It may be Cyber Monday, but it seems more like “Cyber Week” due to a steady barrage of emails, radio & TV commercials and print ads promoting ongoing “web deals.” With that emphasis on cyber in mind, I was interested to read about the results of a survey, in which nearly half of the surveyed manufacturing executives said they lack confidence their company’s assets are protected from cyber threats. Furthermore, according to the results from the survey, “Cyber Risk in Advanced Manufacturing,” from Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI), nearly 40 percent of the respondents indicated their company was affected by cyber incidents in the past 12 months—and 38 percent of those respondents said each cyber breach resulted in damages of more than $1 million.
“Manufacturers are innovating at an unprecedented rate, integrating cutting-edge technologies in products, automating the shop floor, connecting supply chains and increasingly investing in valuable intellectual property,” says Trina Huelsman, vice chairman, Deloitte & Touche LLP and U.S. industrial products and services leader. “While these advancements should position them for future growth, the industry is also likely to experience an acceleration in the velocity and sophistication of associated cyber threats.”
There are two reported areas of cyber risk cited by the survey respondents I was most interested to see. The first is that although industrial control systems operate highly automated manufacturing processes to increase employee safety, environmental protection and operational efficiency, they also expose manufacturers to increasing cyber risk. Surprisingly, 50 percent of the respondents indicated their company performs vulnerability testing for industrial control systems less than once a month—and 31 percent said their company has never conducted an assessment.
“To date, many companies have attempted to isolate the networks associated with their industrial control systems with an air gap, essentially a physical barrier between the industrial control systems networks, enterprise networks and the Internet,” says Sean Peasley, partner, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. “However, if they haven’t actually tested the accessibility of these systems, they can miss hidden access points that could be vulnerable to attack. An air gap strategy is also contrary to industry trends in digital manufacturing, which are designed to generate cost-savings, automation and efficiency benefits.”
Secondly, an increasing reliance on technology-enabled connected devices also introduces significant cyber risk for manufacturers. For instance, 45 percent of the respondents said their organization uses mobile applications and 35 percent cited connected sensor controls. However, 40 percent of the respondents indicated their organization has not yet incorporated connected products into the company’s cyber incident response plan. That takes on added importance when considering that 76 percent of the respondents said their company transmits product data using Wi-Fi, and 52 percent reported that their connected products store and/or transmit confidential data, including Social Security and banking information.
The report’s authors outline several steps to mitigate cyber risk: perform a broad cyber risk assessment that includes the enterprise, ICS and connected products; share the results of that assessment, along with the recommended strategy and roadmap, with executive leadership and the board; identify and evaluate strategies to address third-party cyber risks; and evaluate top business investments in emerging manufacturing technologies, IoT and connected products. However, as the report further notes, leaders must remain vigilant in evaluating, developing and implementing the company’s cyber threat monitoring capabilities. That said, employees cannot be ignored, and it is crucial to ensure that all employees are not only aware of their responsibilities to help mitigate cyber risks related to phishing or social engineering and to protecting IP and sensitive data, but also understand the appropriate escalation paths for reporting unusual activity or other areas of concern.
What are your thoughts on growing cyber risk? Are you confident your organization is protecting its assets from cyber threats?