In this article Claire Price of QMS International, one of the UK’s leading ISO certification bodies, discusses why manufacturing companies need to be more aware of cyber security in a world of digital manufacturing integration.
As the fourth industrial revolution gathers pace, cyber criminals are honing their craft. But what exactly are the risks and what can the manufacturing and engineering sectors do to keep their new systems safe?
We’re living in a digital age and manufacturers and engineering companies across the globe are embracing the benefits of digital transformation, giving rise to the fourth industrial revolution, otherwise known as Industry 4.0.
This new revolution allows the flow of data throughout a business and its operations, integrating production with business processes and introducing new technologies such as artificial intelligence, cloud computing and augmented reality into the workplace.
By introducing smart manufacturing, factories and warehouses into their operations, businesses are gaining unparalleled visibility and control over their supply chains, machinery and facilities. With real-time data collected across the business and supply chain, businesses can better understand their operations and analyse and improve performance and maintenance.
But this new inter-connectedness and use of big data opens manufacturing and engineering businesses up to new threats when it comes to cyber security.
What is the threat?
Smart manufacturers and engineers are vulnerable to malware, denial of service, device hacking and exploitation. This could result in the loss of intellectual property, a damaging amount of downtime, product sabotage and even threats to health and safety if equipment is hacked and control is lost.
These threats have increased with Industry 4.0. With the new emphasis on the transparent flow of data, factory floors and equipment can no longer work in isolation, cut off from the main network. Now, everything is linked, and more people and systems have access to that network, opening up multiple gateways to cyber criminals.
Mobile devices are also becoming more common; they can be difficult to protect and to keep current with security updates. In 2016, nearly half of the manufacturers in the Deloitte-MAPI survey were already saying that they were using mobile apps for connected products, a figure that is likely to have grown.
Digital transformations are also often done piecemeal, meaning that old systems exist alongside new with varying levels of security and vulnerability. Combined with the slow installation of upgrades or patches across a network, this creates another challenge for businesses – and another opportunity for criminals.
It is therefore not surprising that the UK manufacturing sector was the victim of 29% of all cyber-attacks, according to the 2020 Global Threat Intelligence Report by the technology consultancy NTT.
How can cyber security be improved?
The narrow-focused cyber security of the past won’t cut it in this new digital age. Going forward, the manufacturing and engineering sectors need to adopt a more holistic approach which integrates cyber security into every aspect of their business, creating a culture of security.
Key considerations when thinking about cyber security for Industry 4.0 include: how you can ensure the integrity of your systems and information; how you protect sensitive information throughout the data lifecycle; how you recover critical systems; and how you minimise the effects of an incident.
To protect smart factory networks from cyber criminals, you must first identify possible risks and their likelihood of occurring. A comprehensive risk assessment must therefore be carried out which must consider your organisation, its suppliers and its technology.
You will need to assess how secure your industrial control systems (ICS) are, how and where your sensitive data is stored, where your supply chain is vulnerable and who has access to your systems. You should also look carefully at which systems control or are linked to physical processes and what may happen if they are disrupted. Once you know what the risks are, you can begin to develop ways to mitigate or remove them.
Getting cyber tough
Hardening your systems will help to reduce the risk of cyber threats to your business. Measures include: installing firewalls; creating processes to install patches; deploying real-time intrusion detection or threat intelligence; encryption; access and identity management (physical and digital); regular back-ups; and the segmentation of systems.
You can also increase your organisation’s resilience by coming up with a disaster recovery plan or business continuity plan, which will help you to deal with an incident and detail the steps needed to return to normal.
Ongoing vigilance is also key and should be undertaken by both your workers and your technology. Monitoring of your networks, personnel and the environment should be continuous so that you can pick up on threats as quickly as possible.
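The risk assessment, hardening and monitoring steps above can be partly automated. The following is an added example, not code from QMS International or from the article: a small triage script that takes a constructed asset inventory (network segment, last patch date, whether the device drives a physical process) and constructed lines from a hypothetical IT/OT boundary firewall, then reports devices that are overdue for patching, most safety-relevant first, and any allowed traffic that crosses from the corporate segment into the OT segment. The log format, address ranges, device names and the 90-day patch threshold are all assumptions chosen for the example.

```python
"""Added example: minimal OT risk triage over a constructed inventory and log.

Nothing here describes a real site. The asset list, the 10.10/16 (OT) and
10.20/16 (IT) segments, the firewall log format and the patch-age policy
are all constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
import ipaddress
import re


@dataclass
class Asset:
    name: str
    ip: str
    segment: str             # "OT" or "IT"
    last_patch: date
    physical_process: bool   # does compromise put equipment or people at risk?


# Constructed inventory: the output of the "what controls a physical process,
# where is it and how stale is its patching" part of the risk assessment.
ASSETS = [
    Asset("plc-line1", "10.10.1.20", "OT", date(2023, 11, 2), True),
    Asset("hmi-line1", "10.10.1.30", "OT", date(2024, 4, 15), True),
    Asset("historian", "10.10.2.10", "OT", date(2024, 1, 10), False),
    Asset("erp-app", "10.20.0.5", "IT", date(2024, 5, 20), False),
]

# Constructed segmentation plan: which address range belongs to which zone.
SEGMENTS = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),
    "IT": ipaddress.ip_network("10.20.0.0/16"),
}

# Constructed boundary-firewall lines in an assumed "key=value" syslog style.
FIREWALL_LOG = """\
2024-06-01T08:00:01 fw01 ALLOW src=10.20.0.5 dst=10.10.2.10 dport=1433
2024-06-01T08:00:03 fw01 ALLOW src=10.10.1.30 dst=10.10.1.20 dport=502
2024-06-01T08:01:10 fw01 ALLOW src=10.20.0.77 dst=10.10.1.20 dport=502
2024-06-01T08:02:00 fw01 DENY src=10.20.0.77 dst=10.10.1.30 dport=22
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def segment_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it fits no segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "UNKNOWN"


def overdue_assets(assets, today: date, max_age_days: int):
    """Assets patched more than max_age_days ago.

    Ordered so that devices linked to physical processes come first and,
    within each group, the longest-unpatched device leads.
    """
    overdue = [a for a in assets if (today - a.last_patch).days > max_age_days]
    return sorted(overdue, key=lambda a: (not a.physical_process, a.last_patch))


def it_to_ot_flows(log_text: str):
    """Allowed flows whose source is in IT and whose destination is in OT.

    Denied lines are ignored: the firewall already did its job there. Lines
    that do not match the expected format are skipped rather than guessed at.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "ALLOW":
            continue
        if segment_of(m["src"]) == "IT" and segment_of(m["dst"]) == "OT":
            findings.append((m["src"], m["dst"], int(m["dport"])))
    return findings


def enrich(findings, assets):
    """Attach the destination asset's name and physical-process flag."""
    by_ip = {a.ip: a for a in assets}
    enriched = []
    for src, dst, dport in findings:
        asset = by_ip.get(dst)
        enriched.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "dst_name": asset.name if asset else "unknown",
            "physical_process": bool(asset and asset.physical_process),
        })
    return enriched


if __name__ == "__main__":
    today = date(2024, 6, 1)  # constructed "run date"
    for a in overdue_assets(ASSETS, today, max_age_days=90):
        print(f"PATCH OVERDUE {a.name} ({a.ip}) last patched {a.last_patch}"
              f"{' [physical process]' if a.physical_process else ''}")
    for f in enrich(it_to_ot_flows(FIREWALL_LOG), ASSETS):
        print(f"IT->OT FLOW {f['src']} -> {f['dst_name']} ({f['dst']}) "
              f"port {f['dport']}{' [physical process]' if f['physical_process'] else ''}")
```

Run as-is, the script lists the PLC and the historian as overdue (the PLC first, because it drives a physical process) and flags two allowed IT-to-OT flows, one of them to the PLC on port 502. In practice the inventory would come from an asset register and the log from the real boundary device, and the IT-to-OT rule would be narrowed to whatever flows the segmentation design actually permits.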
To support this vigilance, workers need to be trained: cyber security awareness training should be carried out regularly, especially when new technology is introduced or novel threats emerge.
You should also seek to ensure that your suppliers or any other organisations connected to your systems commit to regular audits and the installation of software patches as soon as they become available.
To create a security-first approach that integrates information security throughout your organisation, you may also want to implement a comprehensive information security management system, such as ISO 27001, which includes processes for physical, digital and legal risks.
ISO 27001 has more than 100 controls that have been developed to help companies implement best practice processes when it comes to integrating security into their personnel, leadership and digital and physical assets. These processes include access control, operations security, system acquisition and maintenance, supplier relationships and incident management, giving the framework needed to build a true culture of security within a manufacturing or engineering business.
The standard can also be extended with additional codes of practice to tailor it to an organisation’s needs. ISO 27017, for instance, provides additional controls that cover information security for cloud services, while ISO 27018 tackles the protection of personally identifiable information kept in a cloud.
Whether you use a management system or not, it remains important to create an integrated defence strategy so that your security is as consistent as possible both inside and outside your business.