3 Key Takeaways About the Cyber Risk for Manufacturing
- Operational technology (OT) in manufacturing environments is often outdated and unable to be patched (fixed), leading to cyber risks that can be challenging to address.
- Contrary to popular belief, OT is often not air-gapped since the pandemic, meaning many previously “secure” technologies are now vulnerable.
- Companies can address their cyber risk for manufacturing by working with a security partner to identify and remedy their vulnerabilities to prevent data breaches and associated costs.
NetDiligence® President Mark Greisiger and Trend Micro Director of Cyber Risk Solutions Vince Kearns discuss how manufacturing cyber risks have changed and what companies can do to reduce their risk and secure their assets.
Vince Kearns is the Director of Cyber Risk Solutions with Trend Micro, a global cybersecurity leader, where he has helped make the digital exchange of information safer since 2003.
These takeaways provide keen insights into manufacturing and cyber risk. Watch the video for the full discussion with Mark and Vince, or read on for some of the highlights.
What Are the Risks Facing Operational Technology (OT), and How Are They Different From Traditional IT?
Manufacturing is one of the top sectors facing cyber risks. When it comes to manufacturing environments and the OT infrastructure, it’s always been different from the IT side of things.
The IT personnel manage their side, and the OT professionals manage their environment with different goals, and sometimes they don’t align. This separation can create communication issues within companies and make common goals for risk mitigation challenging. An example is getting a new computer every few years in an IT environment. But in manufacturing, there may be computers and systems that are decades old with vulnerabilities that are not able to be addressed with a patch; but that’s common in a manufacturing environment.
So, the cyber risk for manufacturing is greater because of older technology and operating systems.
What Does a Secure Environment Look Like Today Compared to Pre-Pandemic Conditions?
Before the pandemic, manufacturing environments could claim that there was limited risk because the environment was “air-gapped,” meaning employees and system users were badged in and out. There was no remote access and no Wi-Fi connections in the environment. It was essentially locked down.
During the pandemic, however, you had to have remote access. You had to remove the air gap from that environment to keep it running. This has led to the belief that these manufacturing environments continue to be immune to risks, but they are no longer off the grid. They have Wi-Fi connections and remote access, and the risk of doing that with machines with known vulnerabilities can be a big problem.
What Options Do Customers With Cyber Risk Have to Identify Their Risks?
It starts with a cybersecurity risk assessment. Someone running the environment has some idea of their assets and machines, but the assessment would specify what specific machines and software are used. Understanding known vulnerabilities, especially in controllers, is important to identify potential threats.
An assessment helps these companies understand their specific risks. Once you know what your assets are and whether they’re secure, integrating OT risk exposure into your institutional risk management plan is paramount.
So, if a company has a risk management plan, is OT part of that risk plan? If it’s not, then it needs to be. This is where a security partner can help. They can look at your environment and say, “Here’s your exposure, and here’s how you can close that gap.” These professionals can give companies options of what they can do to secure that OT environment just like the IT environment.
What Percentage of Manufacturing Companies Have a Modern Security Strategy and Solution in Place for Their Environments?
The Fortune 100 companies are pretty secure. They have invested millions into a secure environment. However, everybody else–probably over 90% of these environments–do not have modern cybersecurity strategies or solutions in place. This is a big issue.
These companies were air-gapped until a few years ago, and now they are open to the internet, which means they are vulnerable to hackers and data breaches. These machines and infrastructures are not ready for today’s level of threat.
Why Is Manufacturing a Huge Target for Cyber Criminals?
OT systems are easy to breach. Cybercriminals don’t have to put in a lot of effort to access a 20-year-old machine with an outdated operating system and a vulnerability that can’t be fixed. They are easy targets, and often they don’t have an appropriate breach response plan that can get them back up and running as quickly as possible.
So, how easy would it be for someone to do a mass attack on multiple manufacturing OT environments? It would be a little too easy.
What Are the Biggest Challenges to Securing OT Environments?
Although manufacturing companies have the potential to safeguard their assets, one of the main inhibitors to securing OT environments is the cost incurred in two distinct areas:
- The cost of the hardware and software necessary to protect the environment.
- The cost of downtime.
The average installation time of a comprehensive security installation is two weeks. Many decision makers are hesitant to implement the installation of a comprehensive security system because of the time it would take combined with the cost of downtime for such an installation.
The combination of these two costs to the manufacturing customer is deemed too great to implement. So even though the system is necessary to address cyber risk for manufacturing and would be beneficial, it’s not considered.
To learn more about Trend Micro, visit their website. If you’d like to learn more about this topic, check out their article on OT and IT visibility and efficiency barriers.
To learn more about NetDiligence and our solutions for changing how companies prepare for and respond to modern-day cyber risks, visit NetDiligence.com/solutions.
Download our tips sheet to start preparing for impending cyber threats by building your incident response plan today.