Author: Phil Muncaster
The manufacturing sector is one of the driving forces behind the economy, contributing almost 12% of U.S. gross domestic product. And it's embracing emerging technologies like 5G, the Internet of Things (IoT) and edge computing to drive productivity and efficiency—the market for this smart factory technology is predicted to exceed $228 billion by 2027, a compound annual growth rate of 18.5% from 2022, according to MarketsandMarkets. Yet as with any new technology investment, cyber threat exposure must be considered. Capgemini Research Institute found that 79% of global organizations feel their cyber risk is higher in a smart factory than in a traditional manufacturing setting.¹
Unfortunately, understanding there's a problem and doing something about it are often two different things. Capgemini highlighted persistent challenges in the sector with early threat detection, security budgets and engagement with chief security officers (CSOs). To ensure your organization maximizes the opportunities smart technologies present, security should be considered at the start of every implementation.
The smart factory cyber threat environment
Few factories feature only next-gen technologies. Instead, the majority incorporate a blend of old and new, including potentially decades-old industrial control systems, supervisory control and data acquisition equipment, and other operational technology (OT). These legacy technologies are an attractive target for threat actors. Employees can also pose a security risk. According to the Verizon 2022 Data Breach Investigations Report (DBIR), the manufacturing industry is a "lucrative target," particularly for espionage. Here are some of the top smart factory security risks to watch out for.
OT vulnerabilities
The manufacturing sector was the most attacked in 2021, accounting for 26% of attempted compromises largely due to its use of OT, according to Forescout.² As legacy equipment is fitted with connectivity and integrated into IT systems, it subsequently becomes a potential target for remote attackers, unless air-gapped from the public-facing internet. About 59% of manufacturers agree they need to upgrade legacy equipment to better secure themselves from cyber attacks.
The challenge here is that many such products can be insecure by design because they lack the necessary security controls to help reduce the risk of cyber breaches. For example, one study from Forescout found 56 vulnerabilities in software from 10 vendors, including some of the most popular producers of OT.³ These ranged from remote code execution to insecure firmware updates, weak cryptography and insecure engineering protocols. Vendors can be slow to update their software, and once available, factory owners may find it difficult to take critical systems offline to test patches.
IoT device issues
More modern endpoints may also lack firmware updates and rely on password-based authentication that is easy to guess or crack. If not properly isolated or protected, IoT devices can be used to gain a foothold in corporate networks.
Asset visibility
Factory owners may also struggle to name all the OT endpoints in their environment because they can't afford the downtime needed to run full system scans. As the saying goes: You can't protect what you can't see. That may partly explain why vulnerability exploitation was the top infection vector at 52% of ransomware incidents in 2022.
User error
Phishing is another major attack vector that cyber attackers use. This is unsurprising: Users remain a top target for attackers and as long as static credentials for IT and OT systems remain in circulation, malicious actors will be motivated to steal them through social engineering.
Supply chains
Manufacturing organizations are a critical element of global supply chains, but they also have their own complex ecosystem of suppliers. Unfortunately, these can unwittingly increase manufacturing cyber security risk. Over half (51%) of global CSOs believe smart factory security threats primarily originate from partners and vendors. In particular, they may be using "non-standard" smart factory processes to repair or update OT and Industrial Internet of Things (IIoT) systems—something 77% of CSOs are concerned about.⁴
The main smart factory security threats
Unsurprisingly, threat actors are taking advantage of these security blind spots to steal data, monetize extortion and disrupt manufacturing operations. The Verizon 2022 DBIR ranks the sector fifth in terms of the number of incidents and breaches analyzed. Most breaches were down to external actors (88%) and were motivated by financial gain (88%) or espionage (11%).
Basic web application attacks and system intrusions, as well as complex attacks using malware and/or hacking, are on the rise and occur frequently in this sector, the report found. Along with social engineering, they comprise 88% of breaches in manufacturing. The study found the top action types in manufacturing breaches are:
- Stolen credentials (39%)
- Ransomware (24%)
- Phishing (11%)
This aligns broadly with the threat actor motivations of data theft and extortion. It also aligns with common security deficiencies like poor user awareness, vulnerable technology and visibility gaps.
The potential impact of smart factory attacks
A cyber attack on your organization can cause significant financial and reputational damage, such as:
- Disruption to production lines
- Potential physical safety risks to staff if OT is sabotaged
- Loss of competitive advantage due to IP data theft
- Significant reputational damage from regulatory action and negative publicity
How better smart factory security can mitigate risk
Capgemini explains that its work with manufacturing firms has highlighted the difference between those with a mature cyber security posture and the rest.⁵ The leaders in this regard focus on several fronts to deliver awareness, preparedness and implementation of security controls. This might involve:
- Performing a risk-based analysis of attack scenarios to assess the business's preparedness to deal with them. This would be built on careful asset discovery, inventory and tracking to deliver a clear picture of what IT and OT components the organization is running and where.
- Building awareness of cyber threats across the smart factory. This should come from the top down. Boardrooms must understand the scale of the threat and lack of preparedness to release funding for initiatives. Security leaders must have the tools to know where this money should be directed and how security can be enhanced day to day.
- Identifying cyber risk ownership in the smart factory environment. This will make for a more coordinated approach and ensure risks are recognized earlier.
- Establishing frameworks for smart factory security, such as governance programs that align with international protocols and frameworks. This will ensure organizations follow industry best practices, such as prompt patching.
- Incorporating cyber security resources for smart factories, including dedicated security operations specialists specifically focused on threats to these unique environments.
- Establishing a robust framework for communicating with IT, which allows decisions to be made at a local level where teams are closest to the action but also mandates regular updates to the enterprise IT function.
In terms of specific security controls, manufacturers could consider:
- Implementing a Zero Trust Strategy.
- Enhancing user awareness of cyber threats across the organization with improved training programs.
- Building resilience through vulnerability testing and risk-based patching of critical assets.
- Researching alternative measures, such as network segmentation and monitoring, where traditional patching isn't possible.
- Implementing IoT security credentialing to establish trust across the IIoT environment.
- Deploying managed detection and response to spot and contain threats before they escalate.
The author of this content is a paid contributor for Verizon.
1 Capgemini Research Institute, Smart & Secure: Why Smart Factories Need to Prioritize Cybersecurity, page 2.
2 Forescout, OT:Icefall, page 3.
3 Forescout, OT:Icefall, page 3.
4 Capgemini Research Institute, page 29.
5 Capgemini Research Institute, page 4.