It’s been eight years since the widely publicized Stuxnet virus was released to wreak havoc on its unsuspecting victims. Are we in a better place now to deal with a highly sophisticated next-generation Stuxnet-style attack?
Most experts say no. In fact, studies suggest that manufacturers, in particular, are increasingly vulnerable to cyberattacks. While information-heavy companies have grown to employ entire teams dedicated cyber defense, American factories have quietly been growing more and more susceptible.
Time to Pay Attention
Ransomware attacks, in which hackers use malware to encrypt data, systems, or networks until a ransom is paid, are alarmingly common. According to a recent report from Radware, 42% of global companies have dealt with this kind of attack. That number has been steadily rising. The number of companies reporting financially motivated attacks has doubled in the last two years.
Manufacturers — if you haven’t been paying attention yet, it’s time. This summer, about half of the organizations targeted by the sweeping Petya ransomware cyberattack were manufacturers. The recent WannaCry virus actually forced a Honda plant in Japan to halt production.
And there’s a bit more: The Wall Street Journal recently reported on what they call a new type of cyberattack that targets factory safety systems. Hackers who attacked a petrochemical plant in Saudi Arabia last year specifically focused on a safety shut-off system.
Is the WSJ right? Is this a new trend? Will hackers begin targeting control-system computers that manage American factory floors, chemical plants, and utilities on a more regular basis? Maybe.
There are plenty of theories that even the most crippling ransomware attacks like Petya and WannaCry are, at their core, motivated by something other than money, namely sheer pleasure in chaos and disruption. The potential damage to factory production and safety systems is growing. Now is the time to wake up and pay attention.
Factories Growing More Susceptible
Factories and manufacturers are at a heightened risk for a few coinciding reasons.
The complexity of our supply chains is a liability. With parts and materials from diverse and sometimes changing sources, as well as networks that can span all phases of production, our supply chains are large and constantly adapting and, because of this, extremely vulnerable.
The intensity of the manufacturing schedule raises a second issue. Many manufacturing facilities run around the clock, and halting factory production for testing is often cumbersome and costly.
The third reason is, of course, the byproduct of a manufacturing sector that has become steadily more data-driven and dependent on information technology. As manufacturing has steadily merged with technology to create the Industrial Internet of Things, we too have unknowingly created a space in which hackers see the potential for massive amounts of under-protected data, equipment, networks, and intellectual property.
How Can We Prepare
We’ve all heard the mantra, “The first step to solving any problem is admitting you have one.” A core concern has been the manufacturing sector’s inability or unwillingness to face this growing threat.
A report summary issued through a joint venture between MForesight and the Computing Community Consortium warned, “There’s a widespread failure to reckon with the risks.” The report recognizes that solving the issue will be long-term and complicated, but offers a few suggestions, including wide-reaching efforts to increase awareness, collaboration with trusted third-party partners, and cybersecurity research and development.
In the shorter term, maybe this can help. Last year the National Institute of Standards and Technology (NIST) released a Cybersecurity Framework Manufacturing Profile that provides a roadmap to managing cybersecurity and reducing risk to your manufacturing systems.
But I think Sridhar Kota, professor of engineering at the University of Michigan, hit the nail on the head in his article entitled A Plan for Defending U.S. Manufacturers from Cyberattacks, when he wrote: “Cybersecurity needs to become a deeply ingrained part of every manufacturing company’s culture — embedded in management decisions, workforce training, and investment calculations.”
The risks to manufacturers are growing from all-too-common ransomware attacks to sophisticated Stuxnet-style assaults targeting our safety systems. Its’s time that we in the manufacturing sector think of cybersecurity, and cyber defense, in absolutely every decision we make. To do otherwise is reckless.