of the factory,” he says. “Many
of these companies haven’t even
put their payroll on a computer,
let alone started thinking about
cybersecurity.”
It gets worse, too: “I have
spoken to some very large
providers of digital technologies,
who provide automation for large
factories,” continues Phipson.
“One of them had several
million internet-connected
devices deployed into factories.
When they did a survey of their
customers, they found that 95%
of them still had the default
passwords set on them. People
simply hadn’t realised that their
machines were connected to the
internet and provided a route for
hackers to get into their systems.
It’s vital that people are aware
that yes, you may have got your
financial system protected, but
your CNC machine isn’t.”
Spotting the weak points
For those manufacturers for
whom cybersecurity has been
an afterthought, knowing how
to identify weak points can
be something of a challenge.
However, warns Eaton’s Agostin,
it’s vital to understand where
your weaknesses lie. “A chain
is only as strong as its weakest
link; similarly, a network is only
as secure as its weakest node,”
he says. “A typical process
plant environment includes
equipment and control systems
from multiple vendors and a
variety of third-party packages
and remote support networks.
These disparate systems may
be connected over building
and plant-wide networks
running a variety of industrial
fieldbus protocols, or even over
international networks via phone
lines and internet connections.
“It’s difficult to identify the
nature and source of a security
threat (see image, p24). They
can range from the unwitting
insertion of an infected peripheral
to deliberate sabotage by a third
party, such as the infamous
Stuxnet virus that was discovered
in 2010, or the Shamoon malware
infection at Saudi Aramco. Unlike
Stuxnet, which was designed to
destroy industrial centrifuges,
Shamoon was all about the
annihilation of data.”
Make UK offers cost-effective cyber protection
For many, effective cybersecurity is seen as a large – and expensive – undertaking. This
is why Make UK has signed an agreement with cybersecurity specialists, Assured Cyber
Protection (ACP) to provide low-cost security training to manufacturers. “We surveyed
our members, and discovered that for 70%, cost was prohibitive when it comes to
implementing cybersecurity,” says Phipson. “ACP is a company that has products and
services that can be deployed at low cost to many, many small businesses.” Find out
more at https://bit.ly/3eQ8bK4
Beware the unwitting threat
The examples mentioned above
were both intentional attempts
at disruption by third parties.
Indeed, the most common
perception of a cyberattack is one
that comes from outside, from a
malicious party. It may surprise
you to know, therefore, that in
reality just 20% of cyber breaches
come from intentional attacks,
according to the RISI database,
a repository of industrial
cyberattacks from across the
world. “The 80% of unintentional
incidents are caused by factors
including malware infection,
software flaws and human
MAY/JUNE 2020 CYBERSECURITY
error,” says Agostin. “Of the 20% of incidents that
are classed as intentional, half of them are caused
internally (for example by a disgruntled employee),
the other half remotely.”
This issue has been exacerbated by the lockdown,
says Phipson. “With people working from home
during lockdown on either a work laptop or their
own laptop, they aren’t going to have the same level
of security that the desktop computer in the office
is going to have. We’ve all just rushed into working
from home without necessarily being given training
on how to stay cyber secure. Cyber awareness is now
even more important than ever before.”
As the physical threat of the virus subsides
over the weeks and months to come, and the
world returns to a new reality, it will be more
important than ever to remember the hidden threat
posed by cyberattack.
Practical tips manufacturers can take
Mo Cashman, principal engineer at McAfee, explains how a shared approach is the best way to stay secure
Elect a governance committee. Creating a committee that includes individuals across IT, OT and
the supply chain is vital. It can remove silos and provide a consolidated view of risk across the business.
Conduct regular audits. Running audits across both IT and OT is key to ensuring visibility across
systems, as well as opening doors to question processes and systems. What systems are out there?
Who are the suppliers? What SLAs/security contracts are in place? Through these audits, teams can
identify risks, kick-start contractual discussions with suppliers and agree the process to mitigate
vulnerabilities before they occur.
Start with monitoring. Increasing overall levels of monitoring will provide greater visibility. This
monitoring should go hand-in-hand with implementing threat detection capabilities and the response
plans that go with them. Ultimately, response times can be reduced if IT and OT teams understand their
roles and responsibility in the process.
Assess the overall security architecture. Fostering a more holistic view of the current enterprise
set-up and how this maps with existing security standards is crucial. If IT and OT teams use different
models to meet different criteria, manufacturers should aim to bring these models together into one
consolidated enterprise view of cyber risk.
Create a security awareness programme. By implementing a security awareness and readiness
programme, organisations can ensure that all teams are educated on security procedures and are
actively involved in maintaining them. This programme should include everyone from end users to
OT engineers, and all the way up to executive level, in order to ensure that all areas of the
manufacturing process are covered.
www.manufacturingmanagement.co.uk 25