How to automate critical functions safely without increasing cyber risk
The success of your manufacturing operations – from production to packaging to shipping and supply chains – depends on the seamless operation of your mission-critical infrastructure and operational technology (OT), including your marking and coding solutions. With cloud computing and IoT/IIoT now in regular use as part of digital transformation initiatives under the umbrella of Industry 4.0, the manufacturing industry has emerged as the most vulnerable to attacks on networked infrastructure, according to the Netwrix 2022 Cloud Data Security Report.
In the rush to transform and modernize production lines, have manufacturers gone too far too quickly, at the risk of increasing their exposure to cyberattacks? With more than half of manufacturing companies having experienced an attack on their cloud-connected networks and systems in the past year alone, sadly, that appears to be the case. But with a more measured approach, it doesn’t have to be that way.
Protect mission-critical infrastructure first and foremost!
If, as a society, we’ve learned anything from the recent supply chain challenges of COVID-19 and the war in Ukraine, it’s that manufacturing, packaging and shipping of goods truly is mission-critical for the global economy as well as every individual consumer. In this context, it is important to consider risk exposure vs. benefit to keep production lines running – even if the broader organization has been hit with a cyber-attack of some sort. Critical to these decisions is having a better understanding of how to safeguard critical OT and industrial control systems (ICS) while still reaping the benefits of highly networked technologies.
A big reason why manufacturing is so vulnerable to cyber criminals links back to the inherent timescale difference between manufacturing and the breakneck speed of technological advancements. For the most part, OT was designed to operate with limited connectivity to other machines in a closed network – largely walled off from outside access. Now that the “air-gap” between the corporate network and the manufacturing floor has been removed in the headlong rush toward Industry 4.0, OT represents an easy high-value target for cyber criminals. This means every manufacturer must carefully consider where, when and how the efficiencies promised by digital transformation and Industry 4.0 – including marking and coding operations – can be realized most effectively without placing critical manufacturing systems at risk.
How real are the cybersecurity risks for manufacturing?
According to Future Market Insights’ Industrial Cybersecurity Market Outlook (2022-2032):
“Cyberattacks are growing more common in supply chains, the healthcare industry, and the manufacturing sectors…To carry out their core operations, the majority of firms around the world have chosen cloud-based and connection equipment. This shift has put significant strain on cybersecurity operations, as well as raised the risk of cyberattacks.”
Governments and industry groups around the world are taking these risks very seriously. According to NIST:
“These new [Industry 4.0] technologies will serve to advance manufacturing, but they also introduce risk. Company-sensitive data may be streamed across a network of small, power-sensitive and deeply embedded devices, which is a completely different threat landscape than the PC-based approach most SMMs use today…Before implementing new technologies, a cyber risk assessment should be performed to provide a full understanding of the company’s cybersecurity needs and capabilities.”
The Cybersecurity and Infrastructure Security Agency (CISA.gov) advises the following related to industrial control systems and OT:
“As ICS owners and operators adopt new technologies to improve operational efficiencies, they should be aware of the additional cybersecurity risk of connecting operational technology (OT) to enterprise information technology (IT) systems and Internet of Things (IoT) devices.”
CISA has also published a useful infographic outlining Recommended Cybersecurity Practices for Industrial Control Systems. Specifically, two of the areas it highlights are “Boundary Protection” and “Principle of Least Functionality,” outlined in more detail below.
Boundary Protection: The idea of boundary protection relates to the ever-expanding number of OT cyberattack surfaces. Because systems are connected to other systems, the entire network is only as secure as the least secure device on it. The more connected systems you have, and the weaker the guardrails between your OT and enterprise systems, the higher your risk of unauthorized activity in mission-critical systems.
Let’s explore the scary part for a moment. An injection of malware, ransomware or other cyberattack could bring your entire production and shipping operations to a full stop. On average, organizations pay $1,197 per employee yearly to address cyber incidents across email, cloud collaboration apps or services and web browsers, according to new research. This means a 500-employee company can expect to spend $600,000 annually just to address cybersecurity incidents, without factoring in additional costs.
In addition to the cost of cleaning up cyber breaches or ransomware attacks, there’s the significant risk of theft of your intellectual property. Other impacts for manufacturers and packagers could include loss of visibility over your production and safety systems – putting health and safety of employees at risk – and potential damage to equipment that requires costly repairs. Longer-term, and often less considered, are the potential costs of unplanned labor to solve the resulting problems, overtime, idle equipment costs and even increased or denied insurance. And if the production shutdown impacts your supply chain in any way (how could it not?) then you may also be at risk for fees from partners and retailers or lawsuits for non-compliance – not to mention the bad publicity and potential loss of customers the longer a hacker holds your systems hostage.
How can you make the most of Industry 4.0 while limiting cyber exposure?
Here is where it is wise to embrace the value of “abundance of caution.” That is, taking a measured approach that takes advantage of cloud technologies in ways that enhance your visibility into operations, streamline processes and/or enhance your customer service – but always with an eye toward cost-benefit while keeping your operations secure.
There are many levels of risk and myriad solutions to help you mitigate them, but if experience is a guide, it’s unlikely you will be able to completely shut down all cyber risk. There are also published guidelines on how to make sure your OT architecture is resilient against cyberattacks, such as the UK National Cyber Security Centre’s (NCSC) Secure Design Principles and Operational Technology. If you use robust ERP software, like SAP for example, those systems are subject to ongoing security updates and maintenance to ensure that your critical systems are better protected from vulnerabilities. But what about those weaker boundaries and other control systems that integrate with the cloud or the corporate network as part of automation initiatives? Remember, you’re only as safe as your weakest link.
Principle of Least Functionality: One way to take a measured approach is to consider the Principle of Least Functionality, as outlined by CISA. Georgetown University’s Information Security Services describe this concept well:
“The principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system.”
For any organization, particularly manufacturing companies that use a variety of technologies to manage various aspects of the production process, restricting which functions are connected to the internet reduces the number of potential vectors for malicious parties to access their critical systems.
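One way to check a host against the principle of least functionality is to compare what it is actually listening on with what it is supposed to offer. The following is an added example, not taken from CISA or from any vendor: the allowlist, the function names and the `ss -tuln` output are constructed for illustration.

```python
import ipaddress

# Hypothetical allowlist for one OT host: (protocol, port) pairs it needs to offer
ALLOWED = {("tcp", 22), ("tcp", 502)}

# Constructed sample of `ss -tuln` output (numeric, listening TCP/UDP sockets)
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:502        0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:23         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080          [::]:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
"""

def is_loopback(addr):
    """True when the bind address is only reachable from the host itself."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface suffix
    if addr == "*":                         # wildcard bind, reachable from the network
        return False
    return ipaddress.ip_address(addr).is_loopback

def audit_listeners(ss_text, allowed):
    """Return every listener whose (protocol, port) is not on the allowlist."""
    findings = []
    for line in ss_text.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or (proto, int(port)) in allowed:
            continue
        findings.append({"proto": proto, "addr": addr, "port": int(port),
                         "exposed": not is_loopback(addr)})
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWED):
        print(finding)
```

Listeners flagged with `exposed` set to true are reachable from the network; the loopback-only ones are still non-essential services worth reviewing, but they are not part of the network boundary.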
As you evaluate adding cloud-connected IoT/IIoT to your OT systems, make sure your evaluation goes beyond the “cool factor” to equally consider the potential risks to your operations. Is this an essential function? Will connecting this system to the cloud deliver significant enough benefits to justify the risks? Dig deeper to make sure your vendors have proven security such as encryption and two-factor authentication in place. And don’t just do cloud for cloud’s sake – you’re meticulous about every other aspect of your manufacturing operations, so it’s just as important to be meticulous about your cyber-security.
At Matthews Marking Systems, we work closely with customers to implement marking and coding automation solutions that integrate with IT and cloud-based systems without increasing cybersecurity risks. For example, our MPERIA platform offers an integration technique called netFolder that provides a secure and powerful way for a print controller to communicate with your enterprise system without the need for risky integrations, specialized servers, software, middleware or hardware, or direct connection to the internet. It works by reading messages and other information that the ERP or other systems place in a centralized folder that MPERIA can access. There simply is no chance for injection of malware or other attacks, allowing organizations to keep the air gap between OT/ICS and IT.
Using this integration approach, MPERIA can work natively with virtually any cloud-based or enterprise system. You can update messaging to all printheads from the enterprise level and even update messaging on multiple lines from a single location. This keeps your data secure while reducing coding errors. And it securely provides your cloud/ERP and other firewalled systems with data, providing full visibility from product to pallet. Implementing integration strategies along these lines across your operation can go a long way toward improving cyber resilience while still moving your Industry 4.0 efforts forward.
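With a folder-based exchange like the one described above, the shared folder is the only interface between IT and OT, so the reading side should treat every file in it as untrusted input. The sketch below is an added example and is not MPERIA or netFolder code: the JSON message format, field names, size limit and file names are all hypothetical.

```python
import json
import os
import re
import tempfile

MAX_BYTES = 4096  # assumed upper bound for one message file
FIELDS = {  # hypothetical schema, not the MPERIA/netFolder format
    "line": re.compile(r"LINE-\d{2}"),
    "text": re.compile(r"[A-Za-z0-9 ./:-]{1,64}"),
}

def parse_message(raw):
    """Return the validated message dict or raise ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("file too large")
    msg = json.loads(raw.decode("utf-8"))
    if not isinstance(msg, dict) or set(msg) != set(FIELDS):
        raise ValueError("unexpected fields")
    for key, pattern in FIELDS.items():
        if not isinstance(msg[key], str) or not pattern.fullmatch(msg[key]):
            raise ValueError(f"{key}: value outside allowlist")
    return msg

def read_drop_folder(folder):
    """Split the folder's entries into accepted messages and rejected names."""
    accepted, rejected = [], []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        try:
            if not name.endswith(".json") or os.path.islink(path) or not os.path.isfile(path):
                raise ValueError("not a regular .json file")
            with open(path, "rb") as fh:
                accepted.append(parse_message(fh.read(MAX_BYTES + 1)))
        except (ValueError, OSError) as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected

def demo():
    samples = {  # constructed sample files for the drop folder
        "a_ok.json": b'{"line": "LINE-03", "text": "LOT 2291 EXP 2025-11"}',
        "b_extra.json": b'{"line": "LINE-03", "text": "X", "cmd": "reboot"}',
        "c_chars.json": b'{"line": "LINE-03", "text": "<script>"}',
        "d_tool.exe": b"MZ",
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return read_drop_folder(folder)
```

Only the first constructed file is accepted; the file with an extra field, the one with characters outside the allowlist and the non-message file are rejected without their content being acted on.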
We look forward to the day when the “stand out” statistics for the manufacturing industry have nothing to do with problems like vulnerability to cyber-attacks. Using innovative integration approaches, there are ways to take advantage of the efficiency and automation advantages of Industry 4.0 today, while ensuring that safety is a top concern as manufacturing companies connect their OT to the cloud.