Manufacturing in the Digital World: Identifying & Mitigating Cyber Risks
More than four hundred billion dollars: this is the staggering cost of cybercrime to the global economy, according to a new study released by McAfee and the Center for Strategic and International Studies. In fact, the United States, Germany and China together lost more than $200 billion to cybercrime in 2013, according to the report. And when the global economy suffers, so do jobs and manufacturers.
“In the United States alone, studies of how employment varies with export growth suggest that the losses from cybercrime could cost as many as 200,000 American jobs, roughly a third of 1% decrease in employment for the U.S.,” the study says.
Countries with robust economies, like the U.S., are more likely to be impacted because the value of their exports is dependent upon innovation, the report said. Stolen intellectual property reduces exports, as well as overall GDP, and even small changes to GDP impact employment. For example, if lost jobs are in manufacturing or other high-paying sectors, the effect of cybercrime is to shift workers from high-paying to low-paying jobs, or to unemployment.
While job loss is a concern as cybercrime rates increase, the study concluded the most significant damage comes from its effect on trade, competitiveness, innovation, and global economic growth.
According to Larry Clinton, president and CEO of Internet Security Alliance—a multi-sector trade association that focuses on cybersecurity economics and policy—even the most locked-down company can be subject to attacks due to vulnerabilities within the company’s supply chain. No longer is it enough to ensure your own computer networks are secure; it’s essential to understand the security level of your suppliers and vendors. Companies with deep supply chains, like manufacturers, can be among the most vulnerable.
“For economic reasons, many companies manufacture through the use of these long international supply chains,” said Clinton. “The problem with that is the longer your supply chain is, the harder it is to secure it.”
Clinton says there are a number of ways a manufacturer’s supply chain can be compromised, but the most common attack comes through interconnected software systems.
“We did a project a number of years ago specifically looking at the threats to the supply chain that was focused on hardware, but we found that in the commercial sectors, hardware supply chain attacks were of comparatively low risk,” he said. “Attacks on the software side were of a higher likelihood because they were cheaper.”
Another challenging area for manufacturers is protecting old and outdated software systems from data breaches, says Chester Wisniewski, senior security advisor with IT security product company Sophos, Inc. For example, if a robotics system on a manufacturing floor runs on an old version of Windows, it inherently will have fewer built-in security features to thwart modern-day attacks.
“This is a challenge in manufacturing because the timeframe for which you purchased your capital equipment is usually quite long,” said Wisniewski. “Whereas, most of the computers being built today are expected to have a lifetime of two or three years. So there’s a big conflict as manufacturing has moved to more mechanized processes and more computerized operations.”
But what these experts cite as the most significant security risk to manufacturers has nothing really to do with manufacturing at all, but rather is inherent to all sizable businesses: a vast network of people interacting on company-wide systems that are often interconnected with personal devices, like cell phones, laptops and tablets.
According to an article published in an April issue of The New York Times, a large oil company (whose identity has been kept confidential) was breached when hackers infected with malware the online menu of a Chinese restaurant that was popular with employees.
“When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the oil company’s vast computer network,” the article stated.
“People tend to think this is an IT problem—it’s not,” said Clinton. “It’s an enterprise-wide risk management problem. In fact, the number one vulnerability for companies isn’t the technology, it’s the people. And human resource management within the organization is just as important as IT management. Most people really haven’t thought through this in that sense. They still think as long as I update my software and do some best practices, I’ll be okay. That’s not the case.”
Clinton says companies that allow employees to use their own devices in order to cut costs and create efficiencies are putting their systems at risk.
“Thousands of employees walking around with your corporate data on their iPhones, that are probably not protected, really undermines your security,” he said.
The transition to cloud-based technology that many companies are making adds another layer of complexity to cybersecurity. A recent study by computer scientists at Johns Hopkins University suggests that even the most cutting-edge cloud storage providers may be putting company data at risk. The study asserts that cloud providers who claim to employ a “zero-knowledge” approach—one that is thought to be virtually impenetrable—remain vulnerable to attack when data is shared with vendors.
Experts recently gathered at the RSA Conference to discuss global information security. John Pescatore, director of research at the SANS Institute, indicated that cloud adoption is inevitable even with potential concerns. In fact, the panel of experts concluded that cloud security concerns are overblown. According to Pescatore, “A vast majority of enterprise breaches involving cloud providers stemmed from enterprise failures and not cloud provider faults.”
Whether or not there are risks associated with the use of cloud technology, Clinton says companies will largely continue this practice due to the enormous cost savings. In large part, Clinton says companies are not thoughtfully weighing the benefits of making additional investments in cybersecurity, nor are they assessing the risk to their businesses if they fail to do so.
“Those are the types of sophisticated decisions that are not being raised to the board or senior-management level in most industries, including manufacturing. But that’s what needs to happen to solve this.”
Wisniewski concurs, adding that cybersecurity investments are an important part of any risk management plan.
“What businesses should do when they’re making any kind of security investment, whether it’s physical or technological, is assess the risk to the business if these computers are down, or if this information is compromised, and what it’s going to cost to protect our data and lower that risk,” he said. “Because you’re really buying insurance, aren’t you? If you’re manufacturing hardware for defense contractors, it would seem obvious that your business would come to an end if those blueprints were stolen from you. Nobody’s going to ask you to make something again if you can’t keep those plans secret.”
Wisniewski believes these security investments may not be prioritized because, unlike retailers who handle massive amounts of consumer data every day, manufacturers may not assign a similar value to the data they possess.
“Anything that’s of value, the attack community will attack,” he said. “Intellectual property? Absolutely! But not just your intellectual property—your business processes as well. If you’ve been running an auto plant for 100 years, and during those 100 years, you’ve really learned how to build cars in a way that nobody else knows, and you’ve got proprietary processes that you use to create efficiencies, that’s valuable stuff. People are liable to come in and attack it. If you are thinking of merging with an organization, people are interested in that information. Your merger/acquisition plans, your financial plans. All these things have great value in the wrong hands, and all of it is subject to attack.”