Not only are the attacks becoming commonplace, the intensity and ultimate impact (to consumers and the bottom line) continues to escalate as well. The recent ransomware attacks on Colonial Pipeline ($4.4 million ransom) and JBS Foods ($11 million ransom) are prime examples of the associated costs and the ripple effect of the current generation of cyberattacks.
Simply put, when it comes to manufacturing's approach to cybersecurity, the status quo is no longer effective.
Like many industries, manufacturing organizations have developed robust business resilience plans. “However, they are often predicated on the loss of a single site. For instance, we see organizations build manufacturing plants on both the east coast (subject to hurricanes) and the west coast (subject to earthquakes), to protect against natural disasters affecting production,” Sean Curran, West Monroe’s senior director of cybersecurity tells IndustryWeek. “This has been a sound strategy. However, cyberattacks are not impacted by geographic boundaries and typically affect all systems in all sites. Business resilience plans need to be reviewed and adjusted for this risk.”
Changing environments
Cyberattacks are not new, yet a lot has changed when it comes to hacking. Today manufacturers are up against far more sophisticated hackers with a battery of powerful attack tools at their disposal. Understandable, this creates an environment where companies need to work much harder to stay at least a step ahead of bad actors.
What does the ongoing evolution mean to manufacturers?
According to Curran, early cyberattacks were primarily focused on data. “This led manufacturing organizations to assume they were immune to attacks, after all they had nothing of value, and therefore resulted in an underinvestment in cybersecurity,” he says. “Manufacturing also has a history of leveraging their technology investments for as long as possible, resulting in many aging or out of support operating systems. Lastly, production floors are typically the domain of production engineering teams that are not aligned with internal IT teams or corporate IT standards.”
This underinvestment, technical debt and cultural divide between IT and operation technology (OT) is a large gap to overcome quickly, explains Curran. “Coupled with the slow response to recognize the impact ransomware attacks and the incorrect assumption that production systems are segmented from corporate IT systems, manufacturing has been a happy hunting ground for threat actors.”
Forward motion
Manufacturers should identify the critical systems that could affect their business operations – especially revenue generation. “This is not a traditional cybersecurity review; it is more aligned with a business continuity planning analysis,” says Curran. “The review needs to include both IT such as ERP systems used for orders, invoicing, and distribution as well as those systems that affect the production floor. It is also critical to recognize the OSHA importance of the production floor systems.”
Thinking holistically about the entire process and understanding the IT interdependencies is extremely important. “For example, your production floor could be isolated from corporate IT. But once the product is manufactured it must be shipped,” says Curran.
Distribution is typically managed within an ERP system which typically sits in the corporate IT arena. It is one thing to know that you can successfully continue to produce product, but it is another if that stockpiles in your warehouse (which is typically of limited capacity) with no information on where products need to be shipped.
Once the manufacturers know and understand the production to IT dependency, they can start identifying a plan to address points of failure, explains Curran. “Focus as much on business resilience in the event of a cyberattack (ransomware or otherwise) and build a playbook for what you will do if it occurs,” says Curran. “This approach of resilience will allow the organization to not only address the current risks, but the new and emerging threats that will inevitably arise in the future. The side effect can also be a healthier collaboration between the IT and production teams, with the organization recognizing the symbiotic relationship they both play in the success of the organization.”