing is rarely top of mind – but that does not mean it is not under threat.
A recent cyber security survey by EEF, the manufacturers’ organisation, revealed 48% of manufacturers reported having been subject to a cyber attack and half of those businesses suffered some form of financial loss or other business disruption as a result. Separately, NTT Security’s 2018 Global Threat Intelligence Centre report identified manufacturing as the fourth-most targeted industry, behind only finance, technology and business and professional services.
However, there is a critical difference between many of the high-profile attacks that make the news and manufacturing. In other industrial sectors, the critical cyber risk is to customer data only, but for manufacturing companies cyber threats point directly at the heart of their ability to maintain operations. Because of their highly automated and integrated systems, incidents involving manufacturing firms can have a devastating effect on production capabilities, supply lines and design processes.
Manufacturers face a number of key issues. The first is they operate highly interconnected supply chains, linking vendors, contractors and customers. This not only introduces more entry points for a cyber attack but also the risk of importing and exporting malware from and to vital business partners. The second is most manufacturers are in operation 24/7 with different platforms and systems of varying vintage and complexity.
Since phasing out old technology and making sure all patches are up to date is not a simple matter, not least because it might slow down production, criminals know many manufacturing companies are operating with systems and software that have any number of known and readily exploitable vulnerabilities.
Most successful attacks on the manufacturing community to date have been aimed at exploiting businesses whose cyber security credentials are poor. Such attacks are commonly motivated by financial gain and often take the form of “phishing” exercises that exploit human vulnerabilities to gain system access or “ransomware” attacks that target insufficiently protected IT systems, encrypting data until a payment is made.
Mitigating against cyber risk starts with getting the basics right. Manufacturers need to accept there is a very high chance their business will be targeted at some point. Size is not an issue; hackers do not just target multinational giants. They are quite happy to go after a few thousand pounds from small to medium-sized enterprises (SMEs), although the ultimate cost may be much higher in terms of business interruption and reputational damage. Indeed, SMEs are often softer targets.
It is vital to make sure everyone in the organisation understands the issue. From the shop floor up, all staff need to be aware of the threats they face and what to do and – importantly – what not to do. People perennially remain a company’s weakest link when it comes to cyber security. Whether it is leaving a laptop on the train, clicking on an infected attachment in an email or inadvertently (or otherwise) letting someone use their credentials to gain access to the company network, human error is a primary cause of cyber breaches. Companies need to create a positive cyber security culture in the same way they would treat health and safety.
Indeed, the vast majority of cyber attacks are simple in nature, untargeted and unsophisticated. They are designed to prey on systems without even the most rudimentary protection measures; the digital equivalent of a thief trying your front door to see if it is unlocked. So, at a minimum, manufacturers need to have a firewall in place, run anti-virus software and choose the most secure settings for their devices and software.
While the risk of a cyber attack can never be completely eliminated, government-backed schemes such as Cyber Essentials and the standards framework for information security management, ISO 27001, both provide compliant businesses with a much greater degree of confidence in their cyber security architecture.
Finally, when it comes to dealing with third parties that handle their data, manufacturers need to proceed with caution as they could be an open back door into the business. This means checking both that providers have the right defensive measures in place and the wording of contracts so compensation can be claimed in the event something does go wrong.
The good news is manufacturers are increasingly adopting good practice in line with these frameworks, with more than 50% of respondents to the AIG/EEF executive survey released in January having already put in place some form of proactive measure. However, a worrying 14.5% of manufacturers have not taken any action so far, potentially leaving them exposed.
Cyber risk is becoming an enterprise-wide issue for manufacturers. Across the industry the shift from technology being a “business enabler” to a “business driver” is inexorable. Production lines will become increasingly automated and dependent on robotics and artificial intelligence, as big data drives production planning and process optimisation.
For many companies, their potential vulnerability to a cyber attack is likely to increase as operational technology becomes fully integrated. Insurance products provide a layer of protection to help restore and compensate businesses in the aftermath of an attack, but the primary focus should be on risk management and doing everything possible to minimise the threat of a breach in the first place.