Have you ever told your team, “Upgrading our equipment is too expensive and likely to cause downtime. Let’s just keep it running.” Ultimately, you made a risk decision. While cyber security hasn’t been a critical risk factor until recently, it has quickly emerged as one of today’s biggest risks.
Manufacturing risk management often comes down to a cost and safety discussion. These costs include downtime, IP theft, counterfeiting, brand damage, personal injury, and loss of life. Furthermore, significant security attack costs must be reported on your company’s SEC filings.
“Manufacturers are increasingly being targeted not just by traditional malicious actors such as hackers and cyber-criminals, but by competing companies and nations engaged in corporate espionage. Motivations range from money and revenge to competitive advantage and strategic disruption.” – Deloitte
Limited security and dated systems unnecessarily expose plant operations to uncontrolled failures, including complete process “crashes.” As cyber-induced crashes become more sophisticated, they are more commonly placing the workforce at personal risk. In 2014, a German plant sustained massive damage when its blast furnace was hacked. Fortunately no injuries were reported, but the plant incurred damages in the tens of millions of dollars.
As part of corporate risk management, more and more manufacturers are adding cyber attack coverage to their overall insurance portfolio. Unfortunately, insurance policies are a reactive approach and represent the cost of doing nothing. Manufacturers need to adopt a balanced approach that includes not only insurance but proactive measures that reduce or eliminate plant floor attack vectors.
You can’t lock down your factory and limit access because you won’t be competitive in a connected world. So what’s the best approach?
Here are a few steps to protect your company while embracing IoT, external connectivity, and machines as a service:
- Upgrade your old equipment and control systems to ensure they support the latest virus and malware protection. Until an upgrade is possible, add strict controls on legacy equipment and require purchases of new automation adhere to a much higher cyber attack standard
- Eliminate USB Drives – EVERYWHERE, especially on the manufacturing floor
- Virtualize PCs and industrial computers on the shop floor to reduce unplanned outages and increase security
- Implement edge compute capabilities through centrally managed industrial switching platforms
- Install firewall and identity management technologies to allow managing, controlling, and auditing access to your factory floor networks
- Partner with leading security companies – at Cisco we employ over 5,000 people focused on cyber security
- Deploy platform-based solutions leveraging a secure, pre-integrated modular platform. While it’s tempting to purchase the hottest start-up’s latest security products, the costs (integration cost, vendor stability, and technology obsolescence) create a HUGE risk to your business
To go even further, the National Institute of Standards and Technology (NIST) has created a draft Manufacturing profile for cyber security. The NIST profile details an approach to identify, protect, detect, respond, and recover.
Additionally our whitepaper, Holistic Security for the Factory of Tomorrow, addresses these topics in more depth from both the business and technology perspective.
If you would like to continue the conversation about security for your manufacturing plant, please send me a note at neheller@cisco.com. I welcome the opportunity to learn more about your goals and objectives and see how we can help. I would like to thank my colleagues Steve Marchewitz, Pat Mitchell, and Greg McCarthy for their insights and guidance in creating this blog.
For more information on factory security:
Great Stuff!
Agree 100%. Security is a top priority for individuals, small, medium, and large businesses, manufacturers, and government. Thank you for this interesting blog post, with your insights and links. Greatly appreciated.
I could not agree more. The heads in the sand approach will cost more later and possibly even open up some older systems to security breaches or incompatibility with some minor piece of new gear. Move up to efficiency and effectiveness.
The first thing that came to mind — too many businesses are using duct tape and paper clips to hold their things together. Cisco will lead the way in streamlining their processes and show them the value of investing a little now to profit a lot later.
Thank you very much for this valuable article and links.
Security is never a black and white boxes, but context matter rather than technologies.
Best regards.