We as a collective should consider ourselves quite privileged to be able to witness the transformation in the way goods are produced, thanks to the digitization of manufacturing. This transition, more commonly referred to as Industry 4.0, takes what was started in Industry 3.0 (with the adoption of computers and automation) and enhances it with smart and autonomous systems that are fueled by data and machine learning.
The optimization of the computerization of Industry 3.0 comes with a glittering set of benefits such as optimized logistics, greater application of IoT, affordable robotics, and more. However, there is one major drawback which smart factories in the age of Industry 4.0 must be aware of: security breaches.
Smart Factories: Hot Commodity for Attackers
Attackers view the convergence in Industry 4.0 as an opportunity to move laterally across manufacturing networks within smart factories. They can jump across IT and OT systems for their malicious activities, and take advantage of systems for industrial espionage, IP leakage, and many different forms of sabotage. They particularly hit the jackpot when they come across outdated systems, unpatched vulnerabilities, and poorly secured files.
2017 was the year in which data breaches, particularly in the manufacturing industry, hit a record high. According to Digital Guardian, “There were 620 separate data breach incidents in manufacturing alone. To put this into perspective, there were a reported total of 1,579 breaches in all of the US for the same time period.”
Such breaches placed organizations in a position in which they were faced with the challenge of upgrading measures across the board to protect IT, OT, and IP against any weak link an adversary may take advantage of. Unsupported operating systems, unpatched vulnerabilities, and exposed systems risk both physical and digital manufacturing components. Compromised systems and exploited flaws could lead to data leaks, financial losses, and production downtime.
According to Trend Micro, manufacturing companies can avoid common security issues by implementing basic best practices such as the following:
- Individuals who are granted access to files and systems should be identified and given the most restrictive permissions. If they should not be able to modify information, read-only access should be given to them.
- The IT machines and production machines that are allowed to communicate with one another should be identified. There should be restrictions as to which devices in the IT network should be capable of information exchange with which devices in the OT network.
- Unnecessary services in the network should be disabled. Doing so can help prevent exploitation of vulnerable services.
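The second and third practices can be checked against observed traffic. The following is an added example, not code from Trend Micro or from this article: it audits flow records against an IT-to-OT allow-list and reports every zone crossing that is not approved. The subnets, host addresses and allow-list entries are constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.20.0.0/16")

# Approved IT-to-OT conversations: (IT source, OT destination, TCP port).
ALLOWED = {
    ("10.10.5.20", "10.20.1.10", 44818),  # engineering workstation -> PLC (EtherNet/IP)
    ("10.10.5.30", "10.20.1.50", 4840),   # historian -> OPC UA server
}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.10.5.20", "10.20.1.10", 44818),  # approved
    ("10.10.5.30", "10.20.1.50", 4840),   # approved
    ("10.10.7.99", "10.20.1.10", 502),    # office laptop speaking Modbus to the PLC
    ("10.10.5.20", "10.20.1.10", 23),     # approved pair, but telnet is not an approved service
    ("10.20.1.10", "10.10.5.30", 445),    # OT host initiating SMB into the IT network
    ("10.10.5.20", "10.10.5.30", 443),    # IT-to-IT, never crosses the boundary
]

def zone(addr):
    """Classify an address as IT, OT or EXTERNAL under the assumed plan."""
    ip = ipaddress.ip_address(addr)
    if ip in IT_NET:
        return "IT"
    if ip in OT_NET:
        return "OT"
    return "EXTERNAL"

def audit(flows, allowed):
    """Return (src, dst, port, reason) for each unapproved zone crossing."""
    findings = []
    for src, dst, port in flows:
        zs, zd = zone(src), zone(dst)
        if zs == zd:
            continue  # same zone: outside the scope of the IT/OT allow-list
        if (zs, zd) == ("IT", "OT"):
            if (src, dst, port) in allowed:
                continue
            pair_known = any(a[0] == src and a[1] == dst for a in allowed)
            reason = ("unapproved service on approved pair" if pair_known
                      else "unapproved IT-to-OT pair")
        else:
            reason = f"{zs}-to-{zd} flow not covered by allow-list"
        findings.append((src, dst, port, reason))
    return findings
```

A finding of the "unapproved service on approved pair" kind also identifies a listening service on the OT device that is a candidate for being disabled.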
No One is Spared
Even the largest organizations have suffered serious consequences after allowing basic security fundamentals to slip through the cracks. Here are four examples:
Apple experienced one of its largest breaches of user account data in the company’s history in 2015. Malware known as “Keyraider” was discovered after it had already obtained sensitive information for 225,000 iPhone users in nearly 20 countries worldwide. Jailbroken iPhones were held for ransom.
On that note, Foxconn, which is known for manufacturing components for Apple, was also hacked. The company is based in China, and one group, Swagg Security, took credit on Twitter for hacking Foxconn and reportedly released sensitive data that included usernames and passwords for very large corporations in the technology space.
DuPont’s research is one of its largest assets, and was compromised by an insider breach. A company employee accepted a job with a competitor and downloaded nearly 40,000 sensitive files to bring with him to his new employer in 2005.
Boeing is one of the largest airplane manufacturers in the world and has one of the most interesting data breaches on this list. In 2017, an employee asked their spouse to help with formatting on a document with the information of 36,000 Boeing workers. This meant that an email containing sensitive employee information was sent outside of the company’s network. Luckily, none of the information was leaked beyond the spouse.
Resilience is Key
Organizations face the challenge of being cyber resilient in order to adapt to evolving and disruptive technologies. Traditional information security practices might provide a necessary approach but might not be enough to completely protect organizations. Organizations need to focus on and commit to a framework that, according to Ernst & Young:
- Provides an integrated approach to cybersecurity – holistic approach to threat landscape rather than employing security technologies in silos
- Develops capabilities for threat detection to respond appropriately and proactively
- Employs the use of AI to recognize patterns for smart monitoring of the IT infrastructure
- Develops strong relationships between organizations across different sectors and government bodies for sharing information, intelligence, capacity building and research
Oftentimes, smart factories simply don’t have the bandwidth to create cybersecurity solutions from the ground up, which makes it important for them to look to visionaries that are already on top of the cybersecurity ecosystem. At SOSA, through our Global Cyber Center, established in partnership with the City of New York, we are building the largest cybersecurity ecosystem in the world, which will enable countries, cities and corporations to tap into this exceptional expertise.
The consequences of a successful security breach in smart factory environments go far beyond the immediate cost of outbreak containment and the corresponding cleanup. Destructive attacks such as those involving ransomware can halt the production line and incur significant monetary losses, and the impact of stolen or leaked IP can affect sales and market share. After all, unlike industries such as fintech or insurtech, smart factories do not have the benefit of having clear standards and regulations laid out in regard to handling, processing, and securing the interconnection of systems, processes, and data.