As many of us are aware, the concept of Industry 4.0 has gained popularity. It is expected to connect the design, manufacturing, operations and service of products and production systems through IoT (Internet of Things) based proactive data storage and usage. Increased interactions between machines, parts, humans and management systems are expected to make lights-out manufacturing about 30% faster and 25% more efficient. Pioneering companies have therefore made progress towards implementing Industry 4.0 disciplines across different scales of production, assembly, planning, plant and logistics, quality and maintenance solutions. However, there is one crucial point that they might underestimate in the age of unrestrained digitalization: “cybersecurity precautions on new era production systems”, or cybersecurity for Industry 4.0 as it is more popularly known.
In the age of hyper-connected production, the risk of being attacked by hacktivists or terrorists increases because this connectivity exposes all production data to the outside world. Rapidly digitalizing sectors such as automotive, aeronautics, pharmaceuticals, energy supply and food processing are all critical in terms of health and safety. As a result, the potential game-changer can become a major threat to all humanity. To illustrate this, we can separate the threat areas of the industries into two categories:
- Large-scale companies: Most of the time these companies are the main targets, and successful attacks cause severe damage. For example, French automotive manufacturer Renault was hit by a cyber-attack in which hackers tricked the company through malicious emails. The attackers were able to reach critical company data and demanded Bitcoin to release the encryption. In the end, Renault had to shut down production in some factories in France and at the Nissan plant in Sunderland. After the incident, detailed investigations showed that the attackers were part of an international crime organization related to the WannaCry cyber-attack targeting the NHS in the United Kingdom. However, the European Union offers legal rights to protect companies against cyber-attacks within the NIS (Network and Information Security) directive. Even if the directive cannot be counted as regulatory law, many cybersecurity divisions have been launched and are increasingly capable of countering threats. But it bears mention that the directive is only an instruction to member-state governments to implement their own laws of cybersecurity for Industry 4.0, and its legal protection capability, on its own, is questionable.
- Small and medium-scale companies: The main idea of connectivity is that it covers all of the participants in the value chain. To transform the industry, large-scale companies must persuade their small and medium-scale supplier companies to change in order to improve the efficiency of the new digitalization trend. But the problem is whether those auxiliary companies can maintain a sufficient level of cyber-security while they chase the new standards. So far, the answer is: unfortunately, not. According to a Deloitte-MAPI study, one-third of the manufacturers have not performed any cyber risk assessments on the industrial control systems operating on factory floors. The vulnerability has therefore remained for threat actors to exploit against companies, and this has become one of the most vulnerable parts of the ecosystem. The crucial part is the risk of manipulated supplier company production causing malfunctions in end products.
The digitalization of production systems opens new doors for cyber-criminals. According to research conducted by NTT Security, cyber-attacks increased 24% globally during the second quarter of 2017. Manufacturing was recorded as the most heavily targeted industry. Manufacturers experienced a 100% increase in incidents in industrial control systems and a 400% increase in leaks of connected product data since 2014. Furthermore, attackers target the intellectual property, talent, and products of large companies instead of stealing and extorting money or chasing low-profit user details and credit card numbers.
In the pharmaceutical industry, attackers pose a threat by sabotaging dosages, causing ineffective or harmful drug production. They can change critical production tolerances in aeronautics, disrupt self-driving and electric car control boards, mix up the traceability data of huge batches of production stock to disrupt after-sales service management, and much more. And, as one of the most critical targets, assailants steal intellectual property such as drug recipes, production line setups and other valuable information stored on company servers.
Cyber threat analysts’ first step in mitigating a threat is identifying the threat actor’s motivation and targets in the operational system. The motivations of recent intrusions on manufacturing were separated into 3 categories: political, economic and socio-cultural. Examples of political attacks include (but are not limited to) destroying, disrupting, making political statements, protests or retaliatory actions on company public relations channels. Examples of economically motivated attacks include theft of intellectual property or valuable assets, fraud, industrial espionage, sabotage and blackmail. Socio-cultural reasons are more emotionally driven, with motivations such as fun, curiosity, and a desire for publicity or ego gratification.
In over two-thirds of all malware distribution, attackers were found to be pushing e-mails with malicious attachments containing different types of soft boot commands as primary steps in their attack. Other types of attacks can be separated by attack method, whether they are application-based, physical flash drive infiltrations or website intrusions, such as Adobe products and promotional flash drives. Consequently, manufacturers must not see attackers simply as ‘traditional’ malicious actors such as hackers and cyber-criminals motivated by money, but also as competitors and nation-states engaged in corporate espionage, seeking to gain competitive advantage or achieve strategic disruption. Alternatively, the danger can come from an insider threat such as disgruntled employees or thieves.
The latest high-profile attacks involve threat actors using much more complicated techniques, such as multi-flow, multi-vector attacks that reveal vulnerabilities in IT networks that bleed into operational technology systems. Therefore, to prevent these types of cyber breaches, companies must find a way to remain secure, vigilant and resilient. The question is how they can establish typical modern manufacturing IT networks under these disciplines. When it comes to preventing these types of attacks, basic solutions like creating strong passwords and updating security systems are not sufficient anymore.
Companies must establish continuously developing cybersecurity infrastructures while conducting internal compliance and risk assessments to determine the organization’s vulnerabilities. For example, internal meetings and surveys can be conducted frequently with employees to see espionage vulnerabilities from the employees’ view and to continuously improve those points step by step. Additionally, IT divisions should be expanded with cybersecurity analysts to detect vulnerabilities, and from those vulnerabilities they must develop and implement corporate policies and procedures.
The new hyper-connected manufacturing systems require IT employees with quick response skills to handle cyber-attacks using those policies, procedures and action plans. Moreover, data protection is another essential point: establishing secure data backup policies in the company means that any type of attack can be mitigated. Another point is that the sector requires CEOs and executives who are aware of cyber-security risks, such that they are involved in oversight and the decision-making processes for any type of security issue.
As part of this cyber-security awareness, executives are expected to invest in sufficient electronic security measures to cover proactive testing and probing of systems in an environment of increasingly sophisticated intrusion methods. After assessing the defensive methods and developments, there is one problem ahead for the manufacturing industry: there is a shortage of cyber-security professionals.
Nowadays, most leading companies in the industry struggle to fill their cyber-security roles. As the manufacturing industry becomes one of the most popular cybercrime targets, it faces the problem that you cannot implement your security strategies if you lack qualified employees. Therefore, to solve this looming threat in the future, it can be suggested that high-end companies hire information-technology-related engineers and, with educational investments, develop and train them into cybersecurity professionals and decision makers. Furthermore, it is important to implement intelligence analysis methodologies like structured analytical techniques (SATs). They offer cyber analysts the tools to mitigate cognitive biases, generate an intellectual audit trail and help alleviate deception or disinformation by threat actors.
The cost of cybercrime certainly varies by organizational size, and so do the costs of preventive action. Making the correct investment that meets a company’s exact needs also relates to its activities. Consequently, those investments could have some quick payoffs, which is motivating for corporations. The critical applications here can be considered to be successfully established hybrid business models that develop not only the cybersecurity aspect but also the marketing value of the company, such as improving the company’s culture, brand value and reputation. Besides the previous security suggestions, companies are in need of cyber risk evaluation to produce tangible gains and protect businesses from redundant investments. So it cannot be forgotten that, in the near future, cybersecurity will be seen not only as an option for companies but also as an essential competitive future force in the manufacturing industry.