The drive towards a more digital future is key to the prosperity of manufacturing. However, digital transformation heralds a new era of connectivity which brings with it rising levels of cyber vulnerability. Indeed, the last few years has seen manufacturing overtake financial services as the most cyber attacked industry. Joe Bush reports.
With over 11 billion IoT devices worldwide in 2021 (rising to an estimated 29 billion by the end of the decade), we’re certainly no strangers to connectivity and the potential dangers of poor cyber security or hacking. While in years gone by the family PC may have been the only internet connected device in the house, now the average home can boast lights, speakers, phones, games consoles, children’s toys, cars and even fridges and washing machines as being smart, internet connected devices.
This is great for making our lives easier and more entertaining, but every connected device represents an avenue of attack for malicious actors with mischief in mind or devious designs on our data. By the end of 2021, cyber attacks cost the global economy an estimated $6tn, a figure which is estimated to almost double by 2025. Of course, cyber crime is nothing new, and we as consumers have long been aware of best practice around making our devices safe and secure, whether that be through firewalls, anti-virus software or password authentication.
However, what of manufacturing? A sector that in some instances is still in the early stages of digital transformation and as such, is perhaps not fully aware of the dangers that can be ushered through the doors of the plant or factory with the deployment of emerging, digital technology. To say nothing of the growing sophistication of the various threat actors at large.
There’s no doubt that smart factories, driven by technology, are the future of manufacturing and can lead to improved productivity and performance via increases in factory output, utilisation and labour productivity. This will also lead to the creation of a hyperconnected supply chain which offers a digital thread throughout the business and a real-time view of product lifecycles.
However, before manufacturers get too excited about digital transformation, it is vital that the cyber risks involved are known and understood, as Rob Hayes, Director at Deloitte explained: “To harness the business benefits and opportunities presented by technological developments, the cyber risks need to be better understood as many organisations are moving to a hyperconnected business without understanding the real risk to themselves and others.
“Hyperconnectivity increases the blast radius of an attack, which means that a cyber incident at a manufacturer is often not an isolated event. Compromising one area could impact the entire organisation, and consequently all of its business partners. Many incidents we have responded to have either been caused by or impacted other organisations in the supply chain. This can be detrimental for organisations with highly stringent quality assurance standards as their products risk being rendered completely unsellable.”
Nuances of manufacturing
Back in 2018 a Make UK report highlighted the susceptibility of manufacturers to cyber risk, revealing that 41% of companies did not believe they had access to enough information to even assess their true cyber risk; 45% felt they did not have access to the right tools for the job; while 12% admitted they had no technical or managerial mitigation processes in place. This created a nervy environment where manufacturers were apprehensive about investing in digital technologies – and this back when manufacturing was only the third most targeted sector.
Fast forward and the events of recent years have shown how vulnerable manufacturing supply chains can be; a fact that has not gone unnoticed by cyber attackers. Downtime can be catastrophic within the manufacturing space, and that operational risk has been exacerbated by the challenges of the pandemic, war in Ukraine etc.. As such, a successful cyber attack has the potential to be seriously disruptive to manufacturing supply chains which are already under pressure.
Malicious actors are looking to capitalise on that vulnerability and it’s no surprise that 2021 saw manufacturing outpace the finance and insurance sectors in the number of cyber attacks for the first time in five years. Indeed, subsequent research late last year by Make UK, in partnership with Blackberry, revealed that nearly half of Britain’s manufacturers have been a victim of cyber crime over the last 12 months. Therefore, along with other challenges around energy and political instability, increasing cyber risk looks set to be one of the key business challenges of 2023.
To be cyber secure means constantly trying to hit a moving target. IBM’s X-Force Threat Intelligence Index 2022 shows that as defences grow stronger, malware gets more innovative. Attackers are increasingly using cloud-based messaging and storage services to blend into legitimate traffic, and some groups are experimenting with new techniques in encryption and code obfuscation to go unnoticed.
And in the world of connected supply chains, it may even be business partners who put you at risk. Triple extortion is an increasingly popular tactic of encrypting and stealing data, while also threatening to expose the data publicly and engage in a distributed denial of service (DDoS) attack against the affected organisation, unless a ransom is paid.
Ransomware gangs are also looking to their primary victim’s business partners to pressure them into paying a ransom to prevent their own data leakages or business disruptions caused by a ransomware attack.
Malware targeting Linux environments also rose dramatically in 2021; a surge that IBM predicts is possibly correlated to more manufacturing organisations moving into cloud-based environments, many of which rely on Linux for their operations.
