Balancing Security and Interconnectivity in the Manufacturing Industry

Operations in the manufacturing industry used to be siloed according to location, with security focused on restricting physical access to machinery. Human/machine interface devices for controlling operations at a plant or factory were in the same location as the machinery itself, and each factory or plant was located within disconnected zones.

But those days are long gone, as machines are increasingly run by software and automated processes. And because business leaders need up-to-date, actionable information about machines and their physical environments to manage and improve global operations, factories must be connected to the internet.

There are several efficiency advantages to this new paradigm, including predictive maintenance, process standardization, and other forms of automation, but with those advantages come challenges. With the exponential growth of devices in the Internet of Things (IoT), ensuring interconnectivity between multiple sites must be balanced with machine uptime and smooth operations onsite.

This interconnectivity means that many of the guiding principles of enterprise security must now be applied to the manufacturing field. Even matters of jurisdiction are up for debate, as whether manufacturing technology falls under the purview of IT or OT depends on a number of factors. 

The manufacturing field is responsible for building the technology used in other fields. As that technology becomes more complex, so must the machinery used to build it. Adding in connections between machines across the globe opens an increasing number of attack vectors that can be exploited.

The stakes for manufacturing security couldn’t be higher: When a factory goes down, financial losses to the organization can be calculated in terms of time and output, so each potential data breach can often be given a concrete price tag.

Having operations and data spread over multiple locations—and even countries with differing levels of regulation—can cause difficulties for organizations attempting to implement a consistent approach to asset security, and bringing new partners into the mix adds another layer of complexity. Add the rapid migration to cloud-hosted software, and tightening security becomes job number one for any manufacturer.

With a huge amount of capital investment driving manufacturing toward more and more automation, potential security vulnerabilities often get overlooked, as many IIoT devices share information with control systems. According to the Cybersecurity and Infrastructure Security Agency (CISA), automation of industrial control systems brings a greater risk of vulnerabilities being exploited by threat actors. 

With many crucial functions now automated, there have been a number of successful attacks on manufacturing using a variety of methods, including denial of service and Man-in-the-Middle attacks. Many companies are completely unprepared, and some of them are still using unencrypted protocols, like FTP, Telnet, and HTTP.

According to some reports, manufacturing is the industry most targeted by cyberattacks, especially by ransomware. As production ramps up in response to the world’s post-pandemic economic recovery, we can expect that this trend will become even more pronounced.

The fallout from a data breach in manufacturing can often be more severe than that experienced by other industries. If a factory goes down in a cyberattack, it can immediately cost the company millions of dollars due not only to decreased worker productivity – as is the case with any organization – but also shutdown of the production process, which directly impacts the bottom line. Because of this direct, immediate connection to revenue, manufacturing systems are a lucrative target for ransomware.

So what can manufacturing organizations do to secure their industrial control systems in the face of an ever-increasing onslaught of security threats?

As the manufacturing industry catches up to a new threat landscape, security controls are often applied unevenly or in an ad hoc manner. This creates a patchwork quilt of controls that is bound to have vulnerabilities that can be exploited by threat actors.

For manufacturing organizations to fully secure their assets, they must implement security initiatives across the entire organization that adhere to industry and company standards. Whenever new threats arise, standardization enables company leadership to implement the necessary measures and tighten security before a cyberattack can take place.

Because industrial control systems are increasingly software-dependent and interconnected, manufacturers have to implement rigorous code-signing initiatives to ensure that any firmware-running control systems only allow code to execute if their authenticity is verified by secure certificates or private keys. 

Code should not be able to install or execute unless it is verified, from initial application deployment to software updates and patches. IT leaders in the manufacturing industry must perform their due diligence to determine what certificate sources are trusted, both internal and third-party.

In the code-signing conversation, there is some potential for the implementation of machine learning and artificial intelligence to detect and analyze changes to an environment that might not be immediately apparent to personnel. But while AI threat analytics can be a promising addition to your security structure, it is predominantly reactive in its current form, and it does not solve the problem of what sources of authentication to trust.

Many manufacturers build machines with only their primary function in mind, failing to address potential vulnerabilities until late in the design process or even after an exploit occurs. This not only creates a less secure product, but can also be much more expensive, as security controls have to be retrofitted to the machine in a way that maintains productivity.

To implement a Security by Design strategy where identity security, firmware protection, and patch management are implemented at each point of the design process, think about the following:

• • Make sure you understand top-level business drivers for the company (e.g., factory uptime, product quality) and design the machine toward those goals. 
  • Get to know your security representatives and involve them early in the design process. Don’t ask them to make the product secure after it’s almost finished.
  • Leverage proven tools around key management and code-signing. You don’t have to start from scratch.
  • Make sure the machine is able to adapt to new technology (e.g., quantum computing) and evolving cyber threats.

Taking this approach not only creates a more secure machine, but also one in which security controls are less likely to hinder productivity because they are more fully integrated in the machine’s function.

While automation in the manufacturing industry can be a huge source of risk, when properly implemented automation can be an asset. Humans can at times be the weakest link when it comes to security, and eliminating potential points of failure can significantly reduce your attack surface.

To get up to date on the challenges other manufacturers are dealing with and how they are handling them, check out the IoT Device Security in 2022 Survey by Pulse and Keyfactor. By understanding what other companies in your industry are doing (or not doing) to secure their critical IIoT systems from cyberthreats, you can start to put strategies in place to prevent outages, maintain production, and protect your company’s reputation.

For additional insights into how you can enable new digital business models with secure communication in the connected factory, watch our on-demand webinar: Securing the Connected Factory of Tomorrow.