IT consolidation leaving manufacturers exposed to security risks

More firms are looking to consolidate their IT but, as KPMG has found, a fairly large number have not considered all of the security risks

Those channel players targeting the manufacturing sector and businesses that provide some of the critical infrastructure services have a job on their hands keeping those verticals secure.

With attacks coming from both cyber criminals and nation states, the chances of a business operating in manufacturing or delivering infrastructure being targeted are very high.

Despite increased awareness of security threats, problems continue to arise when customers start to tinker with their IT systems and consolidate operations.

KPMG has warned that when process control and corporate IT systems are merged, not enough thought is given to security.

Roy McNamara, of KPMG’s Cyber Security team, said that the move towards consolidation was an ambition of many firms looking for efficiencies and hoping to gain greater insights into their operations.

“As industrial control systems evolve, companies are looking to reduce costs and improve efficiency by consolidating IT services and adopting sophisticated data analytics, integrating previously standalone control systems with corporate intranets or even the internet. In doing so, they may open themselves up to threats including organised crime, hacktivism and even state-sponsored attack,” he said.

There have already been examples of manufacturing firms being hit by attacks, with KPMG citing the case of a German steel mill, where hackers were able to get access to the control systems and cause damage to the blast furnace.

With the pressure on firms to bring their systems together to unleash BI tools that should unlock business insights, as well as the general industry move towards the Internet of Things, there are dangers that some firms will make decisions without thinking of the security aspect.

KPMG found that 80% of firms it quizzed had already merged systems or were planning to bring together production and corporate IT systems. But two-thirds did not factor in the security risks.

Even after admitting that the threats had not been properly considered and the budget for security was not growing, the pressure to consolidate meant more than half of the firms were still ploughing on with the project.

The channel has a responsibility to help answer the security question at the time the integration projects are being planned and to encourage customers to think about the risks.

“Industrial control systems operate the majority of our critical national infrastructure and manufacturing sector such as power grids, oil refineries, production plants and traffic control systems. In a worst-case scenario, cyber criminals could target these control systems in order to sabotage critical infrastructure or cause economic damage,” said McNamara.

“This doesn’t mean that businesses should halt the process of converging these systems, with potentially huge benefits in doing so, but they do need to identify and manage the associated risks – and that means thinking about cyber security up front before regulation or security incidents force their hand,” he advised.

One of the positives is that the message about the need for better security is getting through to the boardroom, with Tripwire finding that British IT professionals felt fairly confident that their bosses were discussing the issues.

An increasing number of firms have also appointed someone specifically to be responsible for cybersecurity, but there still needs to be more education for the industry.

“Cybersecurity is definitely a boardroom issue, and I’m encouraged that more organizations are engaging on this topic,” said Dwayne Melancon, chief technology officer for Tripwire. “However, engaging and doing so effectively are two different things.”

He added that he felt some IT pros might be too optimistic about the grip that the board had on cyber security and that, although progress had been made, there was still work to be done to get a sense of urgency in some boardrooms.

The warnings about cyber security come just days after the head of MI5 said that it needed more surveillance powers to stop terrorists and the Chinese government, in a separate move, claimed it did not back nation state attacks.