A manufacturer’s perspective
Neil Matthews, Managing Director of MSP, a leading manufacturer of stampings and springs, claimed that the sector is currently falling short in terms of providing adequate protection against cyber attacks, and has urged manufacturers to start putting security at the top of their agendas both for themselves and their upstream customers.
He commented: “While cyber security affects every company in all industries, the manufacturing industry overall is particularly vulnerable, prone to cyber attacks and can face considerable challenges such as theft of IP.
“Malware and ransomware attacks are increasingly using sophisticated new tricks to infiltrate and exploit weaknesses. These attacks can result in a loss of competitive advantage, denial of access or damage to operational systems including production facilities. Significantly, it can also negatively impact a manufacturer’s trading reputation, leading to a loss of customers or suppliers.”
Manufacturing had a reported 23.2% share of cyber attacks and a further 33% increase in the number of incidents caused by vulnerability exploitations from 2020 to 2021. In that same period, 63% faced losses of up to £5,000, with 22% revealing a cost to their business of between £5,000 and £25,000. Neil added that with nearly half of British manufacturers having fallen victim to cyber crime since 2018, the industry can no longer adopt the notion that ‘it won’t happen to us’.
“As manufacturing businesses grow increasingly digital, it is now more important than ever that companies’ cyber security is just as proactive, because reactive improvements are too late, and damages will already have occurred.
“Vulnerabilities like single-layered protection, lack of firewall implementation, lack of protection to broadband connections and others can all be easily exploited by cyber criminals when the reality is that these vulnerabilities can be easily fixed and remote working infrastructures strengthened.
“The increasing tech-native nature of criminals, who have similarly adapted to the changing landscape of technology, and the lucrative nature of data, means that manufacturing experts agree that cyber security can no longer be taken for granted. Instead, we firmly believe it should become an integral element of all company’s strategies and plans for the future.”
Summary
There is certainly no silver bullet solution to cyber security issues, particularly due to its ‘moving target’ nature as mentioned earlier. However, as Rob explained, manufacturers can get off to a good start by adopting a ‘zero-trust’ security model and building incident response capabilities into their operations.
The level of connectivity within manufacturing organisations and the wider supply chain will continue to head in the same direction, and therefore, strong prevention, detection and response capabilities will be vital to reduce the negative impacts of hyperconnectivity and minimise the level of recovery required. Rapid recovery capabilities are also essential to limiting disruptions and getting operations back to the levels required for a viable business.
“Smart factories and digital supply networks need an approach that breaks down the perceptions of traditional ‘business-disabling’ cyber and brings them closer to something that is aligned with the principles of the digital supply chain,” said Rob. “We believe that the zero-trust security model could have significant potential, the core principle of which is ‘never trust, always verify’. The zero-trust model moves away from the traditional ‘perimeter-based’ concept that constrains business freedom, to one where trust is created between individual resources and customers.
“The zero-trust strategy is therefore uniquely placed to provide agility and scalability while minimising the costs and complexity of cyber management. This is important when moving to a borderless model where traditional technology boundaries no longer exist. It allows data to move freely as it interacts with the business across the digital thread. Accomplishing free movement of data is the prerequisite to realising a smart factory and its digital supply chain.”
Views from the sector
We’re on a digital transformation journey and while cyber security is now on the agenda, we are some way off being an exemplar. We have put in place what we consider to be appropriate tools for our current systems, and these will be enhanced as we grow and implement our digital transformation strategy.
Greater connectivity will inevitably mean greater risk of attack, and this will be addressed as we build our next generation systems.
Cyber security has always appeared on MPE’s risk register but in recent years the consideration of this has become increasingly important. We now undertake an annual review of systems. This is carried out by an independent third party, so that we may gain the UK government approved Cyber Essentials certification. This certification is now required when bidding for and being awarded certain government funded work.
It is clear that in the future, cyber essentials certification or its equivalent will be increasingly demanded by clients. This alone means that manufacturers will have to invest a certain level of resource/time/ cost toward attaining and maintaining such accreditation. In addition, as more and more systems become reliant upon IT and digitally connected to the world outside the respective manufacturer, any negative impact from a cyber attack or event will become increasingly significant.
Cyber security has always been a top priority. However, this is increasing in our manufacturing processes as we adopt a more data driven approach. This is exemplified by our Digital Factories initiative which is delivering a new data-driven approach to design and manufacturing and building in secure by design from the outset.
The range of threats are increasing, so organisations need to be more aware and respond appropriately. That is why we are investing in our cyber capabilities and developing our Cyber Advantage product in the UK. We are also a National Cyber Security Centre Certified Cyber organisation and have a dedicated team of specialists making sure we deliver appropriate security across our organisation.
