Manufacturing firms have become a top target of cybercriminals, extortionists, and nation-state groups, with 61% of companies experiencing a cybersecurity incident affecting their factories and three-quarters of those incidents taking production offline, according to a report published by cybersecurity firm Trend Micro on Monday.
The report, based on a survey of 250 IT departments and 250 operational technology (OT) departments, states that OT groups have more challenges with security across the board, with technology presenting the most difficulty for both groups but with people and process posing a greater security problem for OT groups. Among the challenges for OT groups are a lack of visibility into assets and associated cyber threats, and a lack of set goals for cybersecurity maturity.
The different challenges and viewpoints mean that IT and OT groups should be collaborating on cybersecurity, but only 12% of groups are working together, says William Malik, vice president of infrastructure strategies at Trend Micro.
"OT systems generally are not overbuilt, so they are chronically short of available processing power, memory, [and] network bandwidth," Malik says. "On the other hand, IT people tend to do a better job at understanding attacks. So, working together they can get better protection and trustworthiness without risking crucial functionality."
The survey is the latest to identify manufacturing as an industry sector in the crosshairs of cyber attackers. Manufacturing along with healthcare, information technology, and construction are the top industries targeted by ransomware groups, according to a recent report by network security firm Palo Alto Networks. A November report found that multiple ransomware development teams had started adding features to the malware to manipulate industrial control systems.
The survey revealed that the average manufacturing firm has experienced a cyber incident, and 75% of those companies had suffered a production outage as a result. In 43% of the outage cases — about 20% of all manufacturing firms — had production stopped for more than four days after a cyberattack.
"Factory cybersecurity is in the developing phase," the Trend Micro report states. "Cyber incidents have not been rare, and many companies are making progress in both organizational and technical approaches and most of them aware the risks attached. As factory cybersecurity evolves in the next few years, this survey shows that it is difficult to select appropriate technical measures."
Because the survey only asked if a company had ever experienced a cyber incident, the data is not an indication of increasing threat and may indicate severe past incidents, such as NotPetya or WannaCry, both of which cause significant manufacturing outages and damages.
The survey data also shows differences in companies based in the United States versus Germany and Japan, the two other countries surveyed. The US firms saw fewer challenges with securing people, processes, and technology than Germany or Japan.
"US manufacturers may have done a better job of deploying that 1990s approach to information security — build a perimeter to keep the bad actors outside," says Malik. "The current interest in 'zero trust' emphasizes the need for a deeper understanding of what traffic occurs within the corporate network."
Yet unique OT challenges mean that collaboration with IT security groups is even more important. Take the example of medical equipment. While IT groups are used to pushing for faster patching, many medical devices are approved by the Food and Drug Administration and cannot easily have the software changed after certification, says Malik.
"Given the inaccessibility of some OT systems, remote maintenance is crucial — and difficult to design," he says. "OT systems are usually constrained, so installing additional software to manage potential problems usually is not possible."
Overall, while 89% of companies have built operational processes for cybersecurity, and 88% have created an incident response process, both OT and IT teams have done so separately. Only 12% of respondents actively collaborated with their counterparts in designing either process, according to the survey.
Companies whose OT and IT groups collaborated had much greater adoption of cybersecurity technology and cybersecurity strategies, such as segmentation and asset discovery.
"[I]f both IT and OT teams participate in the selection of technical measures and the decision-making process in factory cybersecurity, the implementation of technical measures will be easier," the report states. "In particular, there are significant differences in [the rate of adoption of] measures such as firewalls, IPS, and network segmentation."