The more networked and data-centric manufacturing becomes, the more manufacturing leaders ought not consider cybersecurity as something that only concerns the IT department. New SEC reporting rules and high-profile hacks against manufacturers with multimillion-dollar price tags last year curtly demonstrate the point.
Org-wide planning provides the best defense against cyberattack. Knowing what to expect in 2024 and taking proactive steps against threat actors may make the difference between publicly admitting your company wasn’t prepared and accordingly losing money and prestige, or not.
Educate Your Workforce
Human beings decidedly provide the weak links in cybersecurity hygiene. Erecting digital gates and demanding identification checks do nothing if your employees hand over virtual ID cards without realizing they’ve done it.
“Cyberattacks in 2024 will look EXACTLY as they have in the previous three-to-four decades. Most will involve social engineering. About a third will involve unpatched software or firmware. About 10-to20 percent will involve weak password issues. Those three root attack methods will make up 99% of the attacks against most people and organizations,” says Roger Grimes, data-driven defense evangelist at KnowBe4.
“To defend against them, aggressively focus more on preventing social engineering,” he adds. “This means deploying technical cyber defenses that prevent social engineering from reaching users. Because technical defenses will never be perfect, you must train your users in how to recognize the signs of social engineering, how to defeat it, and how to appropriately report it.”
Recognize OT as an Attack Surface
In addition to the best practice, general cybersecurity hygiene pertinent to any business, manufacturers must contend with the vulnerability of their operational technology (OT). Every networked machine on the floor provides a possible avenue for intrusion into your larger IT system.
“Lack of segmentation between IT and OT environments and lack of awareness into these systems provide key avenues for threat actors to cause impacts and outages. Organizations need to mitigate as much risk as possible by focusing on quality backups of not just corporate data, but OT configurations and data needed to restore systems, all with secure encryption,” says Tom Marsland, VP of technology at Cloud Range.
Read More: Bridging IT and OT: Enhancing Cybersecurity in Manufacturing
The question of whether to place responsibility for OT cybersecurity within the IT department, or instead to spin out a separate OT group, is not just organizational says Marty Edwards, Deputy CTO for OT/IoT at Tenable.
“CFOs and CISOs will look at the cost-benefit analysis of investing in IT vs. OT security, and they’ll see there’s more benefit to investing in OT than IT in 2024 that at any point until now. For every $1 spent in OT, organizations get more than what they get with $1 in IT security investment. OT investments buy down your risk much more so than IT security,” Edwards says.
Amir Hirsh, head of Tenable OT Security, wants manufacturers to acknowledge how green initiatives that involve OT monitoring can increase cybersecurity risks.
“With the growing attention and increase of costs and penalties around energy usage and carbon emissions, companies will turn to smarter management of their operations, which will increase OT-based sensor deployment and controls. We’ll see more and more IoT and OT devices in smart buildings, factory management and building management systems. These trends will expose companies to further risk as they will expand their attack surface and often connect these environments to the internet,” Hirsh says.
AI: Cybersecurity, Friend and Foe
Integrating AI into OT carries specific risks and benefits, says Chaz Lever, senior director of security research at Devo.
“As we move into 2024, it’s imperative for manufacturers to place a strong emphasis on the security of their AI implementations. AI represents a new attack surface, and in the case of OT, attacks on AI systems could result in impacts that cross the cyber-physical barrier. Great care needs to be undertaken to make sure AI interacting with OT systems guards against the myriad of potential AI threats (e.g., prompt injection, adversarial examples, model inversion, etc.),” Lever says.
AI also has the potential to help protect OT systems through its integration into security operations. AI’s capability of sifting through massive quantities of security data and isolating high-priority alerts is becoming increasingly sophisticated. This enables AI to augment the capabilities of analysts in monitoring systems, conducting forensic investigations and proactive threat hunting,” Lever adds.
Kurt Markley, managing director for the Americas at Apricorn, points out that bad actors may also use AI to create ransomware tools, the most popular avenues for attack against manufacturers. Generative AI-powered ransomware attacks doubled against healthcare, municipalities and education orgs between August 2022 and July 2023, says Markley.
Manufacturers could be next on the list. Protecting critical data mitigates the risk.
“While almost all IT leaders say they factor in data backups as part of their cyber security strategies, research we conducted [in 2023] found that only one-in-four follow a best practice called the 3-2-1 rule, in which they keep three copies of data on two different formats, one of which is stored offsite and encrypted. Furthermore, this same research found that more than half of respondents kept their backups for 120 days or less, far shorter than the average 287 days it takes to detect a breach,” says Markley.
“The likelihood that AI-driven ransomware will impact far-higher numbers of organizations, it will be more important than ever in 2024 that organizations have a strong cyber resiliency plan in place that relies on two things: encryption of data and storage of it for an appropriate amount of time. IT leaders need to embrace the 3-2-1 rule and must encrypt their own data before bad actors steal it and encrypt it against them,” Markley adds.
Beware the Cloud?
Touted for many years for scalable data architectures and cost effectiveness compared to on-premises infrastructures, manufacturers like Nissan have learned the cloud also carries cybersecurity risks. Don’t think that offloading data to the cloud means offloading related cybersecurity concerns to your cloud technology provider.
“It’s estimated that 30% of cloud data assets contain sensitive information. All that data makes the cloud a juicy target and we expect that 2024 will continue to show that bad actors are cunning, clever and hard-working when it comes to pursuing data. The industry has seen triple the number of hacking groups attacking the cloud, with high-profile successes against VMware servers and the U.S. Pentagon taking place [in 2023],” Markley says.
Read More: Why Manufacturing Remains a Prime Target for Cybercrime
As IT teams spend more on moving and storing data in the cloud, organizations must spend the next 12-to-24 months auditing, categorizing and storing it accordingly. They need to gain deeper visibility into what data they have stored in the cloud, how data relates to each other, and if it is still meaningful to the operations of the organization. In doing so, they are advised to create specific security policies about how, where and for how long they store their data. These policies, when actively enforced, will help organizations better protect their most valuable asset – their data,” he adds.
Think Forward for Best Protection
Effective cybersecurity’s layered, multi-faceted structure and accompanying price tag make it attractive for manufacturers to deprioritize, but the sooner they get on board with proper cybersecurity hygiene the sooner they can stop worrying about ever cutting a fat ransomware demand check…or what they’re going to tell the SEC in the annual 10-K filing.
“Ultimately, it’s crucial for security teams to collaborate closely with their organizational leadership to find an optimal equilibrium between security, user convenience, and technological innovation,” says Lever.
Grimes provides a checklist for basic, first cybersecurity steps:
- Patch all software and firmware, especially anything on CISA’s Known Exploited Vulnerability Catalog list.
- Use phishing-resistant multifactor authentication (MFA).
- If you can’t use MFA, use a password manager which will create and use long and complex, different passwords for every site and service you use.
“The organizations that focus on these core, necessary defenses correctly and don’t get sidetracked by a hundred other less useful shiny objects will significantly decrease cybersecurity risk,” Grimes says.
“The organizations that don’t, will likely be hacked.”