The cyber threat is going to increase as the drive towards increasing connectivity and use of data to drive efficiency continues. However, this presents opportunities for those organisations who adopt an approach to cyber security based around cyber resilience and secure by design, where security can act as a genuine business enabler and allow organisations to take advantage of new technologies without exposing themselves to unacceptable levels of risk.
As a key supplier to the MoD, emergency services and the nuclear industry, security has always been one of Babcock’s highest priorities and cyber security is a critical element of that. Increased connectivity in manufacturing has added to the threats we face, however, our understanding of the risks is well established and our protocols defined. We apply the same rigorous security processes to a sensor in the manufacturing environment as to a laptop connected to our network.
It takes significant dedication and effort from our information services, information assurance and security teams to maintain our networks and the information assets that Babcock use to securely deliver our work for our customers. People are considered our best defence and we are all comprehensively trained to spot and prevent cyber-attacks.
The threat landscape is constantly changing and the range and complexity of connected devices is increasing. Vulnerabilities in systems and applications are continuously being found, and while we wait on vendors to develop and test updates and patches, they remain vulnerable. In addition, cyber threat actors never cease looking for vulnerabilities and learning how to exploit them.
Industry Interview: Rob Clifford, Chief Data Officer for BAE Systems Maritime and Land Division
How are attitudes towards cyber security changing within manufacturing?
Increasing connectivity and the market facing nature of the manufacturing sector is creating more vectors of attack. And increasingly, an awareness of outside influences disrupting manufacturing processes through technology has risen through the chain of command.
Research suggests that the awareness and impact of cyber attacks on the manufacturing industry has increased in recent years so it’s easy to conclude that manufacturing is acutely exposed to cyber crime. Attitudes are hardening and it’s a topic that people don’t equivocate about. There’s a balance to be had as it’s important that manufacturers don’t become embroiled in the topic to the extent that they take a step backwards in terms of innovation and development, while at the same time recognising the existential risks that exist and take appropriate steps to manage them.
Within manufacturing the advent of IoT and connectivity has seen an acute threat to critical infrastructure reflected not just within businesses, but in terms of a national and transnational concern. In the US, there’s the IoT Cybersecurity Act of 2021 and in the UK, the Product Security and Telecommunications Infrastructure Act 2022, plus we have the National Cyber Security Centre.
It’s a subject that’s now part of the firmament and forms the backbone of the critical infrastructure of UK manufacturing.
Does BAE have personnel dedicated to cyber security?
Cyber is standalone, but also has the relevant connections into the broader information, management and technology (IM&T) and engineering spaces. It is a pan-sector issue and we have a senior individual who leads a discrete programme of work, both in terms of remediation and improvement, while keeping a watchful eye on the space as it develops.
There’s also working level, operational activity as well. Critically, we make sure that cyber security is not merely relegated to an IT issue; it’s much broader than that. And in the manufacturing space, it’s essential that the people doing the delivery, building the equipment, maintaining and supporting it, are just as aware and informed about the risks of cyber, and the opportunities to mitigate it, as the people who are involved in the technical and academic work.
How is BAE mitigating against cyber attacks?
Cyber security is an interesting topic, as it covers a broad spectrum from very bespoke, niche, technical risks that might be faced by different organisations, through to some fairly pragmatic elements of security that you’d expect everyone to take seriously. For BAE, education, planning and tighter orchestration of our data estate is at the top of the table. It’s important to take practical steps around updating your infrastructure, making sure you maintain your legacy systems and they remain secure.
As mentioned, there’s also a balancing act between tolerance of risk and being risk averse. One of the most pernicious side effects of cyber attacks is that they cause businesses to stand rigid and conclude that safety will be assured if everything is locked down. That might be the case, but that in turn will stifle momentum, innovation and progress, which is at the heart of the UK manufacturing industry, and why we’ve got such a profound tradition.
Critically, when we talk about cyber threats and attacks, we inevitably get into a conversation about technology. Yes, there’s a huge technology element involved, but many of the most effective attacks occur due to a lack of social awareness, so education and training is vital.
Whether it be watering hole attacks, infected USB sticks or spear phishing attacks; they’re all linked to a human element, and people are risk vectors too. Of course, the technology is important, but equally integral is making sure an organisation’s people are up to date.
How challenging are legacy systems as an attack vector?
It’s an ongoing challenge, and it always will be. If nothing ever changed within an organisation, then there would be no dynamism or progression and the benefits of Industry 4.0 and connectivity would not be realised.
