A Comprehensive Guide to Manufacturing Cyber Security
Securing critical manufacturing sectors from today’s cyber risks & threats.
The manufacturing sector is one of the largest, most diverse, and rapidly changing segments of the global economy. And it is a top target for cyber adversaries. Robotics, automation, machinery, IoT/IIoT, smart devices — it’s time to secure manufacturing from threats, hackers, and risks.
Key manufacturing segments include aerospace and defense, automotive, chemicals, computer hardware, electronics, construction, consumer packaged goods (CPG), food and beverage, transportation, pharmaceuticals, and industrial manufacturing.
We are in the midst of a fourth Industrial Revolution that is upending traditional notions of best practice in operations, supply chain management, cybersecurity, disaster recovery, and other aspects of manufacturing. This revolution is driving a wholesale re-evaluation of how to approach cybersecurity in manufacturing and has created a consensus that a complete migration to this new manufacturing environment cannot be successful without cybersecurity itself becoming a foundational pillar of this new era.
What has become known as Industry 4.0 has been evolving and consolidating for almost a decade, with Germany driving innovation and investment. (Aspects of this idea are also found in Japan’s Society 5.0 initiative and China’s Made in China 2025 industrial plan.) The number of technologies finding their way onto manufacturing floors, into supply chains, and new categories of connected objects is both impressive and bewildering. There truly is a revolution underway, and it is global in its reach and increasingly in its impact. Early adopters have included automotive, mechanical and plant engineering, electronics, and high technology manufacturers.
Industry 4.0 refers to a combination of hardware, software, and services that is modernizing manufacturing infrastructure to improve efficiencies in all aspects of manufacturing processes. Technologies that are being applied to create smart factories include: robotics, sensor technology, additive manufacturing (3-D printing), augmented and virtual reality, wearables, artificial intelligence and machine learning, big data analytics, and cloud computing.
The goal of integrating these technologies into manufacturing is to deliver smart, more aware, more agile, and more resilient infrastructure to design, optimize, and create manufactured goods. This is all done while delivering a safer work environment that uses fewer resources and optimizes maintenance practices to limit downtime.
Industry 4.0 adoption is reaching down into small- and medium-sized businesses (SMB) and across all types of manufacturing. Many of these technologies do not require large capital investments. Not every manufacturer needs expensive robotics, for example. The most important technologies being deployed broadly by manufacturers are robotics, wearables, connected devices (IoT), additive manufacturing (3-D printing), virtual reality (VR) and augmented reality (AR), artificial intelligence (AI) and machine learning (ML), and big data analytics.
The first industrial robot was deployed in 1961. While the use of robots in manufacturing has continued to expand over the decades, the majority are still used in automotive plants, where they represent more than half the “labor” needed to build automobiles and trucks. Robotics has advanced to the point that 100% automated “lights-out” factories have been operational for several decades in sectors such as computer manufacturing.
Critical Manufacturing Cybersecurity
It should come as no surprise that all of this technological change is causing the industry to reevaluate how to approach cybersecurity in manufacturing for both information technology (IT) and operational technology (OT) infrastructure. Industry 4.0 requires an even tighter coupling of traditional IT and OT. In almost every case, these new technologies create additional data, create additional connections to existing data, or enable the storage and use of data in new, more distributed locations.
These architectural changes raise obvious questions about cybersecurity. But they also make clear the need to reconsider traditional approaches to disaster recovery and resiliency planning. Organizations will have a much richer set of operational data that are both distributed and redundant, along with powerful predictive analytic capabilities that will make preventing or recovering from system outages simpler. But the additional connectivity to OT infrastructure required to enable this benefit is accompanied by greater exposure to cybersecurity threats as the attack surface is enlarged.
Legacy OT systems are burdened with a long list of cybersecurity concerns, including:
- Equipment with decades-long life cycles,
- An inability to patch systems due to stability concerns,
- And a lack of basic cybersecurity features such as user authentication or encryption.
Historically, OT security personnel could at least credibly claim that such systems were “air-gapped” to ensure isolation from the rest of the world. However, complete isolation, if it ever existed, has become impossible today. No manufacturing organization can embrace an Industry 4.0 strategy without addressing the severe cybersecurity risks that attend it. This strategy requires a recognition of the almost complete integration of IT with OT in modern Industry 4.0 deployments.
OT cybersecurity has traditionally been its own discipline. Analyst firm Gartner defines OT cybersecurity as: “The practices and technologies used to protect people, assets and information involved in the monitoring and/or control of physical devices, processes and events, particularly in production and operations.” Over the years, as IT has been incorporated into OT systems, the approaches to cyber protection have also merged, but the primary goals of the two disciplines remain distinct.
IT and OT cybersecurity differ in fundamental ways but not only because the systems often require different security controls. The real distinction is that IT and OT security practitioners have different goals for “securing” their assets and different definitions of “secure.” This is hardly surprising given that IT is chiefly concerned with digital assets and OT is chiefly concerned with physical assets.
The Physical Impact of Manufacturing Cyberthreats
CIA vs. CAIC
The standard for IT cybersecurity is the well-known confidentiality, integrity, and availability (CIA) triad. Enterprise data is considered proprietary intellectual property, and therefore keeping digital assets under lock and key has been the primary objective of IT cybersecurity strategies. This is followed by the need to ensure the integrity of digital assets. Organizations must not only keep their data out of competitors’ hands, but they must also ensure that data is not corrupted, either intentionally or otherwise. Finally, that data should be available internally to appropriate employees and partners, and potentially, customers.
The standard for OT cybersecurity, however, requires a broader and a reordered set of priorities, namely control, availability, integrity, and confidentiality (CAIC). Maintaining control of all physical assets to ensure their safe operation at all times is the primary objective of OT cybersecurity and overrides all other concerns. The next most important goal for OT cybersecurity is availability. OT is present in all critical infrastructure facilities, and critical infrastructure typically needs to be available 24/7/365. Integrity is also essential, particularly to the degree it ensures safety and availability. The confidentiality of OT data is the least important concern.
Cybersecurity Challenges Affecting the Manufacturing Industry
The 2020 IBM X-Force Threat Intelligence Index reported an unprecedented 2,000% year-over-year increase in incidents targeting OT environments, like critical infrastructure manufacturing. Attackers are taking advantage of the larger attack surface of these systems and, unfortunately, often are not finding them difficult to penetrate. Typical attacks include brute-force password attacks against legacy OT hardware and software, as well as targeted attacks against known vulnerabilities in legacy equipment.
While that extraordinary growth in attacks might astonish even close industry watchers, it should shock no one that attacks are on the rise. Juniper Research has forecast that globally there will be 83 billion connected IoT devices by 2024, and 70% of these will be in the industrial sector. This level of connectedness completely changes the relationship between IT and OT. And unfortunately, many new connected devices are built with just enough processing power and bandwidth to create vulnerabilities but not enough headroom either to support a firmware update if a vulnerability is discovered or to support an agent to provide protection in the event of an attack. This necessitates a comprehensive OT protection strategy that reassesses the level of connectivity to, and interdependency with, traditional OT assets.
Main Operational Technology (OT) Threat Actors
Attacks Against Manufacturers
According to a report by the cyber insurance company Allianz, cyberattacks against critical infrastructure are more likely to target ICS than attempt to steal data. A survey of critical infrastructure suppliers showed that 54% reported attempts to control systems, and 40% had experienced attempts to shut down systems. While manufacturers are particularly vulnerable to attacks designed to cause extended operational downtime, they are also highly sensitive to the loss of trade secrets and customer data. This is true across the board but particularly for manufacturers working in the Defense Industrial Base (DIB) sector.
Disruptive Cyberattack Example at Honda Manufacturing Plant
Unfortunately, business changes made in response to the COVID-19 virus have likely contributed to the increase in attacks during 2020. Remote workers are particularly vulnerable to phishing attacks, which can become a vector for ransomware attacks. Ransomware typically locks down data until a ransom is paid, but for a manufacturer, that is the equivalent of locking down the production line. Manufacturers have been particularly hard hit by ransomware, seeing the steepest increase of any industry in the first quarter of 2020, according to a June 2020 report from cyber insurer Beazley.
Manufacturers suffer from having to maintain highly dispersed and heterogeneous infrastructure and supply chains. Embracing Industry 4.0 technologies makes it even more difficult for organizations to create and maintain accurate real-time inventories of their OT/IoT devices and systems. But this is a minimum requirement for developing a baseline cybersecurity strategy for OT and IT systems: manufacturers must be able to monitor their network state in real-time and understand device behavior. The ability to detect anomalous activity in near real-time is key to preventing operational disruptions, whether from maintenance issues or cyberattacks.
Another difficulty is that basic threat intelligence information is often lacking on attacks targeting OT and IIoT infrastructure. Cybersecurity teams need to be able to detect, analyze, and react to indicators of compromise (IOCs) and anomalous behavior in their network. The broad deployment of IIoT devices provides numerous beachheads for attackers who can then quickly move laterally through a network. Network segmentation is, therefore, a critical component of OT cybersecurity strategies.
The 2019 Smart Factory Study conducted by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) found that over 12 months, 40% of the manufacturers surveyed had operations affected by a cyber incident. Of those affected, 87% suffered unauthorized access to infrastructure; 86% experienced operational disruptions; and 85% experienced intellectual property theft.
Source: Center for Strategic & International Studies: Significant Cyber Incidents
Manufacturers are attractive targets for both criminal and nation-state attackers. The June 2020 attack against automaker Honda is particularly interesting. As described in The New York Times, “ . . . the attack appears to have been carried out by software designed to attack the control systems for a wide variety of industrial facilities like factories and power plants. Such cyberweapons previously were only known to have been used by state agents.”
The attack temporarily halted production in Honda plants in North America, Brazil, India, and Turkey. The attack tool was suspected to be a new variant of ransomware (in the Ekans/Snake family) designed to disrupt industrial systems. It is unusual in that in addition to encrypting data files, Ekans also includes functionality designed to stop a number of processes related to ICS operations. Argentinian energy company Edesur S.A. was also attacked with Ekans in June 2020.
Manufacturing Cybersecurity Compliance Considerations
In the U.S., the manufacturing sector does not have overarching, mandatory cybersecurity regulations, but many manufacturers meet the official criteria for “critical infrastructure,” which does come under special scrutiny.
More often, regulatory oversight will depend on what a manufacturer makes or to whom it sells products. For example, medical device manufacturers would follow U.S. Food and Drug Administration (FDA) cybersecurity regulations, and DIB manufacturers would look to the U.S. Department of Defense (DoD). IoT device manufacturers, meanwhile, are facing a wave of new cyber regulations from multiple states, as local jurisdictions attempt to place cybersecurity requirements on what they see as a growing attack surface. Finally, the U.S. Securities and Exchange Commission (SEC) issued interpretive guidance in 2018 that outlined its expectations for corporate disclosure of cybersecurity risks by any public corporation, which it considers material information for investors.
Manufacturers in the U.S. should view recommendations for critical infrastructure providers as best practices. Cybersecurity regulation of critical infrastructure providers has been evolving since shortly after the 9/11 attacks. There have been numerous Executive Orders, particularly over the last decade, that have attempted to improve critical infrastructure cybersecurity.
Quick History of U.S. Regulations
These Executive Orders include Executive Order 13636: “Improving Critical Infrastructure Cybersecurity” (February 12, 2013); Executive Order 13800: “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” (May 11, 2017); and Executive Order 13873: “Securing the Information and Communications Technology and Services Supply Chain” (May 15, 2019).
In 2015, the Department of Homeland Security (DHS) released a Critical Manufacturing Sector-Specific Plan as an annex to the National Infrastructure Protection Plan. Cyberattacks were called out as a significant critical manufacturing sector risk. In the same year, DHS released “Critical Manufacturing Sector Cybersecurity Framework Implementation Guidance.” And in 2017, the National Institute of Standards and Technology (NIST) released its internal report titled “Cybersecurity Framework Manufacturing Profile” (NISTIR 8183). Regardless of whether a manufacturer technically falls under the DHS definition of “critical manufacturer,” these documents should be viewed as providing current best practice guidance for cybersecurity.
A Quick Look at the IoT Cybersecurity Improvement Act of 2020
European Union Activity
The European Union (EU) Directive on security of network and information systems (NIS Directive) entered into force in EU countries in 2016. The EU Cybersecurity Act became effective in 2019, strengthening the role of the EU Agency for cybersecurity (ENISA). The act created a permanent mandate for the agency, expanded powers, and widened its scope, including setting up a European cybersecurity certification framework. ENISA is particularly active with respect to Industry 4.0 and IIoT guidance. Two important ENISA documents are “Industry 4.0 Cybersecurity: Challenges & Recommendations” and “Good Practices for Security of Internet of Things in the Context of Smart Manufacturing.”
The NIST Cybersecurity Framework Manufacturing Profile
The NIST Cybersecurity Framework Manufacturing Profile provides a useful framework for protecting both IT and OT infrastructure. As the document notes, the “reliance on technology, communication, and interconnectivity of ICS [industrial control systems] and IT has changed and expanded the potential vulnerabilities and increased potential risk to manufacturing system operations.”
NIST takes a broad view of manufacturers, addressing the needs of process-based manufacturers (both continuous and batch) as well as the needs of discrete-based manufacturers. The Manufacturing Profile builds on the five concurrent and continuous functions at the core of the NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, and Recover.
The Manufacturing Profile is designed to support cybersecurity outcomes based on the business needs of each manufacturer, which are determined from selected framework categories and subcategories. The detailed subcategories are derived from the security controls of NIST Special Publication 800-53 (NIST SP 800-53). The Profile provides tailored values for cybersecurity controls for manufacturing infrastructure. Categories and subcategories are created “based on domain-specific relevance, business drivers, risk assessment, and the manufacturer’s priorities.”
Objectives and Functions
The manufacturing business objectives of maintaining human safety, environmental safety, quality of product, production goals, and trade secrets are aligned across functions, categories, and subcategories of cybersecurity objectives. In addition to these, security levels of Low, Medium, and High are used to prioritize implementation of the framework. Severity levels can be used to inform a maturity model but should not be confused with a substitute for a maturity model. The former is tactical, and the latter is strategic. The Profile should therefore not be viewed as a maturity model so much as a road map that is progressively more useful to organizations with higher levels of cybersecurity maturity.
For example, the “Asset Management” category and its “Asset Identification” subcategory fall under the framework’s “Identify” function. NIST classifies the automated detection of unauthorized hardware and firmware as a “high” impact task. Clearly, however, the task’s value is higher if it is part of a continuous process of well-documented asset discovery and management than if it is a one-off scan of OT assets.
One of the most important benefits of moving up the maturity curve is the ability to integrate with broader enterprise risk management solutions. There is currently a significant gap between the output of most cybersecurity risk management programs and the input that is required to effectively integrate cybersecurity into traditional enterprise risk management systems. NIST is attempting to address this issue, and in 2020 it released NISTIR 8286: “Integrating Cybersecurity and Enterprise Risk Management (ERM),” which provides a good overview of the issues and some potential solutions.
1. Train and qualify cybersecurity assessment team (CSAT)
2. Identify critical systems and critical digital assets
3. Develop cybersecurity defensive strategy
4. Implement cybersecurity defense-in-depth architecture
5. Establish cybersecurity program policies/procedures
6. Perform and document the cybersecurity assessment described in the cybersecurity plan
7. Implement security controls not requiring plant modification
8. Implement security controls requiring plant modification
Lessons Learned from Manufacturing Cybersecurity Incidents
The NSA and CISA recommend the following resources for help in understanding and evaluating cyber risk on “as-operated” OT assets:
- Vendor-specific cybersecurity and technical advisories (examples for technology and services).
- DHS – CISA Advisories (available at https://us-cert.cisa.gov/ics/advisories).
- MITRE Common Vulnerabilities and Exposures (CVE) for both IT and OT devices and for system software (available at https://cve.mitre.org).
- National Institute of Standards and Technology – National Vulnerability Database (available at https://nvd.nist.gov).
- Implement mitigations for each relevant known vulnerability, whenever possible, such as patches and offsetting security controls.
- Audit and identify all OT network services that are being used.
- Use vendor-provided programming and/or diagnostic tools and procedures.
- Implement a system monitoring program to enable system anomaly detection.
- Log and review all authorized external access connections for misuse or unusual activity.
- Monitor for any unauthorized controller change attempts.
- Implement integrity checks of controller process logic against a known good baseline.
- Where possible, disable remote program mode for process controllers while in operation.
- Lock or limit set points in control processes.
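Two of the recommendations above, checking controller logic against a known-good baseline and reviewing logs for unauthorized program-mode changes, can be turned into a small monitoring routine. The following is an added example written for this guide, not code from the guide or from NSA/CISA; the controller names, the log line format, the source addresses and the maintenance windows are all constructed placeholders, and a real deployment would read logic digests and logs from the vendor tooling named in the list.

```python
"""Integrity check of controller logic against a known-good baseline, plus review
of change-attempt logs. Added example; names, log format and addresses are constructed."""
import hashlib
import re
from datetime import datetime, timezone

# Constructed known-good logic per controller, captured right after a
# validated program download; in practice only the digests need to be stored.
KNOWN_GOOD_LOGIC = {
    "plc-01": b"MAIN: LD I0.0 AND I0.1 ST Q0.0",
    "plc-02": b"MAIN: LD I0.2 OR M0.1 ST Q0.1",
    "plc-03": b"MAIN: LD I0.4 ST Q0.2",
}
BASELINE = {n: hashlib.sha256(l).hexdigest() for n, l in KNOWN_GOOD_LOGIC.items()}

def check_logic_integrity(baseline, current_logic):
    """Compare each controller's current logic digest with the baseline.
    Returns (controller, finding) pairs; an empty list means everything matches."""
    findings = []
    for name, logic in current_logic.items():
        digest = hashlib.sha256(logic).hexdigest()
        if name not in baseline:
            findings.append((name, "controller has no known-good baseline"))
        elif digest != baseline[name]:
            findings.append((name, "logic differs from known-good baseline"))
    for name in baseline:
        if name not in current_logic:  # a silent controller is also a finding
            findings.append((name, "controller did not report its logic"))
    return findings

# Constructed log format: ISO-8601 UTC timestamp, controller, event, user, source.
LOG_RE = re.compile(r"^(\S+) (\S+) event=(\S+) user=(\S+) src=(\S+)$")
CHANGE_EVENTS = {"MODE_PROGRAM", "LOGIC_DOWNLOAD"}

def review_change_attempts(log_lines, approved_sources, maintenance_windows):
    """Flag program-mode changes and logic downloads that come from an unapproved
    source address or fall outside an approved maintenance window.
    maintenance_windows holds (controller, start, end) tuples in UTC."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            alerts.append(("unparsed", line))  # never silently drop a log line
            continue
        ts, ctrl, event, user, src = m.groups()
        if event not in CHANGE_EVENTS:
            continue
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        in_window = any(c == ctrl and start <= when <= end
                        for c, start, end in maintenance_windows)
        if src not in approved_sources:
            alerts.append((ctrl, f"{event} by {user} from unapproved source {src}"))
        elif not in_window:
            alerts.append((ctrl, f"{event} by {user} outside maintenance window"))
    return alerts

# Constructed sample inputs: plc-02 gained an extra output coil, plc-03 is silent.
CURRENT_LOGIC = dict(KNOWN_GOOD_LOGIC)
CURRENT_LOGIC["plc-02"] = b"MAIN: LD I0.2 OR M0.1 ST Q0.1 ST Q0.3"
del CURRENT_LOGIC["plc-03"]
SAMPLE_LOG = [
    "2020-06-08T02:10:00Z plc-01 event=MODE_PROGRAM user=maint01 src=10.1.5.20",
    "2020-06-08T02:12:30Z plc-01 event=LOGIC_DOWNLOAD user=maint01 src=10.1.5.20",
    "2020-06-08T13:41:07Z plc-02 event=LOGIC_DOWNLOAD user=svc_hmi src=10.1.9.77",
    "2020-06-08T14:05:00Z plc-01 event=MODE_RUN user=maint01 src=10.1.5.20",
    "2020-06-08T23:58:12Z plc-02 event=MODE_PROGRAM user=maint01 src=10.1.5.20",
]
APPROVED_SOURCES = {"10.1.5.20"}  # the single approved engineering workstation
WINDOWS = [("plc-01", datetime(2020, 6, 8, 2, tzinfo=timezone.utc),
            datetime(2020, 6, 8, 4, tzinfo=timezone.utc))]

if __name__ == "__main__":
    for ctrl, msg in check_logic_integrity(BASELINE, CURRENT_LOGIC):
        print(f"INTEGRITY {ctrl}: {msg}")
    for ctrl, msg in review_change_attempts(SAMPLE_LOG, APPROVED_SOURCES, WINDOWS):
        print(f"CHANGE    {ctrl}: {msg}")
```

Run against the constructed inputs, the integrity check reports the modified plc-02 logic and the silent plc-03, and the log review flags the download from the unapproved HMI address and the late-night program-mode change on plc-02 while passing the in-window maintenance on plc-01.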
The good news for critical manufacturers is that there is a large and growing set of resources designed to improve cybersecurity in this sector. Manufacturers globally should expect more cybersecurity oversight as Industry 4.0 technologies increasingly become commonplace and expand traditional attack surfaces. It is critical that manufacturers remain engaged with public and private organizations that are driving cybersecurity regulation and determining best practices in this sector. The expectation should be that additional regulation is coming, but it is likely to continue to be applied piecemeal, particularly in the United States.
Manufacturers should focus on creating a specific OT cybersecurity plan, integrating OT and IT cybersecurity efforts as much as possible, and bundling OT cybersecurity more fully into broader enterprise risk management strategies. Business considerations are driving a wholesale revolution in manufacturing technology deployment, and OT cybersecurity strategy needs to be viewed as a foundational core competency within manufacturing organizations.
- Critical Manufacturing Sector Cybersecurity Framework Implementation Guide
- Critical Manufacturing Sector Security Guide
- Critical Infrastructure Vulnerability Assessments
- EU Cybersecurity Certification Framework
- ENISA Good Practices for Security of Internet of Things in the context of Smart Manufacturing
- ENISA Industry 4.0 Cybersecurity: Challenges & Recommendations
- Industry 4.0 A New Definition of Manufacturing?
- NIST Cybersecurity Framework
- NIST Integrating Cybersecurity and Enterprise Risk Management (ERM)
- NIST Manufacturing Profile
- NIST MEP Cybersecurity Self-Assessment Handbook
- NIST MEP Manufacturers Guide to Cybersecurity for Small and Medium-Sized Manufacturers
- NSA and CISA Cybersecurity Advisory Reduce Exposure Across all Operational Technologies and Control Systems
- Managing a Cyber Attack on Critical Infrastructure
- Reference Architecture Model for Industry 4.0 (RAMI4.0)
- U.S. Critical Manufacturing Sector-Specific Plan – 2015
- U.S. DoD Maturity Model
- U.S. Federal Communications Commission (FCC) Cybersecurity Guide
- U.S. Nuclear Regulatory Commission Template for Cybersecurity Plan Implementation Schedule