A cloud of mystique often surrounds cyber security, but there need not be one. Today, business cyber security should be considered another core business function, like sales, finance or procurement. In this article, we explore why cyber security is important to manufacturers and share our top ten cyber security tips for manufacturers.
Why is cyber security important to manufacturers?
Cybercriminals are drawn to the most vulnerable and profitable sectors. Manufacturers typically have high-value data, a digitised manufacturing plant and connected supply chain. These are connected to IT systems to access monitoring systems, designs, intellectual property (IP) and procurement data. Extensive damage can be caused if these IT systems are hijacked and production lines stopped. It is this down-time and threats of high-value data leaks that provide cybercriminals great leverage.
This makes manufacturing and engineering businesses an attractive target to cybercriminals. Meanwhile, digitalisation and new connected technologies like IoT, digital twins and connected and autonomous vehicles mean there are more points of entry at which a business or product can be penetrated.
Cyber security is about identifying those points of entry and protecting them, but also preparing for the worst-case scenario. Manufacturers should expect a cyber-attack at some point.
Cyber security risks
Unless cyber security is on your radar, the devastating and disruptive nature of a cyber-attack can be underestimated.
Cyber-attacks have serious consequences
After analysis of major cyber-attacks, it is widely accepted that the next global financial recession could realistically be caused by a cyber-attack.
Cyber-attacks are already wide-spread
Make UK report that 47% of manufacturing businesses have been hit by a cyber-attack in the past 12 months.
Cyber security is suppressed
Make UK report that one-third of businesses would not report a cyber-attack. Often, we speak to peers and networks about issues and challenges. If cyber security isn’t discussed, then learning, knowledge and progress are much slower, which is worrying for the sector. There are a number of ways manufacturers can remove the mystique surrounding cyber security and take control to prevent or prepare for an inevitable cyber-attack.
Top 10 cyber security tips for manufacturers
1) Add cyber security to your boardroom agenda
To normalise security and encourage continuous improvement and focus, add cyber security to your management team’s monthly agenda. Remember to treat cyber security as a business focus like finance.
2) Follow GDPR
GDPR legislation was the first step by the UK Government to ensure a base level of data security within organisations. Remember to maintain and review your processes to prevent receiving heavy fines from the Information Commissioner's Office (ICO) should there ever be a serious data breach. If you do suffer a breach, remember to inform the ICO within 72 hours, otherwise, you will be fined.
3) Gain Cyber Essentials
If there is one thing I would recommend for any manufacturing or engineering business to do, it is to achieve Cyber Essentials accreditation. It provides a fantastic base level of protection that prevents 80% of all cyber incidents. Most cyber-attacks are simple in nature and can easily be prevented by having the Cyber Essentials framework in place. This is the reason why so many supply chain security requirements stipulate having Cyber Essentials certification. Those businesses wanting further accreditation can obtain Cyber Essentials Plus or one of the ISO 27000 series of security standards to impress prospects and clients.
4) Secure manufacturing equipment
The manufacturing and engineering industry is capital intensive, with facilities and equipment that last decades. When machinery or any high-value asset has a computer, over time, its security rapidly declines.
Consider a laptop. It has regular security updates, but after five years the technology is outdated and a security risk once support from the manufacturer or the operating system ends. For example, Windows 7 is no longer supported by Microsoft and does not get important security updates, so that laptop should be quickly replaced.
The computer within an asset does not typically have any security updates, ever. The computer will still be out of date in 5 years, yet the asset has a 20-30 year lifespan. There are huge security and IT implications. Machinery, facilities and equipment need to be carefully managed and essentially isolated from all other IT systems.
Manufacturing assets can be easily hacked when IT networks are not properly managed. What setting could a hacker or competitor access or change in your business? Sabotage is a huge risk.
5) Consider your supply chain security
The very nature of manufacturing and engineering supply chains means that they are digitally interconnected. Cybercriminals are targeting small businesses within complex supply chains because SMEs typically have fewer security controls. The small organisation is used as an entry point to infiltrate the larger organisation. This is why Cyber Essentials has become such a popular supply chain security requirement.
But what if you’re not an OEM, prime or large business? Are you reviewing your own suppliers? All businesses should routinely audit their suppliers’ security, particularly those holding sensitive data, for example, solicitors, accountants and IT companies, but this could extend to all of your suppliers that have access to your data.
First, audit your suppliers by simply asking ‘what security measures do you have?’ Later, you may stipulate or show preference to suppliers that hold Cyber Essentials certification.
6) Secure your intellectual property (IP)
The nature of designing and creating products within manufacturing and engineering industries means that IP is a prime target for cybercriminals. UK Government stats suggest a significant proportion of cyber-crime cost is from the theft of IP from UK businesses, estimated at £9.2bn every year. The issue arises when highly sensitive IP data is encrypted, and the victim is asked to pay a ransom for the IP not to be released into the public domain.
Always limit access to sensitive documents. People are often the weakest link in security, for example by opening a spam attachment that contains malware or by losing a phone or laptop. The fewer people that have access, the less likely it is that information can be stolen. Also, enable two-factor authentication. This is where a user name and password are required, plus an extra verification method, such as entering a code that’s sent via SMS or email.
7) Secure IoT devices
Identify and list your business’s IoT devices, secure those entry points and keep devices updated with important security updates. Also, research IoT devices before purchasing and consider what security controls each device has. Look out for the IoT Security Assured certification in the future, which demonstrates that manufacturers have proved that their devices meet UK and EU legislative requirements.
8) Expect more legislation changes
Cyber security legislation is continually changing. The 2021 Queen's Speech confirmed that the Product Security and Telecommunications Infrastructure Bill would be brought before Parliament in the next parliamentary session. This will require manufacturers, importers and distributors to ensure that consumer connected products meet minimum security standards.
But it won’t stop there. Expect more legislation. The Government reports being disappointed with the uptake of cyber security within businesses generally. Legislation will be quickly introduced to take control of industry’s lack of action and reduce the national security risk.
9) Outsource where in-house cyber knowledge ends
Be realistic about your in-house knowledge, skill-set and time. Just like an accountant, it’s likely that you will need to partner with a cyber security business.
Also, it is worth noting that, in the worst-case scenario, victims of serious cyber-attacks often require outsourced security expertise. Consider appointing a long-term security partner sooner rather than later. Don’t wait until you have suffered a cyber-attack and are in desperate need of expert help. As with all suppliers, make a planned and considered decision.
10) Utilise free Government resources
The National Cyber Security Centre holds key information for businesses about cyber security. Ensure their free guides and advice are utilised by your team. Also, it is worthwhile gaining a free or paid membership to one of the five Regional Cyber Security Centres located around the country. The centres help businesses of all sizes to become cyber secure, holding regular, helpful webinars, but also providing free and heavily discounted cyber security tools.
Cyber security does not have to be mysterious or complicated, but it does need to be considered a key business function today, where manufacturers:
- Treat cyber security as being as fundamental as finance: add security to the board agenda and outsource to specialists, like you would an accountant.
- Maintain GDPR compliance
- Gain Cyber Essentials to achieve a base level of cyber security
- Secure your own supply chain and IoT devices
- Expect more legislation, and adhere to changes in UK cyber security law
- Utilise free resources available from the UK Government
By implementing these core security controls, manufacturing businesses can mitigate most security threats and be prepared for the future.
Guest blog by James Cash, founder and MD of Birmingham IT support company, Superfast IT.