However, with legacy systems it’s important that manufacturers are aware that you can’t just make a transition to something new and forget about the system being replaced. Historically in the UK, there have been some challenges associated with legacy systems.
We had the WannaCry ransomware attack a few years ago, and some of the worst affected industries have been those where legacy systems have been exposed. Manufacturers need to have a grasp on where data sits (and where the risk is), while also making sure that if patching or improving the estate is being considered, then all the ingress and egress points are being captured.
What is the potential impact of a cyber attack?
There’s a spectrum of severity but of course, for the manufacturing industry, we’re talking about stopping or slowing production, or otherwise making it harder to get back to the optimum levels of output that existed prior to the attack. Manufacturers are always looking for efficiency and the improvement of quality, so anything that interrupts or disrupts that is going to present a challenge.
You could also look at the law of unintended consequence. An impact to one part of the system, particularly in a high assurance and complex manufacturing space, might create a ripple effect and have an impact somewhere else in a way that might not be expected.
There’s a huge amount of dependency when delivering very complex platforms and systems, so manufacturers need to make sure they understand how their businesses fit together. And of course, it’s not just the attack itself. What also requires consideration is the chilling effect that cyber intrusion and disruption present; that can stymie innovation and deter investment in new areas because of the concern of what’s lurking outside the light of the campfire; there’s a fear of the unknown and that can cause you to move at a slower pace.
The balance of risk needs to be sensibly split. I genuinely think connected systems and data are good for the industry, but they need to be accompanied by a complete awareness of the risk/benefit equation. Yes, be innovative and connect your data, but do so in a logical manner that doesn’t expose you to more risk than is actually needed.
Is cyber security becoming more challenging as connectivity increases and malicious actors become more sophisticated?
Statistically, evidence would suggest cyber attacks are still on an upward trajectory in the manufacturing sector. And in terms of scale, it’s not that hard to launch a cyber attack (albeit it’s harder to make an attack successful). However, all these risks have to be combated and time and money has to be invested in making sure businesses are properly insulated from them. However, sophistication is no guarantee that an attack will be successful.
Indeed, we’ve seen some very large institutions, both in the UK and internationally, brought down by what on the surface are quite unsophisticated techniques. Again, there’s a slight misnomer behind the word ‘cyber’, where it is often assumed there must be, for example, some incredibly complex data mining going on. In the majority of cases however, the attack’s success is often down to, as discussed previously, those human factors or because the legacy estate hasn’t been attended to sufficiently and has been left vulnerable as a result.
What’s important here is forward planning and having the right tempo behind your training so it is calibrated effectively. Are things becoming more challenging as they become more connected? The answer is yes. But the real challenge is to make sure that your training and mitigations are keeping pace with the scale of expansion.
What does the future look like in terms of cyber security and the challenge it presents manufacturers?
As a data person, I’d say one of the things manufacturers should be up to speed with regardless is understanding their data ecosystem, from both a technology and business perspective. Where is the data that matters to you? Where is it sourced from? Where is it stored? And how is its quality validated? You need to understand the relative value of the information you hold. Once you’ve done that you can start to think about how to protect it?
Another big issue, and it’s ongoing, is getting comfortable with the shift from open access to all data to very tightly managed permissions models. IoT is exciting because it opens up connectivity; the whole system can talk to itself, and you can get information moved around the manufacturing floor and workspaces as you want.
That’s great. But does that mean that all data has to be opened up? There needs to be a close focus on identity management; a clear understanding of who needs to see what, when and how, and what is the appropriate level of granularity of information that you share? That’s something all businesses will need to become proficient at.
In terms of cyber security, manufacturers will need to compartmentalise their businesses in such a way that it can work to effectively deliver products and operations without leaving attack vectors open. The most damaging cyber attacks find a fairly routine way into the business, but in doing so can access the crown jewels and move freely around systems and processes.
As we make our businesses more sophisticated and complex, in some ways, we need to get back to more simplistic principles of command and control. In a positive sense, IoT is going to provide more information to us, and when orchestrated with the cloud, there’s an opportunity to perhaps de-risk the manufacturing space.
Some reports have claimed that the advent of cloud is a precursor to cyber risk in the manufacturing industry. I’m not sure that’s entirely the case. In many instances, utilisation of cloud will provide better security than many people have on their premises already.
Obviously, in most organisations, a hybrid approach is the appropriate way forward as not all information will need to be in the public cloud. However, you can reduce some of your risk by managing the cloud estate effectively and allowing some of its more enhanced security to protect your estate.
For more stories on Digital Transformation click here.