Cybersecurity defenses found lacking for manufacturers

A report from global cybersecurity company Kaspersky Lab, Woburn, Mass., found that in the first half of 2017, manufacturing was the industry most susceptible to cyberthreats, with the industrial control system computers of manufacturers accounting for almost a third of all attacks. In total, Kaspersky Lab detected about 18,000 different modifications of malware on industrial automation systems in the first 6 months of 2017.

Sridhar Kota is the Herrick professor of engineering at the University of Michigan-Ann Arbor and a director of MForesight: Alliance for Manufacturing Foresight, a manufacturing-centered think tank. He noted several reasons why manufacturers are at special risk for cyberattacks. More than most sectors, manufacturing relies on flows of materials, parts, assemblies, energy, data and people from diverse, changing sources. Supply chains are hyperconnected systems of contractors and customers. Most factory floors run 24 hours a day and include complex combinations of cutting-edge equipment and decades-old machines, making it difficult to test and maintain systems or to rely on existing cybersecurity products and tools.

Sridhar Kota is the Herrick professor of engineering at the University of Michigan-Ann Arbor and a director of MForesight: Alliance for Manufacturing Foresight. Image courtesy of University of Michigan.

Organizations both inside and outside the U.S. government have been grappling with how to minimize the threat. The U.S. National Institute of Standards and Technology released a 56-page manufacturing profile (available at tinyurl.com/NIST-cyberthreat) in September that’s intended to serve as a road map for managing cybersecurity activities and reducing the risk to manufacturing systems.

Almost concurrently, MForesight and another think tank, the Computing Community Consortium, jointly issued a report (available at tinyurl.com/MForesight-CCC) detailing how government, industry and academia can come together to recognize and address the growing risk of cyberattacks.

Kota sees a parallel to events 3 decades ago, when a different kind of threat caused U.S. manufacturing to pick up its game. “Much like Japanese competition gave rise to a new quality culture in U.S. industry in the 1980s, the hacking threat can, and should, give rise to a new culture of care and vigilance today,” he said. “Cybersecurity defenses, including new cybersecurity certification programs, can help companies build their competitive advantage.”

The key recommendations in the MForesight/CCC report are:

• Create a public-private partnership focused on manufacturing supply chain cybersecurity.
• Establish a federal research initiative to address both near- and long-term cybersecurity challenges and opportunities. Fundamental research should address systems-engineering methodologies for cyber- physical systems with designed-in cybersecurity and resilience, treating cyberspace as a systems design/interface risk problem.
•  Establish manufacturing-industry-specific information sharing and analysis centers (ISACs), information sharing and analysis organizations (ISAOs), or similar organizations to facilitate fault-free, anonymous sharing of incidents, threats, vulnerabilities, best practices and solutions. Existing ISACs/ISAOs can serve as models.
• Establish an executive-level working group to provide a strong industry voice to advocate for cybersecurity and motivate industry action to strengthen cybersecurity.
• Develop a comprehensive framework specifically for manufacturing supply chain cybersecurity, similar to existing nonmanufacturing cybersecurity frameworks.

The nation’s industrial firms should heed warnings and adopt proven practices rather than waiting until it’s too late, according to Kota. “Of all the report’s findings, one is primary,” he said. “There’s no time to lose.”