Does Cybersecurity Keep You Up at Night? It Should.
One day in mid-October, more than 1,200 U.S. websites were taken down by a massive botnet attack launched through hacked Internet of Things (IoT) devices such as home Wi-Fi routers and CCTV cameras. There doesn’t seem to have been a political or criminal motive for the assault. Rather, it was more like some sophisticated hackers taking a joyride at the expense of millions of Americans.
Of course, considering the growing number of complex global networks, back-office business applications, and industrial control systems (ICS) managing high-risk manufacturing processes in our industrial infrastructure, such joyrides may turn out to be far more serious a threat than they sound.
Former CIA and NSA Director Michael Hayden has been issuing warnings about the risks of such attacks for years. He categorizes three levels of cyber threats: criminals, often working out of Eastern Europe, who are simply out to steal stuff and make a buck; nation states launching more strategic assaults, such as China (whose hackers infiltrate U.S. corporate networks to steal trade secrets) and Russia (responsible for hacks designed to disrupt the presidential election this year); and random terrorist elements, cyberactivists, and anarchists, whose goal is to bring down a nation’s critical infrastructure. The October botnet attack seems to fall into this latter category.
How prepared are American manufacturers for this growing threat? To get a sense of this, MAPI partnered with Deloitte this fall to undertake a survey of manufacturers and provide some analysis of the responses (the study, Cyber Risk in Advanced Manufacturing, was published this month). Deloitte’s cybersecurity team then developed specific recommendations for senior executives to consider.
Here is a summary of some of the recommendations:
Engage the board and C-suite to develop a business-driven cyber risk program. Nearly half of the survey respondents said they lacked confidence that their businesses were protected from external cyber threats. One third indicated their cybersecurity budgets had remained flat or even decreased over the past three years. To ensure the issue is front and center at the highest levels, Deloitte recommends establishing a senior management–level committee with board representation dedicated to the issue of cyber risk.
Be purposeful in addressing talent-related challenges. Three-fourths of respondents say they thought their companies lacked the internal skilled resources to meet the threat of cyberattacks. Needless to say, the challenge of attracting and retaining cybersecurity talent makes it harder for companies to protect themselves. The study recommends establishing a cross-functional team of key stakeholders in the cyber program, including IT, operational technology, R&D, finance, and risk.
Remain vigilant in protecting critical investments in intellectual property. More than a third of respondents believe IP theft was the primary motive for cyberattacks on their company, second only to financial theft (45%). And 38% of respondents said that over the past year, monetary damages for cyberattacks at their companies averaged more than $1 million—with 15% averaging more than $5 million. To ramp up a company’s IP protection, Deloitte suggests reducing the value of sensitive data by encrypting or obfuscating it to render it difficult to use when compromised.
Harden security, implement monitoring, and implement incident response for ICS. Almost one-third of respondents say they have not performed any cyber risk assessments specifically focused on their industrial control systems. To address shop floor–related security vulnerabilities, Deloitte recommends creating a holistic inventory of all connected devices, including ICS that are attached to network segments. Also, create a “zero trust network” that extends to all layers of the enterprise, reducing the exposure of vulnerable systems.
Design cyber risk management mechanisms into connected products before deployment. Almost half the respondents say they have mobile apps associated with their connected product, and three-fourths choose Wi-Fi to enable data flows between their connected products. In addition, more than half said the connected products they produce are able to store and/or transmit confidential data. Yet when it comes to product-related cyber breaches, nearly 40% of manufacturers surveyed do not incorporate those products within their broader incident response plans. To Deloitte, this suggests a need for a more holistic approach to cyber risk associated with connected products. End users, whether households, businesses, or government, are expecting secure products off the assembly line, and companies that do not comply potentially face negative impacts in the way of operations, their brands, regulatory compliance, and functionality.