The Dangers of Cyberrisk in Industrial Environments

Cyberrisk is a clear and present danger to companies of all stripes, including manufacturers and industrial organizations. The business impact is real and companies need to understand that when they find themselves in the crosshairs of cybercriminals, the dangers and damages can extend far beyond financial loss and easily add up to a litany of issues including (but not limited to):

• theft of intellectual property
• loss in productivity
• harm to reputation
• destruction of data
• theft of personal employee data
• disruption to business continuity
• damage to physical facilities
• liability or fines for noncompliance with data-privacy regulations
• possible legal action by customers and employees whose personal information has been breached or employees suing for lost wages if the company cannot pay due to the breach
• costs of remediating the damage itself
• relationship damage and lost confidence within original equipment manufacturer (OEM) and supplier relationships

Companies are under pressure to become more efficient, increase quality, reduce expenses and drive productivity. It is only natural to add technology to the mix. With more automation coming onto the scene and the Internet of Things (IoT) innovations becoming commonplace, more technology is being built into the very fabric of an organization’s day-to-day internal and field operations, as well as the very products they are producing. While this has enabled manufacturers to operate at performance and revenue levels never achieved before, it has also increased the number of technology touch points within an organization, which significantly increases their susceptibility to cyberattacks, a risk that has historically been difficult for business leaders to quantify. With the proliferation of cyberattacks across all industries, executives are being challenged to view cybersecurity differently. Cyberrisk is business risk, not just technical risk, and nowhere is this truer than for manufacturing and industrial companies. Hackers (in particular, nation-states) like manufacturing and industrial companies because they have trade secrets, business plans and valuable intellectual property at their fingertips. Furthermore, manufacturing and industrial companies have historically made fewer technology and security investments, and are generally less experienced and equipped to manage and secure internet-facing or internet-enabled technologies. The result is expanded access into the network by threat actors and increased business risk due to the critical nature of the production line, the proliferation of IoT, the prevalence of legacy technology and “technical debt” and reliance on vendors and supply chain partnerships. Business Disruption. The key to any manufacturing business is to keep the production line running. Automation is the key to any production system and that technology is at risk to security breaches just like any other. Malicious actors, or even insider threats, can bring down a business’s ability to generate revenue, produce product and operate efficiently. Isolation of these computerized systems from the internet is one layer of control. However, cybersecurity issues can disrupt a business in many ways including availability, efficiencies and noncompliance to required standards. IoT. As more and more devices are connected through networking and internet protocol (IP) addressing, they are increasingly open to attack. A recent attack called the Mirai Botnet involved thousands of in-home and commercial cameras and IP-enabled devices to send terabytes of traffic at a single target, causing it to fail. These devices are a part of any industrial and manufacturing system that could easily be compromised. The control is visibility and a simple password change. Most of these devices had default passwords that have not been changed. This will continue unless companies understand and secure our increasingly connected world. Legacy Technology and Technical Debt. Industrial systems and manufacturing equipment are investments that need to provide a payoff. The longer assets run and produce, the better the return on the investment. However, the older those systems are, the more vulnerable they become to security risks. Older systems are at risk of getting hacked due to insecure software, unpatched vulnerabilities, misconfigured operating systems and needed upgrades. The costs of technical debt can cripple a company over time, and it is much less expensive to continually update and upgrade systems rather than trying to play catch up years down the road when a piece of technology is no longer supported and must be replaced. Vendors and Supply Chain Risk. A company’s technology systems are interconnected and rely on other systems, such as the internet, email, file storage, cloud applications, etc. This interconnectivity increases the risk that those third-party connections will cause a breach of some type. In order to control this risk, assess the risks that vendors, suppliers and contractors introduce to the company. This could cripple production and bring down the company. Vendors and supplier cybersecurity postures need to be formally assessed at least annually. Before selecting them for partnerships, ensure that they are not adversely impacting security.

