By Tom Gilheany, Product Manager, Learning@Cisco
The manufacturing sector has the dubious distinction of being the second-largest target of cyber criminals; only healthcare surpasses it. Within manufacturing, the automotive space is now the prime target in manufacturing. Nearly a third of manufacturing attacks in 2015 were to automotive companies. Chemical manufacturers were next.
With the advent of the Industrial Internet of Things (IIoT), manufacturing’s intellectual property, data and products have come under fire by cybercriminals. Estimates indicate 21 percent of manufacturers have suffered a loss of intellectual property due to a cybersecurity attack.
A recent Los Angeles Chapter of the National Tools and Machining Association blog post states that many manufacturers are behind the curve in terms of security. That’s in part because manufacturers have not been subject to compliance standards in the same way the financial services sector has with PCI DSS and the healthcare vertical has with HIPAA. As a result, the manufacturing space as a whole is considered to be less secure than other leading verticals.
In a blog post for Robinson & Cole law firm, Linn Foster Freedman wrote, “Manufacturing companies often don’t believe that they are targets because they do not hold vast amounts of consumer data.Therefore, they do not concentrate on cybersecurity and remain vulnerable.” But perhaps the manufacturing sector is not as naïve about the threat as some might suggest. Ninety-two percent of manufacturers cited cybersecurity concerns in their SEC disclosures last year.
The Connected, Vulnerable Manufacturing Floor
Hackers have used Heartbleed and other machine vulnerabilities to launch their attacks. They have also gone after human vulnerabilities using social engineering techniques such as spearphishing. But attacks related to the Internet of Things (IoT) are where the action is.
That’s because production environments are now connected to the internet. That has significantly expanded the attack surface of manufacturing. In the past, manufacturers did air gapping to separate their industrial networks from their business networks and the internet. Air gapping is no longer a viable option as manufacturers embrace the benefits of the new business models enabled by the IIoT.
This has created an issue, since the controllers that operate in every industrial environment frequently lack basic security controls like authentication and strong encryption. That means many ICS attacks do not even need to exploit software vulnerabilities. They just need to access the controllers, and then they can alter configuration, logic and state.
The National Association of Manufacturers (NAM) notes, “Billions of connected devices are pervasive throughout manufactured products and on the shop floors where they are made. This technology is creating enormous opportunity and driving transformative change. It has made all manufacturers into technology companies.”
However, NAM goes on to say that the“more that shop floors become imbued with intelligent machines, the more those machines will contain data worth stealing.” Meanwhile, manufactured goods themselves increasingly have communications capabilities. Things like heating, ventilation and air conditioning systems can use communications capabilities to interact with both their users and their makers.
The good thing about this development is that it enables manufacturers to move from a model based on one-time sales to a recurring revenue model. But in the process, it expands the manufacturing industry’s threat surface. So, industry groups and government entities are working to figure out how to secure these connected devices and environments.
An Unfair Fight
It takes significant resources to establish cybersecurity measures that can withstand attacks from nation-states – resources that manufacturers, especially smaller ones, just don’t have. And nation-states pose the top cybersecurity threat to manufacturing, says NAM.
Discussing the attacks from China in an interview with CBS last year, John Carlin, assistant attorney general for national security, said, “It’s not a fair fight. A private company can’t compete against the resources of the second-largest economy in the world.”
To encourage investment beyond ordinary levels of commercial cybersecurity spending, NAM is calling for a public-private partnership. NAM is also pushing for The National Science Foundation, the Defense Advanced Research Projects Agency and the research arm of the Department of Homeland Security to prioritize funding for IoT security research.
Fighting on the Legislative Front
In January, the Federal Communications Commission called for requiring cybersecurity accountability of IoT device manufacturers. And it published a white paper and notice of inquiry to get the conversation going.
The FCC noted that the broad field of IoT vendors needs to keep their device prices low to remain competitive. As a result, it said, they do not have a strong incentive to build security into their devices voluntarily. So, the FCC is working to create that incentive.
There was an executive order on cybersecurity on President Trump’s desk, which he was expected to sign. In fact, The Washington Post circulated a draft of the order. But, for unexplained reasons, the president opted not to sign the order as expected on Jan. 31. He did, however, hold a press conference that day talking about the importance of cybersecurity. So, we’re likely to hear more about that soon.
In the meantime, there are other legislative efforts at the state level in the U.S., as well as other federal-level efforts elsewhere in the world. At least 28 U.S. states last year considered or introduced cybersecurity legislation, according to The National Conference of State Legislatures.
The European Union has approved cybersecurity rules that force businesses to strengthen their defenses. Meanwhile, Australia has developed a national strategy through which government and the private sector are working together to address cybersecurity.
A Holistic Cybersecurity Approach
Manufacturers need to be aware of what may be coming down the cybersecurity pike. Those that aren’t already involved may want to start voicing their opinions now, before cybersecurity regulatory decisions are cemented. However, it’s important to remember that, due to the slowness of the legislative process and the speed of technological innovation, regulations usually straggle behind technology by three to four years.
With that in mind, businesses must strive to go beyond mere compliance if the goal is a robust security posture. What’s needed today is awareness of and active participation in not just abiding by current laws or helping to fashion new ones but in forging a comprehensive cybersecurity strategy that ensures the people, processes and technology are in place to keep critical data safe.
About the author
Tom Gilheany is the product manager of security learning products within Cisco Services. His background is diverse; he’s worked in small startups and multinational Fortune 100 companies in product management and technical marketing positions. Prior to his transition to marketing, he spent more than a decade working in Information Technology and Operations. Tom holds a CISSP, an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.