When the NotPetya virus infected computers internationally in 2017, the Russian military's target was Ukraine, not manufacturing.
As collateral damage, NotPetya immobilized Merck's pharmaceutical manufacturing, costing the company $870 million; halted Mondelez's food production, running up $188 million in losses; and disrupted manufacturing and shipping capacity for U.K. company Reckitt Benckiser, maker of Durex condoms and other consumer brands, for two months.
"Multiple companies stopped operations, some for weeks or months," said Sean Peasley, cyber IoT leader at Deloitte Risk and Financial Advisory. The potential for damage in an operations environment is so high that it can dramatically affect revenue, if not shut businesses down completely.
While risk is high, a quarter of companies surveyed in the 2019 Deloitte and Manufacturers Alliance for Productivity & Innovation (MAPI) Smart Factory Study did not perform a cyber risk assessment during the previous year. With more manufacturing sites using connected and smart technology, hackers and other bad actors have more access points, and companies are not doing enough to protect their sites.
"The risk has now shifted from access to data or pulling down service in back office, to maybe disrupting the whole manufacturing environment," Peasley said. The shift is to the business' front line. If the systems go down, it can be a disaster for the company's viability.
Internal operations and supply chains present risks to manufacturing
Large manufacturers are at risk, yet small manufacturers are potentially at even higher risk. "People think they're after the big companies, and they won't touch me. That's where the vulnerabilities lie," said Elliot Forsyth, vice president of the National Cyber Program at the Michigan Manufacturing Technology Center. "As you move down the supply chain, capabilities become less sophisticated. That's where a majority of nation states and other forms of hackers try to leverage and steal information," as this lack of sophistication leads to vulnerability.
Companies are not operating in isolation, though, especially with technologies connecting supplier tiers and partners. Gaining access to critical information shared with suppliers can affect the larger company, even if that company's system isn't breached.
A hacker can steal a company's proprietary data or customer information from the supplier. Or if a supplier's system goes offline due to a cybersecurity breach, that could impact its operations. The supplier might make parts that the manufacturer needs for production, and without those parts, manufacturing can cease. A virus can also spread from suppliers to manufacturers through email or through file sharing features.
Smart factories use analytics that are important to improve the ability to predict and manage the work and drive down cost. Cyberattacks involving data as well as electrical and software components could come from supply chain partners. "You're only as secure as your weakest link," said Peasley.
With more connected components, communicating and storing data, the risk rises. "We talk about it being increased attack surface," Peasley said, with more areas vulnerable to attack.
With more connected devices, vulnerability advisories are gaining steam as well. Manufacturers use internet of things (IoT) devices, robots, sensors, programmable logic controllers, mobile apps and connected technology that access the corporate network or internet. The Department of Homeland Security logged 223 advisories for industrial control systems in 2018, up from 17 in 2010.
Complexity increases as systems age and grow
Aging and legacy systems are part of the problem, as is the number of systems used. Large manufacturers can have thousands of sites globally, Peasley said. "How do you go through and protect all those environments? The technologies in these environments are different than the traditional information environment."
Rather than using Windows or Linux, operational environments might have more heterogeneous programs that are harder to protect. The equipment may be 40 years old with no security built in. It's expensive to upgrade.
"Any number of companies we work with are still using XP as their operating system," said Forsyth. And Microsoft no longer supports Windows XP. A Trend Micro Research report, Securing Smart Factories: Threats to Manufacturing Environments in the Era of Industry 4.0, found 4% of manufacturing companies are still using Windows XP as of December 2019, and authors say the use "is relatively pronounced in the manufacturing environments."
While companies don't necessarily need to buy a new operating system, Microsoft doesn't provide patches, and applying a custom one could bring down a piece of equipment or the whole environment, said Peasley. With older systems, there also may be limited options for multifactor authentication or encryption.
Monitoring and assessing cyber threats
Most manufacturers have not implemented monitoring capabilities in their operational environment, said Peasley. That may require specialized monitoring systems that don't interfere with manufacturing. "The type of capabilities you'd find in the IT world is different than in the OT world," he said. It has to be done passively so it doesn't bring down the operations systems and enables continuous manufacturing around the clock.
Specialized and newer monitoring platforms and technologies exist, often with small consulting companies at the helm. They've been shown to identify potential threats and abnormal activity in these environments, and the monitoring company may have specific playbooks to walk an operator through a potential concern, like setting a firewall, said Peasley.
OT is different than IT in other ways as well. The IT department keeps the enterprise current and running, with a disciplined way to deploy infrastructure. The department has standards and policies to ensure the systems work. OT, on the other hand, needs to keep the manufacturing line running continually, any way possible, Peasley said. "If they have to go to Best Buy and get a router, they'll do it," he said. "They don't have the legacy discipline IT has." Ideally, the two groups come together to understand each other's motivations, objectives and goals.
Companies should conduct regular cybersecurity risk assessments, also called maturity assessments, at least annually, said Peasley. These are based on the standards relevant to what the company needs. For manufacturing, it could be the NIST 800-171 Cyber Security Framework, the ISO 27002 or the IEEE Standard. The company would go through governance and how it is looking at network and physical security. This comprehensive approach considers all aspects of the cybersecurity program, including defining processes and policies, and technical controls.
"It will be next to impossible to address everything immediately. It will probably take years," said Peasley. But these plans can be used to get funding and resources from the executive leadership, to begin addressing items based on the risk.
Financing cybersecurity
Analysts typically recommend that enterprise security comprises 3% to 5% of the IT budget, if the organization has a mature cybersecurity program, said Peasley. However, the percentage depends on the company's baseline security levels. For organizations without many controls, that figure should rise to the mid-teens of the IT budget.
For OT security programs, most companies likely start from a less mature baseline, so the budget will probably be large, he said. They'll need to include a monitoring program, network security and engineering. "On top of that, if they have 10 to 1,000 manufacturing sites, it can get fairly significant quickly," he said.
Having security professionals, like a chief security officer on the manufacturing side, is helpful to understand needs and convey the business case to board members and executives from the perspective of the operations environment. "If something catastrophic happens to one plant, let alone multiple, it could affect the life of the organization," Peasley said.
Before adding any new components or opening a new manufacturing site, the cybersecurity team should address potential security issues. "It should be part of the culture and fabric of the organization," Peasley said. "You don't want to have that conversation just before you go live, but throughout the process. Think about how to bring in AI, cloud, IoT and sensors. Consider it all in the security by design approach."
The assessment process should do more than check the boxes, said Forsyth. It may require business changes, like adding new equipment or software. The staff should go back in six months later to reevaluate, making security changes as needed. The security process should never stop, Forsyth said, and part of that risk assessment is having a backup system in case the system is breached. Also part of the continuous process is informing employees about cyber risk, what it means and how to protect the company. "They should become aware of what the phishing scams look like."
Addressing cybersecurity is not a one-and-done proposition. Implementing a plan to address the issues can take years and a big budget. But even if it can't be accomplished all at once, ignoring the risk is a recipe for disaster. "Companies are constantly under attack with behavior that's disruptive, whether a phishing scam permeates through your organization and shuts down your operating system, your back office systems or your shop floor. The world is highly connected," said Forsyth.
This story was first published in our weekly newsletter, Supply Chain Dive: Operations.