Cyber-crime is an almost invisible pandemic that has been infecting the world, and Australian manufacturers need to be on high alert. Cyberattacks worldwide are estimated to have stripped companies of US$8.4 trillion in 2022 and industries such as oil and gas have improved their cyber-readiness. Industry estimates put the cost of IT (Information Technology) attacks between $10-$20 trillion by 2025. According to IBM’s 2022 X-Force Intelligence Report, manufacturing became the most attacked industry globally in 2021 – replacing financial services and several of Australia’s biggest, high-tech firms were shocked by last year’s breaches and data theft. So, what has led to manufacturers being increasingly targeted by cyber criminals? This blog will look to provide a deep-dive analysis in this regard.
Perception of Soft Target
The speed at which manufacturers are integrating systems to catch up with the rest of the business world means little or no focus on security which makes them easy pickings. Digitization and systems integration is a new phase for most manufacturers so rookie mistakes are likely and hackers know this. As manufacturing has digitized, it has experienced more cyber-related incidents, often through interfaces and OT (Operational Technology) control systems managing industrial operations. Application Programming Interfaces (APIs) allow different systems to talk and share data. Every time a once-discrete system needs to talk to another, it uses an API and, without the right precautions, increases the attack surface. And, without adequate security, the convergence of OT and IT enables vulnerabilities in one area to be used by hackers to traverse to the other. Deloitte and the US’ Manufacturers Alliance for Productivity and Innovation (MAPI) studied cyber security and risks for manufacturing and structural steel fabrication. Almost half the manufacturers (48%) of 600 IT execs with global firms surveyed by the 2019 Deloitte and MAPI Smart Factory Study said operational risks, such as cyber security, were the greatest danger to smart factory initiatives.
Industry experts say manufacturers’ attention to security suffers from many factors, not least workplace culture, including security awareness and different teams’ priorities:
- Inadequate training: the World Economic Forum’s (WEF) Global Risks Report 2022 declared 95% of cyber security issues can be traced to human error and that insider threats, accidental or intentional, create 43% of breaches across all sectors.
- OT teams naturally focus on physical machinery (e.g., mining plant and equipment), tangible products and maximizing production. Often wary of ‘interference,’ there is a reluctance to give IT oversight and a tendency for OT to integrate systems ad hoc.
- Business leaders have not been sufficiently aware of IT risks. IT advisors struggle to get points on cyber security through to leaders. The C-suite has been criticized for preferring to pay cyber insurance than think about the issues. The prices for cyber insurance in the US have been skyrocketing: up by 96% in Q3, 2021 alone, and a 204% jump on the previous year, says the WEF.
- Factory floors’ fear of downtime means systems have not been patched to latest versions so they are vulnerable. Old factory equipment that is near impossible to update to work with more secure OT.
- Reports of complacency include one security provider’s survey of manufacturers’ knowledge of their systems and their APIs: it showed manufacturers’ confidence in their system security to be badly misplaced.
As smart factories are busy enhancing production and supply chain performance, greater interconnectedness brings greater risk with each interconnection enlarges the attack surface. Yet the trend to more connectivity and more smart devices in the Industrial Internet of Things (IoT) space is not slowing, and 5G networks’ next-level connectivity will accelerate it. The risks are huge and, whether on the cloud or on premises, businesses must be confident of the security of any externals with which they connect. Potential business partners can offer their bona fides but a manufacturer needs to diligently discover their true security posture, all their precautions and if they are vulnerable. In this matter, the old adage holds true: a chain is only as strong as its weakest link!