Manufacturing under attack: The five steps to cyber security in manufacturing

Nearly half of British manufacturers suffered cyber-attacks last year, according to a survey by Make UK. And a quarter of those companies reported losses ranging from £50,000 to £250,000.

But a financial hit was only part of the story. The research found that 65% experienced production downtime and 43% took a knock to their reputations.

Earlier this year, for example, a cyber-attack cost Morgan Advanced Materials up to £12m to tackle. Systems had to be switched to manual, there were delays in restarting production and shipping and some of the company’s IT systems were irreparable.

Engineering company Vesuvius, which produces ceramics for steelmaking, had to call in cyber security experts and shut down processes after unauthorised access to their systems. Their shares fell 3.8%.

Ironically, while nearly 95% of survey respondents said cyber security measures were necessary for their company, 54% had taken no action, even if they’d adopted new production-boosting technologies.

Many small and medium-sized enterprises (SMEs) assume cyber-criminals are interested only in major companies. But they are also at risk. In fact, smaller companies can be easier pickings for criminals, with vulnerable connections along the supply chain often used as a route to bigger players or wider attacks. Even when they do recognise this threat, SMEs may not have the immediate budget or time to invest in security. So, it’s understandable that some companies concerned about cyber-crime take an ultimately damaging tack when it comes to reducing the risk. A third of respondents in the Make UK survey had decided against smart technologies for fear of cyber-crime – a decision that could ultimately stunt their productivity and growth.

If we skip ahead 10 years, we predict that advanced technology will be so much a part of how we make things that ‘digital’ will go without saying. In the here and now, digital technologies help manufacturers cut waste and cost, produce innovative new products and remain competitive in global markets. So, it’s important to embrace digital manufacturing and get your cyber security right, right now.

Your guide to cyber security

In a bid to help SMEs get cyber security right, we produced the Cyber Security Risk Assessment for Advanced Manufacturing, a practical guide for manufacturers looking for advice on analysing and mitigating their risk. The guide sets out five steps to keep systems and production operating securely.

For those with little or no knowledge of cyber security, it’s a starting point from which you can consider threats to your company and assess whether those threats can be tackled in-house or need external expertise.

For companies already experienced in cyber security, the guide is a checklist for ensuring you’ve covered all bases, and for considering the implications of introducing new systems or processes.

Step 1:  Understand your manufacturing systems

The first step is to identify which of your systems and parts of those systems to assess, along with the points at which they can be accessed.

The aim is a map of the ‘attack surface’ – the set of interfacing points between a user and a piece of software or hardware that an attacker could use to access or compromise an asset.

It includes anything that could go wrong with devices, network infrastructure, apps, endpoints, Internet of Things, cloud computing and supply chains.

Assets within a system could include:

• Hardware, such as servers, network equipment, workstations and mobile devices
• Bought or bespoke software
• Information or data in any format – physical and digital
• Services provided to end-users, such as database systems and e-mail
• Locations and buildings
• Employees, temporary staff, contractors, trainees, volunteers and staff who are leaving

The system owner should identify existing cyber security procedures, then each asset owner should list them from least to most vulnerable to create a security rating.

Step 2: Identify your cyber security threats

A cyber security threat is any circumstance that could have an impact on your operations, assets, employees, reputation or partner organisations. It could be through unauthorised access, destruction, disclosure or modification of information, or denial of service.

Cyber security threats range from simple employee error through to complex attacks. In 2022, the top three cyber security vulnerabilities were legacy IT (45%), a lack of cyber-skills in the company (38%), and providing access to third parties for monitoring and maintenance (33%).1

The threat source could be a person, action or situation that either accidentally triggers or intentionally exploits vulnerability. These can include hostile cyber or physical attacks, human error, a structural failure of your hardware, software or environmental controls, natural and man-made disasters, accidents, and failures beyond your control.

• Confidentiality – Attackers can access, manipulate or steal data about industrial processes, intellectual property, and corporate or product information. They can do this by analysing network traffic, injecting code to steal security credentials or corrupting control measurements.
• Integrity – Sabotage can alter or delay network traffic or industrial communication protocols. Such vulnerabilities can attract advanced persistent threats, where attackers infiltrate a network for as long as possible, while modifying the system’s function, collecting data or gaining access to more devices.
• Availability – Attackers can make a system unavailable by overloading it, either through the machinery or network access. A distributed denial of service (DDoS) is a common attack that either floods the bandwidth with requests, passes malformed data to crash a process, or uses a virus to destroy or disable a sensor.
• Authentication – Attackers often use phishing or spam email that, if acted on, can give them access to strategic information, protected data or other physical and digital resources.

Step 3: Identify your cyber security vulnerabilities

Most system vulnerabilities tend to be around security controls that have weaknesses or haven’t been applied. A smart manufacturing system may have vulnerabilities because of the complexity of connections between the equipment within a system, remote access to them or issues with software, hardware and networks. Whilst great at improving business performance, adding in new equipment or processes can add in new vulnerabilities to your production. So, there’s a need for continual monitoring and risk assessment.

Some vulnerabilities are easy to identify – such as factories in flood zones or closed systems with no external connections. Others, though, are more complex – like gaps in contingency plans, outdated technologies or system back-up flaws.

One method for checking vulnerabilities is penetration testing, which involves trying to breach the system using the tools and techniques an attacker might employ. Testing might specifically look at vulnerabilities in software, or it might check scenarios – such as a lost laptop or an unauthorised device connected to the network.

Step 4: Quantify your cyber security risks

It’s hard to imagine any company that could find no vulnerability or risk at all, but trying to plan for every eventuality can be counter-productive. Step four is about assessing the likelihood and severity of impacts so that you can prioritise. This likelihood is a weighted risk factor based on the probability of a threat source actually exploiting vulnerabilities.

The end point should be a risk register that collates all the information for easy reference, along with a management strategy that takes account of the costs of preventative measures and the value of the company’s reputation.

Step 5: Manage cyber security risks and plug the gaps

Human error is the cause of 88% of security breaches, according to a new study by Stanford University. That could be leaving a laptop on a train, making a bank transfer without the proper checks or clicking on links in emails.

As so many threat events are accidental and can originate within the company, cyber security awareness and training is a priority. All employees should understand the policies (using personal devices, for example), their responsibilities (such as reporting incidents) and threats (such as malware or phishing).

Without this company-wide awareness, the best-protected systems are still at risk. For example, passwords are simple, low-cost security measures, but they can be stolen by cyber-criminals through phishing attacks, or employees failing to change passwords from the default setting.

Almost every UK business has at least one security rule or control in place:

• Data back-ups (87%)
• Malware protection (83%)
• Password policies (75%)
• Network firewalls (74%)
• Restricted IT administration rights (72%)
• Secure cloud service data backup (71%)
• Two-factor authentication (37%)
• Monitoring user activity (33%)
• Providing separate Wi-Fi for staff and visitors (33%)
• Using virtual private networks (32%)

Get your cyber security right, right now

Complete security is unattainable. As manufacturing gets smarter, so do the cyber attackers. But this doesn’t mean you need to avoid digital technologies at all costs. These technologies are becoming increasingly common and for good reason: the insights you can gain through data can massively improve your performance, giving you an advantage in global markets.

As our processes and systems become more complex and connected, constant monitoring vulnerabilities becomes more imperative. Every company should have a response and recovery plan that reduces downtime, prevents loss and enables fast investigation of the incident.

Read more in our full Cyber Security Risk Assessment for Advanced Manufacturing guide.

This article is part of a series featuring key insights on digital manufacturing for SMEs. Find out more about the revolution in digital manufacturing here.