Additional Avenues of Attack

Furthermore, manufacturing and industrial companies are impacted by at least three additional broad categories under which most cyberattacks and threats occur: Espionage and IP Theft. In a globally competitive environment, some unscrupulous companies would rather steal what they need instead of investing the time, money, expertise, research and the other thousand layers of processes and resources needed to build something better. Hackers see the possession of business plans, trade secrets and intellectual property as an extremely lucrative venture for resale, especially to nation-states. Ransomware for Revenue. Ransomware is an example of cyberextortion. Ransomware attacks are usually undertaken by a Trojan that is designed to look like a file that a user downloads or opens in an email attachment. Even more devastating are worms such as the recent WannaCry attack that traveled automatically and unrestrained between computers and users. Ransomware is usually designed to encrypt data and prevent a company’s access to the data until an anonymous payment is made to the hacker. Many times, even after payment, the encryption keys are not provided, and access to the data is not granted. Those who engage in ransomware are almost always seeking money. Pure Destruction and Harm. For some, the purpose of hacking is not finances, but rather causing damage for political or emotional purposes. Stuxnet was discovered to be the world’s first “cybermissile” with the ability to control industrial processes that damaged a nuclear centrifuge fuel-refining plant in Iran. More recently, a confirmed case of a cyberattack against a manufacturer caused physical damage when hackers struck a steel mill in Germany. They were able to gain access to the network and disrupt control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive” damage.

Executives Have More Control Than They Think

In the face of these threats, many business leaders think they are powerless—but the truth is, they are wrong. In fact, many of the root causes of breaches are within the C-Suite’s control. According to the authoritative IBM-sponsored 2017 Ponemon Institute’s “Cost of Breach Report”:

• 28 percent of all breaches involved system glitches, including both IT and business process failures that are preventable.
• 25 percent were human factor errors by negligent employees or contractors, which are also largely preventable.
• The other 47 percent involved a malicious or criminal attack, which tend to drive most of the hype in the press.

A strong case can be made for a top-down cyberhygiene program, which, if executed correctly by executives, can reduce up to 70 percent of cyberrisk. The following areas provide executives a great starting point. 1. Prioritize business risk as it relates to cybersecurity. Business considerations such as brand protection, business disruption, legal liability, IP protection, and compliance and governance are all important, but must be prioritized. The challenge for executives is each line of business or department prioritizes risk differently: i.e., marketing leans toward brand protection, operations is partial to business disruption, while general counsel manages the legal liability. It is imperative that the executive work with all members of the leadership team to prioritize business risk for the entire organization, not just individual departments. Doing so ensures consistency and aligns cybersecurity risks with the company’s true business risks. 2. Create a culture of security. Because the human factor has such a large impact on a cyberrisk, a culture where everyone is responsible for information security, at whatever level, is critical to reducing the risk of a cyberbreach. Building and enforcing a corporate culture of security takes time and effort. Therefore, it requires executive buy-in and support to ensure those tasked with managing cyberrisk are successful. 3. Implement a cybersecurity leadership committee. Successful cybersecurity programs are governed by cybersecurity leadership committees, comprised of members of the executive team with representation from IT. All too often, organizations place cyberrisk programs exclusively in the hands of the IT department with minimal participation from senior leadership. Effective committees are comprised of senior-level, cross-departmental members managing security risks from the perspective of people, process and technology. 4. Create a framework-based cyberrisk program. With the cybersecurity leadership committee in place, the committee collectively determines the appropriate cybersecurity framework for the organization. Regulatory bodies like the International Organization for Standardization (ISO) have created their own cybersecurity frameworks, while organizations like Underwriter Laboratories (UL) are adopting existing frameworks (e.g., National Institute of Standards and Technology (NIST). Organizations can save significant time and money by leveraging best practices already defined in such frameworks. Remember, cybersecurity is not a one-time project. Security maturity is achieved through effective, ongoing and evolving program management.

Cyberrisk is Business Risk

Cyberrisks are evolving as fast as technologies evolve, and as such, companies need to take a different approach to cybersecurity. Those at the top of the corporate ladder should take a more active role in combating cybersecurity as a risk to business survival. This type of leadership is the only way a healthy, holistic and effective strategy can be created. References Eide Bailly, The Fundamental Five Ways to Reduce Cyber Risk by 70 Percent, https://www.eidebailly.com/insights/articles/2018/6/five-ways-to-reduce-cyber-risk-by-70-percent