The manufacturing sector has the dubious distinction of being the second-largest target of cybercriminals; only healthcare surpasses it. Within manufacturing, the automotive space is now the prime target. Nearly a third of manufacturing attacks in 2015 were against automotive companies. Chemical manufacturers were next.
With the advent of the Industrial Internet of Things (IIoT), manufacturing’s intellectual property, data, and products have come under threat as a result of cybercriminals. Estimates indicate 21 percent of manufacturers have suffered a loss of intellectual property due to a cybersecurity attack.
A recent Los Angeles Chapter of the National Tools and Machining Association (NTMA) blog post states that many manufacturers are behind the curve in terms of security. That’s in part because manufacturers have not been subject to compliance standards in the same way the financial services sector has with the Payment Card Industry Data Security Standard (PCI DSS) and the healthcare vertical has with the Health Insurance Portability and Accountability Act (HIPAA). As a result, the manufacturing space as a whole is considered to be less secure than other leading verticals.
In a blog post for Robinson+Cole law firm, Linn Foster Freedman writes, “Manufacturing companies often don’t believe that they are targets because they do not hold vast amounts of consumer data. Therefore, they do not concentrate on cybersecurity and remain vulnerable.” But perhaps the manufacturing sector is not as naïve about the threat as some might suggest. Ninety-two percent of manufacturers cited cybersecurity concerns in their Securities and Exchange Commission (SEC) disclosures last year.
The Connected, Vulnerable Manufacturing Floor
Hackers have used Heartbleed and other machine vulnerabilities to launch their attacks. They have also gone after human vulnerabilities using social engineering techniques such as spear phishing. But attacks related to the Internet of Things (IoT) are where the action is.
That’s because production environments are now connected to the Internet, which has significantly expanded the attack surface of manufacturing. In the past, manufacturers relied on “air gapping” to separate their industrial networks from their business networks and the Internet. Air gapping is no longer a viable option as manufacturers embrace the benefits of the new business models enabled by IIoT.
This is a problem because the controllers found in every industrial environment frequently lack basic security controls such as authentication and strong encryption. That means many industrial control system (ICS) attacks do not even need to exploit software vulnerabilities. An attacker who can reach a controller over the network can alter its configuration, logic, and state.
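Because such controllers cannot tell an engineering workstation from any other host, the compensating control is on the network: restrict which hosts may reach controllers, and record every write. The monitor below is an added illustration, not code from the original post or from any vendor; the log format, addresses and operation names are constructed for the example.

```python
"""Compensating control for controllers that lack authentication:
allowlist-based monitoring of writes reaching ICS controllers (example only)."""
from dataclasses import dataclass
import re

# Constructed sample records, not real traffic: timestamp, source, destination, operation.
SAMPLE_LOG = """\
2017-05-12T08:01:02Z src=10.10.5.20 dst=10.20.1.7 op=read_state
2017-05-12T08:01:05Z src=10.10.5.20 dst=10.20.1.7 op=write_config
2017-05-12T08:02:11Z src=192.168.77.3 dst=10.20.1.7 op=download_logic
2017-05-12T08:03:40Z src=10.10.9.44 dst=10.20.1.9 op=write_state
2017-05-12T08:04:00Z src=10.10.9.44 dst=10.20.1.9 op=read_state
"""

CONTROLLERS = {"10.20.1.7", "10.20.1.9"}            # assumed controller addresses
ENGINEERING_WORKSTATIONS = {"10.10.5.20"}           # hosts permitted to change controllers
# Operations that change configuration, logic, or state: the three effects named in the text.
WRITE_OPS = {"write_config", "download_logic", "write_state"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) op=(?P<op>\S+)$")


@dataclass(frozen=True)
class WriteEvent:
    ts: str
    src: str
    dst: str
    op: str
    authorized: bool


def parse_line(line):
    """Return the fields of one constructed log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_controller_writes(log_text, controllers=CONTROLLERS, allowlist=ENGINEERING_WORKSTATIONS):
    """Return (alerts, audit): writes from non-allowlisted hosts, and every write seen.

    The audit trail matters because the controller itself keeps no record of who
    changed it; the network record is the only evidence of a logic or state change."""
    alerts, audit = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in controllers or rec["op"] not in WRITE_OPS:
            continue
        ev = WriteEvent(rec["ts"], rec["src"], rec["dst"], rec["op"], rec["src"] in allowlist)
        audit.append(ev)
        if not ev.authorized:
            alerts.append(ev)
    return alerts, audit
```

Running `audit_controller_writes(SAMPLE_LOG)` on the constructed log flags the logic download from 192.168.77.3 and the state write from 10.10.9.44, while the configuration write from the engineering workstation is recorded but not alerted.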
The National Association of Manufacturers (NAM) notes, “Billions of connected devices are pervasive throughout manufactured products and on the shop floors where they are made. This technology is creating enormous opportunity and driving transformative change. It has made all manufacturers into technology companies.”
However, NAM goes on to say that the “more that shop floors become imbued with intelligent machines, the more those machines will contain data worth stealing.” Meanwhile, manufactured goods themselves increasingly have communications capabilities. Things like heating, ventilation and air-conditioning systems can use communications capabilities to interact with both their users and their makers.
The good thing about this development is that it enables manufacturers to move from a model based on one-time sales to a recurring revenue model. But in the process, it expands the manufacturing industry’s threat surface. So, industry groups and government entities are working to figure out how to secure these connected devices and environments.
An Unfair Fight
It takes significant resources to establish cybersecurity measures that can withstand attacks from nation states—resources that manufacturers, especially smaller ones, just don’t have. And nation states pose the top cybersecurity threat to manufacturing, says NAM.
Discussing the attacks from China in an interview with CBS last year, John Carlin, former Assistant Attorney General for National Security, said, “It’s not a fair fight. A private company can’t compete against the resources of the second-largest economy in the world.”
To encourage investment beyond ordinary levels of commercial cybersecurity spending, NAM is calling for a public-private partnership. NAM is also pushing for the National Science Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), and the research arm of the U.S. Department of Homeland Security (DHS) to prioritize funding for IoT security research.
Fighting on the Legislative Front
In January, in the United States, the Federal Communications Commission (FCC) called for requiring cybersecurity accountability by IoT device manufacturers. And it published a white paper and notice of inquiry to get the conversation going.
The FCC noted that the broad field of IoT vendors needs to keep their device prices low to remain competitive. As a result, it said, they do not have a strong incentive to build security into their devices voluntarily. So, the FCC is working to create that incentive.
Just this month, on May 11th, the White House signed a long-anticipated Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This is the most significant executive order in the cybersecurity space since the previous administration signed the Executive Order -- Improving Critical Infrastructure Cybersecurity in February 2013. The new order commissions nine reports, covering cybersecurity issues across the areas of national cybersecurity, critical infrastructure cybersecurity, and federal network cybersecurity.
Of special interest to us in the executive order is the commissioning of a report to "assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education." The White House is looking for recommendations on how to "support the growth and sustainment of the nation’s cybersecurity workforce in both the public and private sectors."
In addition, there are other legislative efforts at the state level in the United States, as well as other federal-level efforts elsewhere in the world. At least 28 U.S. states last year considered or introduced cybersecurity legislation, according to the National Conference of State Legislatures.
The European Union has approved cybersecurity rules that force businesses to strengthen their defenses. Meanwhile, Australia has developed a national strategy through which government and the private sector are working together to address cybersecurity.
A Holistic Cybersecurity Approach
Manufacturers need to be aware of what may be coming down the cybersecurity pike. Those that aren’t already involved may want to start voicing their opinions now, before cybersecurity regulatory decisions are cemented. However, it’s important to remember that, due to the slowness of the legislative process and the speed of technological innovation, regulations usually straggle behind technology by three to four years.
With that in mind, businesses must strive to go beyond mere compliance if the goal is a robust security posture. What’s needed today is awareness of and active participation in not just abiding by current laws or helping to fashion new ones, but in forging a comprehensive cybersecurity strategy that ensures the people, processes, and technology are in place to keep critical data safe.
You don't need to be in healthcare or manufacturing to be experiencing the demand for trained cybersecurity specialists. In fact, cybersecurity is fast becoming everybody's business, not just the security team's. Find out how you can learn more about cybersecurity. And, let us know in the comments below if cybersecurity has cropped up as a bigger issue these days in your field of work.
Tom Gilheany is Cisco’s Product Manager for Security Training and Certifications. He has a diverse background in startups through multinational Fortune 100 companies. Combining over 20 years of product management and technical marketing positions, and more than a dozen years in IT and Operations, he has conducted nearly 50 product launches in emerging technologies, cybersecurity, and telecommunications. Tom is a Certified Information Systems Security Professional (CISSP), holds an MBA, and is an active board member of the Silicon Valley Product Management Association and Product Camp Silicon Valley.