Manufacturing – Internet Security Alliance

CYBERSECURITY IN THE Manufacturing Sector

WHAT MAKES THE MANUFACTURING SECTOR UNIQUE
Manufacturers are the creators, users, servicers, and installers of the Internet of Things. This technology is creating enormous opportunity and driving transformative change. It has made all manufacturers into technology companies.

The days of interacting with the customer only during a single transaction are over. Connected technology enables manufacturers to provide real-time performance monitoring and usage patterns for their customers throughout the entire lifespan of a product. A tire manufacturer won’t just sell tires but a package to reduce costs through sensors that collect data on fuel consumption and tire pressure.

While connected technology drives innovation in the manufacturing sector, it also creates new challenges. Manufacturers are now the first line of defense in securing our nation’s most critical online assets. They place cybersecurity at the highest priority level.

One of the primary targets for cyberattack inside the manufacturing ecosystem is industrial control systems. This is the class of computers that help manage the shop floor. ICS are configured in growing numbers to be reachable through the Internet, including systems retrofitted with modern networking capabilities.

Even when companies take measures to secure their Internet addressable ICS, they often link their factory production and enterprise
information technology networks. That connection results in benefits such as increased productivity, but a new class of malware is exploiting those links to target ICS, likely for espionage.

CHALLENGES FACING THE NEW ADMINISTRATION

THE IOT IS GOING FASTER THAN SECURITY CAN KEEP UP
Many IoT devices will possess minimal processing power. That is the nature of the thing—ubiquitous and cheap devices everywhere whose power comes through networking. As a result, many devices may not have capability for basic cybersecurity best practices, such as encryption and operating system updates. Even where capacity exists, manufacturers might not find it economical to patch devices made on a slim margin in a market relentlessly focused on the next generation of products.

CYBER ESPIONAGE
Only the government tops the manufacturing sector as a victim of cyber espionage. Espionage isn’t just a matter of lost revenue. It’s a threat to economic security with implications for national security.

INDUSTRIAL CONTROL SYSTEM SECURITY IS UNDERRATED
Attackers seeking to disrupt industrial processes don’t need to exploit an underlying software vulnerability, the way that sophisticated hackers do when attacking enterprise IT systems. They simply need to gain access to the ICS (perhaps through the corporate IT network) and use the exposed digital controls to manipulate the system into failure. No further hacking required.

The Department of Homeland Security stood up in 2009 the Industrial Control Systems Cyber Emergency Response Team in recognition of this challenge, but the years since have proved disappointing. Its main output is further transmitting alerts already widely available to industry.

RECOMMENDATIONS

INCENTIVES FOR IMPROVING CYBERSECURITY
Small- and medium-sized manufacturers in particular face bad economics when it comes to achieving a level of cybersecurity robust enough to stand up to nation-states, manufacturing’s main cyber threat. This gap between commercially sustainable levels of cybersecurity and what’s necessary to counteract foreign adversaries isn’t just a market failure. It’s the space that federal government was designed to fill by dint of its constitutional charge to provide for the common defense.

What’s necessary is a public-private partnership that uses economic tools to encourage investment beyond ordinary levels of commercial cybersecurity spending. Specifically, the government should complete the task begun with creation of the National Institute of Standards and Technology Cybersecurity Framework in determining what the most cost-effective elements of cyber defense are.

FUND IOT SECURITY RESEARCH
No amount of incentives can overcome a key characteristic of the Internet of Things: ubiquity of cheap computers with minimal computing power. The ability to seed the environment with cheap computers is what makes the IoT possible.

This is an irreducible problem that requires a different approach to cybersecurity, one premised on building secure systems from insecure components. This isn’t a new notion, but it’s one that’s needs urgent revitalization. The National Science Foundation, the Defense Advanced Research Projects Agency, and the research arm of the Department of Homeland Security should make funding research into this a priority.

ICS-CERT SHOULD BE STRENGTHENED
The Industrial Controls Systems Cyber Emergency Response Team performance needs to enhance its focus on development of best practices and on research. The organization’s outreach to the manufacturing sector should also be improved.

“We tend to count things—how many alerts, how many advisories, how many incidents do you respond to,” said ICS-CERT director Marty Edwards in May 2016. “I think we have to get to the point of measuring what impact did we make inside of a company, or how is a sector improving or degrading over time in the cybersecurity area,” he added. The manufacturing sector concurs.