As the fourth industrial revolution gathers pace, cyber criminals are honing their craft. But what exactly are the risks and what can the manufacturing and engineering sectors do to keep their new systems safe?
We’re living in a digital age and manufacturers and engineering companies across the globe are embracing the benefits of digital transformation, giving rise to the fourth industrial revolution, otherwise known as Industry 4.0.
This new revolution allows the flow of data throughout a business and its operations, integrating production with business processes and introducing artificial intelligence, cloud computing and augmented reality into the workplace.
By introducing ‘smart’ manufacturing, factories and warehouses into their operations, businesses are therefore gaining unparalleled visibility and control over their supply chains, machinery and facilities. With real-time data collected across the business and supply chain, businesses can better understand their operations and analyse and improve performance and maintenance.
But this new inter-connectedness and use of ‘big data’ opens manufacturing and engineering businesses up to novel threats when it comes to cyber security.
What is under threat?
Smart manufacturers and engineers are vulnerable to malware, denial of service, device hacking and exploitation. This could result in the loss of intellectual data, a damaging amount of downtime, product sabotage and even threats to health & safety if equipment is hacked and control lost.
These threats have increased with Industry 4.0. With the new emphasis on the transparent flow of data, factory floors and equipment can no longer work in isolation, cut off from the main network. Now, everything is linked, and more people and systems have access to that network, opening up multiple gateways to cyber criminals. Mobile devices are also becoming more common, which can be difficult to protect and keep on top of security updates. In 2016, nearly half of manufacturers in the Deloitte-MAPI survey were already saying that they were using mobile apps for connected products, a figure that is likely to have grown.
Digital transformations are also often done piecemeal, meaning that old systems exist alongside the new with varying levels of security and vulnerability. Combined with the slow installation of upgrades or patches across a network, this creates another challenge for businesses – and another opportunity for criminals.
It is not therefore surprising that the UK manufacturing sector was the victim of 29% of all cyber-attacks recorded by the NTT’s 2020 Global Threat Intelligence Report.
How can cyber security be improved in manufacturing?
The narrow-focused cyber security of the past won’t cut it in this new digital age. Going forward, the manufacturing and engineering sectors need to adopt a more holistic approach which integrates cyber security into every aspect of their business, creating a culture of security.
Key considerations when thinking about cyber security for Industry 4.0 include:
- How you can ensure the integrity of your systems and information
- The protection of sensitive information throughout the data life cycle
- The recovery process of critical systems and how to minimise the effects of an incident
To start, you must first assess your risk.
Assessing the risk
To protect your smart network from cyber criminals, you must first identify possible risks and their likelihood of occurring.
A comprehensive risk assessment must therefore be carried out which must consider your organisation, its suppliers and its technology. You will need to assess how secure your industrial control systems are (ICS), how and where your sensitive data is stored, the vulnerabilities of your supply chain and who has access to your system. You should also look carefully at what systems control or are linked to physical processes and what may happen if they get disrupted.
Once you know what the risks are you can begin to develop ways to mitigate or remove these risks.
Hardening your systems
‘Hardening’ your systems will help to reduce the risk of cyber threats to your business. This includes:
- The installation of firewalls
- The creation of processes to install patches
- The installation of real-time intrusion detection or threat intelligence
- Access and identity management (physical and digital)
- Regular back-ups
- The segmentation of systems
You can also increase your organisation’s resilience by coming up with a disaster recovery plan or business continuity plan, which will help you to deal with an incident and detail the steps needed to return to normal.
Ongoing vigilance is key and should be undertaken by both your workers and your technology. Monitoring of your networks, personnel and the environment should be continuous so that you can pick up on threats as quickly as possible.
To aid vigilance, your workers need to be trained. Cyber security awareness training should be carried out regularly, especially if new technology is introduced or novel threats emerge.
You should also seek to ensure that your suppliers or any other organisations connected to your systems commit to regular audits and the installation of software patches as soon as they become available.
A culture of security
To create a security-first approach that integrates information security throughout your organisation, you may want to implement a comprehensive information security management system, such as ISO 27001, which includes processes for physical, digital and legal risks.
ISO 27001’s 114 controls have been developed to help you implement best-practice processes when it comes to integrating security into your personnel, leadership and digital and physical assets. These processes include access control, operations security, system acquisition and maintenance, supplier relationships and incident management, giving you the framework you need to build a true culture of security within your manufacturing or engineering business.
The Standard can also be extended with additional codes of practice to tailor it to your organisation’s needs. ISO 27017, for instance, provides additional controls that cover information security for cloud services, while ISO 27018 tackles the protection of personally identifiable information kept in a cloud.
Whether you use a management system or not, it remains important to create an integrated defence strategy so that your security is as consistent as possible both within and without your business.
This article was written by Claire Price of QMS International, one of the UK’s leading ISO certification bodies.