In the exceedingly interconnected world of Industry 4.0, so much is possible and so much is at risk.
While enmeshed networks allow for efficiency, innovation and research opportunities, the technologies that are changing the manufacturing sector also leave it vulnerable to sophisticated and evolving cyberattacks. Hackers run the gamut from individual bad actors to cyberthieves acting at the behest of a foreign government, often in search of IP and trade secrets as much as looking to disrupt systems controlled by aging equipment.
Simple perimeter security, such as a firewall, is as good as putting up a chain-link fence to hold back a rockslide, and manufacturers are learning more comprehensive protection is needed in their underserved sector. Wise companies recognize their counterattack must be wide-ranging, beginning with a comprehensive audit of what systems are most important to production and running their business effectively.
But where do you start to look? Are some spots more vulnerable than others? These are three areas hackers exploit.
1. The supply chain: Today, many small- and medium-sized businesses are thinking globally. More than ever, the supply chain can stretch over hemispheres, connected by the weaving tendrils of the world wide web.
But that scale – along with the speed of globalization, lax oversight and more complex information and communication technologies – has created more opportunities for hackers to create havoc long before a company even realizes there’s a problem in their systems or products. A National Institute of Standards and Technology official painted a stark picture for manufacturers, highlighting that the majority of companies do not have full visibility of their supply chain or a process for assessing the cybersecurity of the third-party providers with which they share data or networks.
Proper vetting of supply chain partners and an understanding of how they handle their own cybersecurity will go a long way toward protecting your own company. The International Organization for Standardization produced general information security standards for supplier relationships, as well.
Think of it like when you’re driving a car. You need to be mindful of what you’re doing, along with everyone else on the road. That’s how you get home safely.
2. The Internet of Things: HBO subscribers might recall an episode of the comedy series “Silicon Valley” in which a character hacks a rival’s 'smart' refrigerators. That specific scenario was worth a laugh, but ultimately, it was a little far-fetched. Still, the plotline introduced a growing concern that the online functionality of consumer products – broadly called the Internet of Things – can be used for nefarious purposes.
These elaborate IoT hacks aren’t limited to fiddling with fictional refrigerators or an apartment’s Nest thermostat, either. Hackers can use consumer-grade products, such as webcams, smart speakers or smart plugs, to make a backdoor into a manufacturer’s internal systems. Truly, it’s an internet of things, so if any piece of manufacturing equipment is connected to the web, it’s part of a larger network and therefore vulnerable.
Just as they would when equipment has a physical problem, manufacturers must be constantly vigilant in digital functions, creating patches for holes in their security and updating their software. The same goes for their own consumer-grade IoT products, especially older merchandise that may be forgotten as newer versions hit the shelves.
3. Your inbox: Any cybersecurity assessment should pay special attention to email protection. There is perhaps no easier way to break into a company’s network. Your emails may not play a direct role in the production process, but if an unwitting employee who has access to the company’s internal network opens a message with dangerous ransomware, the consequences can go well beyond taking out some non-essential computers.
Just last year, companies across the globe and from all industries were blindsided by the infamous WannaCry ransomware attack, which the U.S. blamed on North Korea. The Trojan virus was masked in emails as seemingly common files – among them, invoices, job offers and, ironically, security warnings – before spreading across systems, encrypting hard drives and demanding a ransom to unlock the system. For days, the attack disrupted systems used by hospitals, railway lines, delivery companies, automakers and more.
The lesson learned: This can happen anywhere and to anyone.
A 2017 report by MForesight and the Computing Community Consortium showed that while vulnerabilities in industrial control systems are decreasing, hackers are responding with more malware and phishing scams, and the manufacturing sector is being targeted at a higher rate than other U.S. industries. The report described how one type of scam, in which an email appearing to come from a company’s senior management asks financial staffers to transfer funds to the scammer’s account, caused more than $3 billion in losses across the industry in just one year.
While it seems almost too good to be true for the hacker, seemingly simple scams for monetary gain work because employees don’t expect them and emails are easy to fabricate. It’s not hard to imagine WannaCry-scale attacks or worse using the same methods to get into a manufacturer’s internal network, which may contain costly secrets or give a route to a facility’s vital systems.
As technologies change rapidly and more information is shared digitally within the manufacturing industry, it’s impossible to keep pace with the matching challenges in cybersecurity all on your own. But for even small- and medium-sized businesses, cloud-based solutions for advanced threat protection, spam and virus filtering and email encryption are effective and efficient. Cloud security vendors vastly reduce the need for internal IT security specialists and are affordable on most any budget.
Oliver Dehning is the CEO for Hornetsecurity’s U.S. operations.