According to Cyber Risk in Advanced Manufacturing, from Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI), as many as 39% of manufacturing companies experienced a breach in the last 12 months, whereas 38% had losses up to $1-10m. The majority of cyberattacks have always been geared towards Information Technology (IT), but with the rise of IIOT, 31% of security professionals said their organisations have already experienced cyberattacks on operational infrastructure.
The Industrial Internet of Things is enhancing asset management workflow in asset-intensive industries. Cyber-attacks can have significant reputational, operational and financial implications. This article emphasises the need to train operational employees on cyber awareness to avoid operational disruption.
A recent cyber-attack occurred on a workstation running a Schneider Electric Triconex safety shutdown system. The hackers used advanced malware to take remote control of the workstation and attempted to reprogram controllers used to identify safety issues. The attackers were likely investigating how they could alter safety systems so that they would cease functioning during a planned attack to disrupt or damage the plant. With these attacks leading to the damage and destruction of critical systems, the significance of cybersecurity becomes more apparent.
The Industrial Internet of Things (IIOT) has allowed us to connect devices never before connected to the internet and improve our work processes. Manufacturers can monitor machine temperatures and automate processes with the touch of a button, but with these new advantages come new security complications. These newly connected devices include many different types of devices, each type susceptible to different kinds of attacks. Manufacturing ranks second among the top 5 industries affected by cyberattacks; the need for cybersecurity in operational technology (OT) is more prominent than ever.
The IIOT certainly makes the workplace more efficient, but cyberattacks can reduce that efficiency by causing financial loss, potential fines and lawsuits, and reputational damage.
Prioritise Human Intelligence and Involvement
Industrial Control Systems (ICS) are largely human-operated and have become more chaotic with the introduction of cyberspace. Most cyberattacks on operational technology stem from internet activity by shop-floor and operational employees that unintentionally aids attackers. Human miscalculation is accountable for about 84% of all cybersecurity attacks.
These attacks are becoming more widespread and sophisticated, threatening the general working order of ICS and resulting in massive physical damage. The most common cyberattacks, such as spear-phishing, social engineering, attacks on ICS clients, exposed servers, forged Internet Protocol addresses, etc., mostly exploit human/user miscalculations. More and more hackers are relying on uninformed employees to facilitate infiltration of target systems.
A recent example of an ICS cybersecurity attack occurred in a German steel mill. This assault resulted in massive physical damage to the industrial infrastructure. The attack began when the hackers gained control of the office software network of the industrial facility. Through the control of this network, the attackers were able to infiltrate the production management software of the steel mill.
At this point, the hackers took over most of the plant’s control systems and systematically destroyed human-machine interaction components. They were able to intercept security settings on a blast furnace, causing severe damage to the industrial infrastructure. This type of damage was unprecedented, but has now become a reality in modern-day manufacturing industries.
Cyber Aware Workforce Reduces Cyber Risks, Significantly
The demographic dynamic of manufacturing industries, as well as the nature of the industry, makes most employees more protective of physical assets than of virtual cyber assets.
Training operational employees on cyber risks and how to avoid them remains a core gap in most manufacturing industries. To bridge the gap, ongoing security training in large manufacturing organisations has increased from 58% in 2013 up to this year’s figure of 72%.
A study of 500 executives showed that “Companies that train their employees about cybersecurity best practices spend 76% less on security incidents than their non-training counterparts.” Yet, about 50% of organisations perform vulnerability testing for ICS less than once a month. Data security awareness and training should be part of the initial hiring and training process. These programs should be implemented periodically and continuously updated to tackle the persistently evolving cybersecurity threats.
Nonetheless, several organisations report that providing cybersecurity training and awareness programs for their staff is not their main concern. This type of inattention towards cyber risks is one of the root causes of the rising security breaches in the past several years. The implementation of cutting-edge technologies and increasing investment in intellectual property in the manufacturing industry will continue to grow alongside associated cyber risks.
Malicious hackers pose more severe threats as IIOT grows and unaware employees remain easy targets that they can exploit. Cybersecurity training will prepare employees for IT security issues and inform them of precautions to take if any security breach does take place.
The time and energy it takes to train and assess employees is exponentially outweighed by the massive costs of physical damage and financial repercussions generated by potential cyberattacks. Employee awareness and education are fundamental to preventing attacks and ensuring a successful and secure manufacturing industry.
Written by Prasanna Kulkarni, Founder and Product Architect of Comparesoft