Some 48% of UK manufacturers admit they have at some time been subject to a cyber security incident, with half of them suffering financial loss or disruption to business as a result, a survey shows.
“There seems little doubt that many more attacks will have gone undetected, and that cyber-related risks for manufacturers are only likely to deepen and broaden with increasing digitisation,” according to the survey report published by manufacturers’ organisation EEF in partnership with insurance firm AIG and the Royal United Services Institute (RUSI).
While 91% of the nearly 170 UK manufacturing businesses polled are investing in digital technologies, 35% consider that cyber vulnerability is inhibiting them from doing so fully.
“This suggests that opportunities are being missed and some businesses risk falling behind in the race to digitise. The result must not be that the UK falls away from the vanguard of manufacturing excellence,” the report said.
Across the manufacturing sector, the report said cyber security maturity levels are “highly varied” both in terms of awareness of the cyber security challenge and the implementation of appropriate risk mitigation measures.
More than four in 10 manufacturers do not believe they have access to sufficient information to confidently assess their specific risk, and 45% are not confident they are prepared with the right tools for the job.
According to the report, a “worryingly large” 12% of manufacturers surveyed have no process measures in place at all to mitigate against the threat, and only 62% of respondents said they train staff in cyber security, while 34% said they do not offer cyber security training and 4% said they did not know.
The EEF welcomes the steps the government is taking to improve national cyber security resilience, the report said, but notes that to date, no priority has been given to the specific needs of manufacturing.
“This must change. There needs to be a particular focus on the requirements of our sector, recognising that a one-size-fits-all approach for business is insufficient and, equally as importantly, comprehensive security cannot be the exclusive domain of large businesses who can afford bespoke end-to-end protection,” the report said.
The need to have demonstrable cyber security safeguards in place is becoming ever more necessary to operate in the business environment, the report said, with 59% of manufacturers reporting that they have already been asked by a customer to demonstrate or guarantee the robustness of their cyber-security processes, and 58% saying they have asked the same of a business within their supply chain.
For the 37% of manufacturers who report that they could not do this if asked to today, business will become increasingly challenging, the report said.
“However, while some manufacturers are only at the beginning of their cyber-security journey, as this report shows, sensible precautions and a proper cyber security business plan are in reach of all. These measures will provide the confidence businesses need to invest in digitisation, and the credibility to operate in the sector as a trusted supplier,” the report said.
Manufacturing companies are one of the most popular targets for cyber criminals, based on the sheer amount of classified information they hold, according to Tim Bandos, director of cyber security at Digital Guardian.
“Increases in cyber attacks targeting manufacturing can be attributed to a growing number of financially motivated, state-sponsored hackers. Typically, government-funded organisations target manufacturers’ networks to steal intellectual property (IP) and trade secrets. Data or more specifically intellectual property is the lifeblood of this industry and it must be protected accordingly,” he said.
Key performance indicator
Bandos recommends organisations take a key performance indicator (KPI) perspective to cyber security, by setting goals and metrics to improve security stature. “A key benefit of this is the ability to develop a heat map of sorts, to outline where they should be focusing their efforts and/or where they should continue to invest in protecting their most sensitive assets,” he said.
“The issue with industrial systems is that many of them are up to 20 years old in some cases, and there is not necessarily a practical way to upgrade them due to the criticality of their availability,” said Sylvain Gil, vice-president of products at Exabeam.
“Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have. We need more insight into the behaviour of these systems.
“They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are. We’ve seen enough examples that we know they can be manipulated, not just in terms of being used for cyber crime, but they can actually have physical consequences, as well, like a shutdown or explosion,” he said.
However, Tim Erlin, vice-president at security firm Tripwire, said it is important to distinguish between cyber attacks on manufacturers and cyber attacks on industrial control systems.
“While they may be related, they’re not the same thing. Any organisation with connected computer systems may fall victim to cyber attacks across a broad spectrum of technologies, but attacks on the systems that control a manufacturing plant floor are much more specific. Of course, manufacturing isn’t the only industry using industrial control systems.
“We have seen a rise in attacks on control systems themselves, and the impact to the business of these attacks can be very direct. At the same time, cyber attacks in general continue to plague organisations around the globe,” he said.
David Emm, principal security researcher at Kaspersky Lab, said the world is not ready for cyber attacks against critical infrastructure. “But attackers are clearly ready and able to launch attacks on these facilities – as this trend towards attacks on the manufacturing sector shows.
“We’ve seen attacks on power grids, oil refineries, steel plants, financial infrastructure, seaports and hospitals – cases where organisations have spotted attacks and acknowledged them. But many more companies do neither, and the lack of reporting of these attacks hampers risk assessment and response to the threat.
“Security must be tailored to the specific needs of each organisation and be seen as an ongoing process. This is true also of the human dimension – tricking people into taking action that launches the initial exploit is as common in attacks on such facilities as it is in any other attack.”
Commenting on the finding about cyber security training, Steve Malone, director of security product management at Mimecast, said it is “not good enough” that only 62% of manufacturers invest in training.
“While the sector has specific requirements for control systems and IoT [internet of things], the risk management reality is much worse, as it is vulnerable to the same attacks as everybody else – particularly spear phishing emails and ransomware targeted at employees.
“The upcoming GDPR [EU General Data Protection Regulation] may be a wake-up call for some, but we’re still not seeing these threats taken seriously. Regulations such as the NIS Directive, which aims to help build cyber resilience for essential and critical services, will be key for fostering a new culture of security,” he said.