Manufacturers have long faced challenges as to how to best manage supply chains and maintain supply continuity during such disruptive events as trade wars and geopolitics. “The coronavirus (COVID-19) pandemic shot a bright spotlight on the fragility of the supply chain as well,” says Brian Gerritsen, senior director, commercial accounts at Travelers in the San Francisco Bay area.
But another risk is challenging manufacturing supply and operational continuity: cybersecurity. According to cybersecurity technology company CrowdStrike, the quantity and sophistication of manufacturing cyber threats increased during the first half of 2020.
The 2020 Travelers Risk Index found that although the majority of manufacturing-company decision makers believe strong cyber-prevention tools are critical, there are gaps in the execution of such tools. About a third of respondents say they don’t require routine password updates, while only 36 percent have simulated a cyber breach to see where there might be vulnerabilities, says Kirstin Simonson, global technology cyber lead at Travelers in St. Paul, Minnesota.
The reasons are multifold. “Manufacturers are quite often focused on running a lean and efficient business,” she says, “and a just-in-time approach.” A manufacturer’s business objectives might not include an in-depth understanding of cybersecurity, she says. “I’ve seen where there is heavy reliance on older cyber tools, saying they have anti-virus software and firewalls installed and ‘we don’t collect data about others, and we feel good about our business.’ So, I think there’s a little bit of disconnect of what the full ramifications of a cyber event might look like.”
Like other companies, many manufacturers don’t see themselves as being affected by cyberattacks because they aren’t in a group typically targeted — like government agencies or IT companies that have experienced breaches in the past and get written up in the news, Simonson says. They don’t realize that if an employee opens a phishing email, malware could potentially spread through the organization, shutting it down, she says. “Or conversely, they don’t consider what happens if a supplier is shut down completely because of a ransomware event and it can’t deliver whatever component they’re reliant on,” Simonson says. “Looking at a full-blown assessment related to that type of event may not always be top of mind for these types of organizations.”
There also can be a financial component about where an organization should invest its resources. That’s where a cost-benefit analysis to determine ROI can be helpful, Simonson says: “Aligning the IT security needs and the investment dollars with a business objective is critical to get buy-in from the board or C-suite.”
As the manufacturing industry innovates and invests in advanced technologies like artificial intelligence, robotics and the Industrial Internet of Things, Gerritsen says, complicated cyber-risk questions arise that companies must address. Those technologies can be additional end points (access points) of attack. “It’s not just about computers and passwords anymore. Now, it’s about are my robots safe?” he says.
Everything connected to the internet, directly or indirectly, can be an access point, Simonson says. For manufacturers, she and Gerritsen say, cyber threat concerns often center around (1) production-line disruption, (2) customers’ proprietary information and intellectual property, and/or (3) corporate espionage.
Operational changes — such as those seen during the pandemic — also can create opportunities for cyberattacks, Gerritsen says. For example, many food manufacturers have ramped up production or run additional shifts to keep up with demand and textile manufacturers have shifted to producing personal protective equipment (PPE). “So, there has been quite a lot of change due to the pandemic,” he says.
What actions can manufacturing companies take?
Risk management is key, Simonson says. First, conduct a risk assessment to identify potential vulnerabilities. She says, “Ask questions such as: What could a hacker monetize that I need to protect? If I can’t protect those things, what are the options so I can avoid a significant business disruption?”
Next, look at the security of end points. These can pertain to people (employees or suppliers, for example) or be operational, Simonson says. Determine who needs access to critical information versus who doesn’t, she says: “We continue to see passwords like ‘123456’ being used, even for administrative and privileged access. Companies need to take a stronger approach to make sure that’s not happening. Require strong passwords and updates to those passwords. Require multifactor authentication for all remote access and privileged and administrative access.”
Additionally, consider monitoring tools like end-point detection, which detect unusual activity, enabling companies to determine whether they need to respond, Simonson says. “Unfortunately, the antivirus software and firewalls aren’t as nimble to respond to the unknown as some of the newer tools,” she says.
Other tools include:
Training. Training can help employees learn where their actions could lead to potential cyber threats. Such training can delve into identifying email phishing attempts and how to handle them. “Some of the emails are really slick; they’re not as easy to identify as they were in the past,” Simonson says. One measure is to identify external emails.
“You can’t overspend on information-technology (IT) security,” she says. “Companies must work with their business objectives, asking, to meet our production goals, we need to make sure the entire production facility is protected. How do we do that?”
Cyber insurance. “This isn’t a product that’s only going to help with the risk-transfer component,” Simonson says. Carriers typically offer pre-breach and post-breach services that can help support a company’s cybersecurity initiative, and these services can include training resources and access to security providers, she says.
Supplier management. What if a cyber threat hits a supplier? That’s something most manufacturers aren’t considering; they are more focused on their own plants, Gerritsen says. But it’s important to vet the suppliers’ cybersecurity and controls to maintain business continuity, he says. “Maybe it’s thinking differently about supply chain management,” he says. “Maybe it’s having a backup supplier or specific contractual requirements for the manufacturer to protect themselves.”
When working with suppliers, manufacturers should make sure their suppliers’ cybersecurity protocols match or exceed their own, Simonson says. Not doing so is akin to not checking the supplier’s quality or whether they met the specifications, she says.
For manufacturers, the evolution of cybersecurity exposures is causing a new way of thinking about supply chains, Gerritsen says. “When partnering with suppliers, the cyber component needs to be part of that now,” he says.