A plan for defending US manufacturers from cyberattacks

From Equifax to Target to Britain’s National Health System, major players in finance, retail, and government are reeling from cyberattacks. The threats aren’t just to consumer-facing companies or traditionally IT-driven organizations. Today, some of the biggest hacking risks are to physical producers. The recent “WannaCry” virus forced a Honda plant in Japan to halt production. This summer, about half of the organizations targeted by the sweeping Petya cyberattack were manufacturers.

As the manufacturing sector gets increasingly interwoven with information technology and the Internet of Things, industrial firms are increasingly at risk. Beyond the scale and intensity of the threat, there’s another issue: lack of awareness. Too few manufacturing firms in the United States acknowledge the need for action. 

Two think tanks, MForesight: The Alliance for Manufacturing Foresight and the Computing Community Consortium, just issued a new report detailing how government, industry, and academia can come together to recognize and address the situation. Of all the report’s findings, one is primary: There’s no time to lose.

{mosads}An estimated 400 companies were targeted in cyberattacks every single day in 2016, resulting in more than $3 billion in losses. The risks to manufacturers specifically are growing — from sophisticated Stuxnet-style attacks to now-commonplace ransomware risks. Manufacturers must reckon with attempts to corrupt data, steal intellectual property, sabotage industrial equipment, and disable communications. There are all kinds of motives behind these attacks. But they’re all costly.

There are several reasons why manufacturers are at special risk. More than most sectors, modern manufacturing relies on flows of materials, parts, assemblies, energy, data, and people from diverse and changing sources. Modern supply chains are hyperconnected systems of contractors and customers. Most factory floors run 24-hours a day and include complex combinations of cutting-edge equipment and decades-old machines — making it difficult to test and maintain systems or to rely on existing cybersecurity products and tools. 

Cybersecurity needs to become a deeply ingrained part of every manufacturing company’s culture — embedded in management decisions, workforce training, and investment calculations. Much like Japanese competition gave rise to a new quality culture in US industry in the 1980s, the hacking threat can and should give rise to a new culture of care and vigilance today. Cybersecurity defenses — including new cybersecurity certification programs—can help companies build their competitive advantage.

The new report demonstrates that there’s no shortage of options. Policymakers, business leaders, and academics should consider the following steps:

1) Build partnerships. There’s a need for new third-party partners to coordinate better sector-wide strategic planning and training programs, including new “boot camps” for preventative action and crisis management.

2) Invest in R&D. There’s a need for research around near-term needs (like automated risk assessment tools, tools to audit the extent of attacks, and effective validation programs for parts and data) as well as long-term needs (like defining Information Technology and Operational Technology functions and consistent standards and integration requirements for diverse players in a supply chain).

3) Share information. Manufacturers need an Information Security Advisory Council (ISAC) or similar mechanism to facilitate fault-free, anonymous sharing on incidents, threats, vulnerabilities, best practices, and solutions. Existing ISACs can provide useful models.

The bottom line is simple: Business and government need to get together and think strategically about cyber defense.

This summer’s Equifax hack was a wakeup call to millions of Americans about the rising challenge of data insecurity. The nation’s industrial firms should heed warnings and adopt proven practices rather than waiting until it’s too late.

Cybersecurity is a serious challenge for the manufacturing sector. But — with foresight — it’s surmountable.

Sridhar Kota is the Herrick Professor of Engineering at the University of Michigan-Ann Arbor and a director at MForesight. He served as the assistant director for advanced manufacturing at the White House Office of Science and Technology Policy from 2009-2012.