Manufacturers are for the first time bearing the brunt of cyberattacks. Defending a company’s downstream supply chains is just as important as making the core business cybersecure.
By Stephen Phipson, Chief Executive of Make UK The vulnerability of supply chains has been thrust into the spotlight by a series of crises, from Russia’s invasion of Ukraine to the increasingly severe effects of climate change, coming on top of pandemic-related disruptions and shipping bottlenecks. But these are not the only threats that need tackling. Manufacturing companies are increasingly concerned about the significant risks to supply chains from cybercrime. Last year, manufacturers suffered the brunt of the attacks, overtaking financial services and insurance as the most targeted industry, according to IBM’s X-Force Threat Intelligence Index 2022. The stakes have been raised by the interconnectivity of global supply chains, with several big manufacturing groups suffering production bottlenecks because of cyber breaches in their wider supplier networks that hobbled their supply chains. And the risk to manufacturers has only been heightened by the rush to install digital technologies in order to improve productivity on the factory floor. Automation technologies, such as robotics and the Internet of Things (IoT), have increased the attack surface for hackers, introducing new points of vulnerability. In building up supply-chain resilience, company executives face numerous challenges — including how to introduce manufacturing technologies for automation securely, and how to evaluate and tackle weaknesses in their wider supplier networks. Cyberattacks are becoming a systemic risk, but organisations can take steps today to protect their supply chains as manufacturing becomes increasingly digitised. One of the major challenges that companies face is the management of third-party security threats, which are usually a weak point. Smaller suppliers do not have the financial resources of larger companies, making them easier targets for hackers. According to the Hiscox Cyber Readiness Report 2022, firms with revenues of $100,000 to $500,000 now suffer as many attacks as larger groups with income of between $1 million and $9 million. At the same time, the report notes that IT spending is down for smaller companies, leaving many exposed. For the small- and medium-sized firms that form the backbone of most developed economies, the challenge is getting the right level of support and expertise. And because a supply chain is only as strong as its weakest link, knocking out just one critical supplier can cripple an entire supply chain. A case in point is Toyota. Earlier this year, one of the automaker’s critical suppliers of plastic parts and electronic components suffered a suspected cyber breach. This forced the auto giant’s Japanese factories to shut for a day, hitting output of about 13,000 vehicles. For big producers like Toyota, part of the solution will be reviewing their supplier networks to unearth vulnerabilities in their cyber defenses. Information security should also become part of the screening process for new suppliers. Because these suppliers could number in the hundreds or even thousands, it can be difficult to assess all vendors, and firms tend to do a poor job of it. Usually, companies will require a prospective new supplier to present a cybersecurity certification. For example, ISO 27001 is one of the most popular information security standards, which enables suppliers to signify to their customers and partners that their firm’s infrastructure meets their expectations. This is a good starting point, but companies need to go much further in reviewing the cyber-resilience of their supplier networks. Very often, security certifications only protect operations that work independently of wider networks, but the emphasis must shift to protecting interconnected systems. Rarely are existing security standards comprehensive enough for the fourth industrial revolution, or Industry 4.0. As well as updating these certifications, best practice for manufacturing groups should include employing teams of security experts — or using external consultants — to qualify new vendors. This must include carrying out proper mapping of the factory floor to ensure there are robust security processes in place. Service providers, including law and consultancy firms, require the same due diligence that you would focus on suppliers involved in the making of a product. In particular, the legal sector holds vast quantities of sensitive corporate data that hackers can target, putting them at risk of a cyberattack. They are also often easy prey because many law firms use outdated IT systems and have been slow to adopt security policies. Likewise, manufacturing companies are behind the curve in terms of their cyber protections relative to other industries. The financial services and technology sectors have relied on connected IT systems for years, making them more attuned to — and better prepared for — cyberattacks. Manufacturing companies need to strengthen their defenses as they embrace Industry 4.0 and begin to link their operations to the internet to improve output and productivity. The other challenges are more conceptual. The dangers of cyberattacks are often under-appreciated, with executives bemoaning the high costs of security protections. One reason is that some breaches don’t have to be made public and therefore go unreported, creating a false sense of security among business leaders. This comes as the perpetrators of cybercrime are becoming increasingly sophisticated — ranging from private criminal groups to state-backed hackers, who can cause major disruptions and have a large financial impact on multinationals. This happened in 2017 when the two consumer goods giants, Mondelez International and Reckitt Benckiser, were hit by the Petya malware that infected their organisations and disrupted operations and earnings. Mondelez, which makes Oreo cookies and Cadbury chocolates, took a financial hit of more than $100m. Beyond that, a growing issue for manufacturers is intellectual property (IP) crime — when hackers steal and sell patents, trademarks, or industrial designs to third parties, or use them to make counterfeit goods for sale on the black market. The threat to IP can also come from within organisations: employees unintentionally sharing private data on unsecure networks, deliberately stealing data for commercial gain, or seeking revenge on an employer they resent. In this environment, companies need to create layers of defences around not only their technology but their people. Most breaches come down to human error, omission or negligence. In “smart factories”, special attention must be paid to production engineers, who are designing, building and maintaining all the systems, including automated machines. Every connected device on the factory floor should be linked securely to the on-site gateway that receives their data, in order to prevent network access from people without permission. Unfortunately, devices are rarely secured, with many owners continuing to use default passwords. Given that these are usually simple and publicly documented, default passwords give hackers a simple route into the corporate network. Clearly, strong cybersecurity education is a must. However, smaller suppliers seldom have the budget or expertise to deliver this training. So companies may need to support their supplier network by offering education themselves, in order to manage the upstream risk in the supply chain. As well as this, the providers of technologies for automation also have a role to play in advising customers about the right protections, so they can use their systems with confidence. In the years ahead, more manufacturing companies are likely to automate and digitise production processes to boost their competitiveness. But they will need the right protections in place to mitigate the growing cyber-risk to supply chains. Stephen Phipson became Chief Executive of Make UK in 2017, having previously held the position of Head of the Defense and Security Organization at the Department for International Trade. Before that, he was Director for Security Industry Engagement within the Office for Security and Counter Terrorism at the UK government’s Home Office, where he was the Senior Responsible Owner for the UK security industry. Article originated in Institute for Management Development ISO News is an aggregator of global media. All the content is available free on the internet, we have just arranged it in one platform for educational purposes only. In each article, the hyperlink to the primary source is included. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – allthingsbeingisos@gmail.com and the content will be deleted within 24 hours.
