Cybersecurity for Manufacturing

New Report

Cybersecurity has long been indispensable in finance, HR, government administration and other fields that depend heavily on data. Cybersecurity is now also pivotal to the most physical of economic sectors: manufacturing.

While the recent ransomware strikes, including the “WannaCry” virus, garnered tremendous publicity for their impacts on commercial and government websites, one of the biggest impacts was on a physical manufacturer: a Honda plant in Japan was forced to halt production. This wasn’t unusual. In June 2017, more than half of the organizations targeted by the Petya, or Expetr, cyberattack were industrial firms.

In recent years, the scope and diversity of cyber threats to manufacturers have grown — they now span from sophisticated Stuxnet-style attacks to the relatively frequent ransomware risks. Beyond malware attacks on industrial firms, cyberattacks on manufacturers can include efforts to corrupt data, steal intellectual property (IP), sabotage equipment, and disable networks. The motives and impacts vary widely — but all such cyberattacks cost time and money to firms and their customers. These growing cyberattacks pose increasing risks to economies and societies at large.

In March 2017, MForesight — in cooperation with the Computing Community Consortium — convened a unique multidisciplinary workshop focused on identifying emerging cyber-risks to manufacturers and practical solutions to the problem.

In some ways, cyber threats to manufacturing should be expected — after all, the sector is increasingly digitized and data-driven. But there’s a widespread failure to reckon with the risks. Participants in the March workshop — including representatives of major manufacturers, government agencies, cybersecurity firms, and leading computer science departments — were unanimous in the view that U.S. manufacturers do not recognize the growing dangers. Much of this unawareness is attributable to firms’ luck to date (there’s yet to be a major cyberattack on a U.S. manufacturer), but it’s extremely unlikely that this luck can be sustained. The number of threats is growing constantly and the complexities of multi-organizational dependencies and data-management in modern supply chains mean that at least some attacks are inevitable.

Cyber threats to manufacturing present a complex challenge. Participants in the March workshop, accordingly, called for more holistic thinking in industrial cybersecurity: improvements to technologies, management practices, and learning processes that span units and supply chains. Solving the emerging security challenges will require commitment to continuous improvement as well as investments in R&D, training, and awareness initiatives. While efforts should ideally be market-driven, there may also be future needs for expanded and refined regulations — akin to those that govern other aspects of industrial safety today.

There are no simple solutions. But there are opportunities to get started. The March workshop highlighted several, including the following:

· Manufacturers need trusted third-party partners, and there’s space for the creation of a new public-private partnership focused on manufacturing supply chain cybersecurity.

· Public and private partners can expand and coordinate manufacturing cybersecurity “boot camps” to boost awareness of best practices and train key manufacturing personnel to mitigate risks.

· There’s particular need for R&D investment in solving near-term security challenges and seizing opportunities, including: automated risk assessment tools, tools to audit the extent of attacks, robust parts and data validation.

· There’s also need for long-term research investments — for example, the creation of “security reference architectures” for manufacturing. This means working to define Information Technology and Operational Technology functions as well as consistent standards and integration requirements for diverse players and system “touchpoints.”

· Information-sharing matters. An Information Security Advisory Council (ISAC) or similar body could facilitate fault-free, anonymous sharing on incidents, threats, vulnerabilities, best practices, and solutions. Existing ISACs provide useful models.

Federal agencies can help: A range of institutions including the Manufacturing USA institutes, the Manufacturing Extension Partnership (MEP) program, and manufacturing sector consortia — as well as other relevant federal agencies including Defense, Energy, Commerce, and Homeland Security — have valuable capabilities and experience in this work.

The challenge of industrial cybersecurity isn’t just technical — it’s cultural. Firms need new risk management models and new modes of thinking to address the threats. It’s incumbent on public and private intuitions to work together to build cultures of learning, information-sharing, and collaboration to respond to emerging threats.

Cybersecurity is a serious issue for the future of American manufacturing. But, with smart investments and sustained attention, the challenge is surmountable.

Download & Read Cybersecurity for Manufacturers: Securing the Digitized and Connected Factory (PDF)

Read op-ed by Sridhar Kota (The Hill, 10/20/17): A plan for defending US manufacturers from cyberattacks