Deloitte and MAPI study: Connected industrial control systems expose manufacturers to cyber threats

Nearly half of surveyed manufacturing executives lack confidence their assets are protected from external threats, according to a new study from Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) on “Cyber Risk in Advanced Manufacturing.”

Study results indicate nearly 40% of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38% of those impacted indicated cyber breaches resulted in damages in excess of $1 million.

“Manufacturers are innovating at an unprecedented rate, integrating cutting-edge technologies in products, automating the shop floor, connecting supply chains, and increasingly investing in valuable intellectual property,” said Trina Huelsman, vice chairman, Deloitte & Touche LLP and US industrial products and services leader. “While these advancements should position them for future growth, the industry is also likely to experience an acceleration in the velocity and sophistication of associated cyber threats. Cyber risk and innovation are closely linked, and through our study, we have identified leading practices manufacturers can implement to address these emerging risks and make their companies more secure, vigilant and resilient.”

Motives and means of attack
Surveyed manufacturers noted the top motives of cyberattacks to be financial theft, intellectual property theft, and targeted attacks on senior executives for financial gain or access to company strategies or investments. These manufacturers reported that in the past 12 months, the highest number of incidents originated within the organization (46%), while 39% came from external sources and 15% originated from vendors and business partners. Top threats arising from within the organization include phishing/pharming (32%), direct abuse of information technology systems (25%), errors/omissions (26%), and use of mobile devices (24%).

Intellectual property – the No. 1 risk to manufacturers
Intellectual property can constitute more than 80% of a company’s value according to Ocean Tomo’s “2015 annual study of intangible asset market value,” published March 5, 2015. In the study, 36% of manufacturing executives said that intellectual property tops the list of data protection concerns, followed by consumer data (32%) and accidental disclosure of personal information (29%). In addition, significant and increasing concern exists around more sophisticated state-sponsored attacks on intellectual property. Preventive and detective data protection strategies can help companies to secure their data from the inside out and capture the value of their investments in intellectual property.

“Cyber risk is a critical part of every manufacturing environment and demands attention from every employee, contractor, and business with whom a company interacts,” said Stephen Gold, president and CEO, MAPI. “The most effective approach will rely on more than the CIO or CISO by also engaging the board and C-suite. Company leadership needs to understand their comprehensive cyber risk profile to appropriately allocate resources to mitigate risk.”

Cyber risk on the shop floor
Industrial control systems operate highly automated manufacturing processes where employee safety, environmental protection, and operational efficiency are of paramount importance. Yet, 50% of surveyed companies indicate they perform vulnerability testing for industrial control systems less than once a month and 31% have never done an assessment. These are essential tools for identifying and mitigating cyber risks on the shop floor and clarifying organizational responsibilities between IT and operational technology employees. By implementing technologies to provide automated 24/7 cyber threat monitoring, manufacturers can become more vigilant in protecting critical manufacturing operations.

“To date, many companies have attempted to isolate the networks associated with their industrial control systems with an air gap, essentially a physical barrier between the industrial control systems networks, enterprise networks and the internet,” said Sean Peasley, partner, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. “However, if they haven’t actually tested the accessibility of these systems, they can miss hidden access points that could be vulnerable to attack. An air gap strategy is also contrary to industry trends in digital manufacturing, which are designed to generate cost-savings, automation and efficiency benefits.”

Connected products, exponential risks
Increasing reliance on technology-enabled connected products brings a new set of risks to manufacturers. Among executives surveyed, 45% said their organization uses mobile applications and 35% cited sensor controls. However, 40% of respondents said they have not yet incorporated connected products into the company’s cyber incident response plan. Planning ahead before a breach occurs — so the entire organization is prepared to respond and quickly neutralize threats — can help companies become more resilient. Leading companies design security into connected products and integrate them into the cyber program from the start. This is important because 76% of companies surveyed transmit product data using Wi-Fi, and 52% reported that their connected products store and/or transmit confidential data, including Social Security and banking information.

“Through the cyber risk in advanced manufacturing study, we identified both potential vulnerabilities and some great leading practices that manufacturers can leverage to deter attack and prevent loss of critical information and assets,” said Gold.

Click here for more information on Deloitte and MAPI’s study on Cyber Risk in Advanced Manufacturing.

Survey methodology
This study was conducted by Deloitte and MAPI. Responses were derived from 35 live executive interviews and industry organization interviews, an innovation lab, and in collaboration with Forbes Insights, MAPI collected 225 responses to an online survey.