Industry 4.0 offers great promise, but with this promise comes risk. A host of cybersecurity vulnerabilities require careful attention.
In this series, we have explained the Industry 4.0 transformation and highlighted the opportunity to harness innovative technologies that weave together physical and digital worlds across disciplines, industries, and economies. Those who effectively harness Industry 4.0 have the power to connect to potentially billions of people and endless resources virtually, vastly improving efficiency along the way.
There is a clear business case for applying our approach to the production environment. Integrating IoT-enabled assets—including data technologies, the cloud, advanced computers, robotics, and people—increases the speed, reliability, and flow of information between all systems of a manufacturer. For instance, estimates from the United Nations suggest an increase in production line availability by 5% to 15%.
Industry 4.0 incorporates numerous technologies that introduce cybersecurity vulnerabilities. These technologies include:
As evidenced by the list, Industry 4.0 connects previously isolated systems from the outside world. Every connected device represents a potential risk regardless of the environment it is utilized in. Whenever systems are digitized, digitalized, and made more intelligent via technology, insufficient safeguards will expose the entire enterprise to the threat of stolen intellectual property equipment commandeered by saboteurs, the introduction of ransomware, and personal/corporate identity theft.
When done well, cybersecurity technology protects digital systems from internal and external attack vectors. Modern applications that employ innovations such as blockchain or artificial intelligence can guard new technologies such as industrial IoT devices.
Manufacturing carries its own set of unique vulnerabilities. Think, for instance, of the complexity that is inherent in Cyber-Physical Production Systems (CPPS) and Industrial Control Systems (ICS) and look at that complexity through the lens of the critical role that a CPPS or an ICS plays in a company. This combination makes these systems particularly susceptible to cyberattacks.
Also consider that, as of 2021, there is a ransomware attack every 11 seconds and estimated damage can cost about $20 billion, up from 39 seconds and $11.5 billion in 2019.
Another major challenge: organizational alignment within IT and OT typically resides in different organizations. These organizations have different budget allocation and project priority. Alignment and coordination become a challenge.
“Information technology” (IT) is the use of computers to store, retrieve, transmit, and manipulate data or information. IT is typically used within the context of corporate operations as opposed to personal or entertainment technologies. IT is considered a subset of information and communications technology.
“Operational technology” (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, its assets, processes, and events and is typically a business/operations focus area.
Specific Activities or Conditions Creating Additional Risk
- Deployments in many organizations involve IT and OT groups—groups that traditionally have not worked together on deployments before and have different perspectives on IoT. IT is concerned with protecting enterprise data, while OT is focused on the production side of the business. Before deployment, procurement of these advanced technologies is owned by IT or OT users separately based on where the budget is allocated.
- Upgrades are often installed piecemeal since the systems are very complex and can involve multiple vendors and internal groups.
- Manufacturing has minimal regulated compliance standards compared to other sectors, so software codes may not have the same security rigor as those codes used on aircraft.
- Visibility is poor across separate systems and isolated environments. Unauthorized users are not detectable.
- Security in the past was not a priority due to the offline nature and isolation of the OT equipment from the outside. OT is typically highly customized and proprietary as a company’s trade secret. When it is offline, there is almost no cybersecurity concern. When it is online, the risk of cyber-attack is usually unknown to operations team as there is no history or talent to figure that out.
- Low employee awareness and accidental leaks are a source unintentional IP loss.
- Lack of employee training leads to misuse of smart systems and creates unexpected equipment downtime. Training for IT and OT teams require a different software and hardware knowledge base and skills to manage their various operations.
Create an Action Plan
A plan, commonly called System Security Plan, should be in place before there is a breach, so that protective measures that can safeguard data and equipment --including their IoT systems – are readily deployed.
Start by weighing the broad risks. How susceptible is the company to phishing schemes, ransomware, or internal breaches?
Remember, there is a lack of preparation throughout the manufacturing sector as the industry uses systems that were never intended to relate to the outside world. And, manufacturing supply chains are long, with many interconnected companies that can represent points of failures. Hackers can access systems by using names of management employees they can impersonate. Fragmented systems across different departments make it difficult to apply a single security framework to detect wrongdoing, whether it be equipment sabotage, IP theft, or another type of breach.
Next, identify specific cybersecurity vulnerabilities. Risks come in all types of shapes and sizes.
For instance, installation of an IoT system can create four primary portals where breaches can gain a foothold. First, smart sensors and actuators that allow the IoT to operate in an autonomous fashion can be manipulated to gain access to the IoT network. A second vulnerability is the communication systems that allow IoT devices to talk to one another. Another potential portal is the computer platform used to store and manage the data. Finally, the software that interprets the data for actionable insights is yet another risk.
Behaviors and policies that can increase the threat level include:
- Failure to inform employees of threats
- Insufficiently secured equipment (both virtually and physically)
- Missing software and security patches
- Bring Your Own Device (BYOD) policies
- Lack of a corporate security program (Traditionally focused on IT managed systems)
- Not addressing disgruntled employees (access from both past and present)
Be proactive. Protecting against external malicious actors or other cybersecurity breaches is critical, but incomplete if a company erects or maintains barriers to digital transformation.
Making cybersecurity an “IT problem” rather than a corporate and financial planning responsibility is a mistake. To fully integrate cybersecurity in the Manufacturing 4.0 environment, organizational silos must be broken down and an investment into the skills and talent to manage complex Industry 4.0 structures across the business is needed.
Companies need to place security high in the priority lists for capital expenditure. Digital infrastructure, for instance, needs thoughtful but significant investment.
Finally, one of the greatest ways to protect the enterprise is to inform everyone about the breadth, potential and risks that come with this new era. A lack of knowledge of how digitalization can help the business can be a fierce enemy of success.