Manufacturing’s IoT Adoption Opens Up Big Security Holes

Manufacturing's IoT Adoption Opens Up Big Security Holes

Though the manufacturing industry has embraced technological advancements and emerging trends like internet of things (IoT), survey data reveals their security posture leaves something to be desired. In fact, half of surveyed manufacturing executives lack confidence their assets are protected from external threats.

A study from Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) reveals that 40% of manufacturing companies were affected by cyber-incidents in the past 12 months, and 38% of those impacted suffered damages in excess of $1 million.

The survey found that four of the top 10 cyber-threats facing manufacturing organizations are directly attributable to internal employees, including phishing/pharming (32%); direct abuse of information technology systems (25%); errors/omissions (26%); and use of mobile devices (24%).

But other problems lurk as well: A full 40% of respondents said they do not incorporate IoT and connected products into the company’s broader incident response plan. Among executives surveyed, 45% said their organization uses mobile applications and 35% cited sensor controls. That’s an issue given that 76% of companies surveyed transmit product data using Wi-Fi, and 52% reported that their connected products store and/or transmit confidential data, including Social Security and banking information.

"Manufacturers are innovating at an unprecedented rate, integrating cutting-edge technologies in products, automating the shop floor, connecting supply chains, and increasingly investing in valuable intellectual property," said Trina Huelsman, vice chairman, Deloitte & Touche LLP and US industrial products and services leader. "While these advancements should position them for future growth, the industry is also likely to experience an acceleration in the velocity and sophistication of associated cyber threats. Cyber risk and innovation are closely linked, and through our study, we have identified leading practices manufacturers can implement to address these emerging risks and make their companies more secure, vigilant and resilient."

Overall, the highest number of incidents originated within the organization (46%), while 39% came from external sources and 15% originated from vendors and business partners. The top motives of cyberattacks seem to be financial theft, intellectual property theft, and targeted attacks on senior executives for financial gain or access to company strategies or investments.

Manufacturers said that they see intellectual property as the No. 1 risk.

Intellectual property can constitute more than 80% of a company's value, according to Ocean Tomo. In the study, 36% of manufacturing executives said that intellectual property tops the list of data protection concerns, followed by consumer data (32%) and accidental disclosure of personal information (29%). In addition, significant and increasing concern exists around more sophisticated state-sponsored attacks on intellectual property.

"Cyber risk is a critical part of every manufacturing environment and demands attention from every employee, contractor, and business with whom a company interacts," said Stephen Gold, president and CEO, MAPI. "The most effective approach will rely on more than the CIO or CISO by also engaging the board and C-suite. Company leadership needs to understand their comprehensive cyber risk profile to appropriately allocate resources to mitigate risk."

When it comes to the shop floor, industrial control systems (ICS) tend to operate highly automated manufacturing processes where employee safety, environmental protection and operational efficiency are of paramount importance. Yet, 50% of surveyed companies indicate they perform vulnerability testing for industrial control systems less than once a month and 31% have never done an assessment.

"To date, many companies have attempted to isolate the networks associated with their industrial control systems with an air gap, essentially a physical barrier between the industrial control systems networks, enterprise networks and the internet," said Sean Peasley, partner, Deloitte & Touche LLP and cyber-risk services consumer and industrial products leader. "However, if they haven't actually tested the accessibility of these systems, they can miss hidden access points that could be vulnerable to attack. An air gap strategy is also contrary to industry trends in digital manufacturing, which are designed to generate cost-savings, automation and efficiency benefits."

Photo © Zapp2Photo

Source: Information Security Magazine