Nearly half of surveyed manufacturing executives lack confidence their assets are protected from cyber and other external threats, according to a new study from Deloitte and the Manufacturers Alliance for Productivity and Innovation.
The study, Cyber Risk in Advanced Manufacturing, indicates nearly 40% of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38% of those indicated cyber breaches resulted in damages in excess of $1 million.
Respondents noted the top motives of cyber attacks to be financial theft, intellectual property theft, and targeted attacks on senior executives for financial gain or access to company strategies or investments.
These manufacturers reported that in the past 12 months, the highest number of incidents originated within the organization (46%), while 39% came from external sources, and 15% originated from vendors and business partners.
Top threats arising from within the organization include phishing/pharming (32%), direct abuse of information technology systems (25%), errors/omissions (26%), and use of mobile devices (24%).
Intellectual Property: the Number One Risk
Intellectual property can constitute more than 80% of a company’s value according to Ocean Tomo’s Intangible Asset Market Value Study, published in 2015.
In that study, 36% of manufacturing executives said that intellectual property tops the list of data protection concerns, followed by consumer data (32%) and accidental disclosure of personal information (29%).
In addition, significant and increasing concern exists around more sophisticated state-sponsored attacks on intellectual property.
Preventive and detective data protection strategies can help companies secure their data from the inside out and capture the value of their investments in intellectual property.
Cyber Risk on the Shop Floor
Industrial control systems operate highly automated manufacturing processes where employee safety, environmental protection, and operational efficiency are of paramount importance.
Yet, 50% of surveyed companies indicate they perform vulnerability testing for industrial control systems less than once a month, and 31% have never done an assessment.
These are essential tools for identifying and mitigating cyber risks on the shop floor and clarifying organizational responsibilities between IT and operational technology employees.
By implementing technologies to provide automated 24/7 cyber threat monitoring, manufacturers can become more vigilant in protecting critical manufacturing operations.
“To date, many companies have attempted to isolate the networks associated with their industrial control systems with an air gap, essentially a physical barrier between the industrial control systems networks, enterprise networks, and the internet,” says Sean Peasley, partner, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader.
“However, if they haven’t actually tested the accessibility of these systems, they can miss hidden access points that could be vulnerable to attack.
An air gap strategy is also contrary to industry trends in digital manufacturing, which are designed to generate cost-savings, automation, and efficiency benefits.”
Connected Products, Exponential Risks
Increasing reliance on technology-enabled connected products brings a new set of risks to manufacturers.
Among executives surveyed, 45% said their organization uses mobile applications and 35% cited sensor controls.
However, 40% of respondents said they have not yet incorporated connected products into the company’s cyber incident response plan.
Planning ahead before a breach occurs—so the entire organization is prepared to respond and quickly neutralize threats—can help companies become more resilient.
Leading companies design security into connected products and integrate them into the cyber program from the start.
This is important because 76% of companies surveyed transmit product data using Wi-Fi, and 52% reported that their connected products store and/or transmit confidential data, including Social Security and banking information.