How Secure Is Manufacturing?

Study finds that manufacturing industries struggle to find skilled cybersecurity staff and are underspending on training – but it's not all bad news...

Manufacturing has not attracted a lot of the security glitz afforded to other sectors. Yet prior research has found manufacturing to be the most targeted sector for coordinated cyber espionage.

The Information Systems Audit and Control Association (ISACA) and the Digital Manufacturing and Design Innovation Institute (DMDII) partnered to survey the global manufacturing sector and see what was going on. The survey involved 167 participants from across ISACA, DMDII and the Manufacturing Extension Partnership stakeholders.

The organizers admit the survey had a small sample size, but say they have "plans to expand this research with a larger-scale survey in the future."

The study found that manufacturers still face security concerns, including those related to Internet of Things (IoT)-integrated devices as well as employee security and the errors those employees may cause. Respondents also continue to struggle to find skilled cybersecurity staff and are probably underspending on security training.

However, positive results were found on many fronts compared to other sectors.

  • 78% of manufacturing organizations have a formal process for dealing with cybersecurity incidents, and 68% have one for ransomware attacks.
  • 77% expressed confidence in their security team's abilities to detect and respond to advanced persistent threats (APTs).
  • 34% noted they were experiencing more cybersecurity attacks today than a year ago, compared to 62% across all industries from ISACA's 2018 State of Cybersecurity survey.
  • 74% indicated they believed their organization's cybersecurity training budgets would either increase or at least be maintained at current levels; only 4% anticipated a decrease in the coming year.

There were still areas that needed attention.

  • 75% of manufacturing organizations have a program in place to promote cybersecurity awareness among their employees, but only 37% believe that their programs are very to completely effective.
  • 47% of manufacturing organizations are spending less than US $1,000 on average each year on continuing education opportunities for their staff -- versus 25% in other industries -- and nearly 1 in 10 reported that their enterprises spent nothing on average each year on these educational opportunities.
  • 81% of manufacturing organizations are somewhat to very concerned about the potential cybersecurity risks with personal, Internet-connected devices. Fifty-eight percent don't allow those devices to connect to the corporate network and 72% don't allow those devices to connect to the corporate network on the manufacturing floor. BYOD is not in fashion in the manufacturing sector, it seems.

Finding skilled cybersecurity staff remains a problem for manufacturers. Respondents indicated it takes an average of five months to fill open positions, and 61% of hiring managers said fewer than half of applicants are qualified.

Frank Downs, director of cybersecurity practices at ISACA, said in a prepared statement that, "Though the manufacturing industry has made great strides in addressing security issues, this research illustrates the need for organizations to elevate cybersecurity as a priority to build the foundation of its cybersecurity culture, better secure their operations, and strengthen the global digital economic ecosystem."

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.