Look around you. Unless you’re reading this in the middle of the Sahara Desert or Amazon Jungle, it’s a safe bet that there are at least three different electronic devices and applications close to you that have, or can have, some kind of connection to the internet.
Gone are the days when having the internet on everyday items was seen as something out of science fiction.
Take your smartphone, for example. When you break it down, it is basically a global encyclopaedia, television, games console, camera, calendar, telephone box, pager and more, crammed into a small handset. Can you imagine not having such a device and having to lug all those items around with you? The internet and connected devices, such as smartphones, are a great aid for us as human beings, as are the various machines and devices that are used within our manufacturing plants and workshops everyday.
However, as has always been the case, there are people out there that manage to take a positive and turn it negative, and in the 21st century these people are commonly known as hackers – people who aim to use computers and other electronic devices to gain unauthorised access to data and machines.
In recent years, hackers, cyber-attacks, and data breaches have been cast into the spotlight by companies and the media alike – often defined as one of the next big threats that the world is dealing with. But should UK manufacturers be worried?
Data says do more
The Department for Digital, Culture, Media & Sport warned in August that the UK’s top firms and charities urgently need to do more to protect themselves from online threats.
A survey (http://bit.ly/2uXEDri) of the UK’s 350 biggest companies found that more than two-thirds of boards had not received training to deal with a cyber incident (68%), despite more than half stating that cyber threats are a top risk to their businesses (54%).
In addition, one in ten FTSE 350 companies said they operate without a response plan for a cyber incident and less than a third of boards receive comprehensive cyber risk information (31%).
Matt Hancock, minister for digital, commented: “Recent cyber-attacks have shown the devastating effects of not getting our approach to cyber security right. These new reports show we have a long way to go until all our organisations are adopting best practice and I urge all senior executives to work with the National Cyber Security Centre and take up the government’s advice and training.”
Separate research (http://bit.ly/2zPCtsG) released in the same month by specialist business continuity and disaster recovery provider Databarracks also warned that there is a continuing failure to prepare for cyber-attacks.
It found that 31% of the 400 organisations surveyed have been affected by cyber-crime in the past 12 months and 41% haven’t invested in any safeguards over the last year.
Meanwhile, just 34% of organisations said they have invested in cyber awareness training and only 11% of organisations have certified to a cyber security framework.
So, we know that cyber-attacks are a big concern and companies are failing to prepare and invest, but what steps can manufacturers take, in order to stop and mitigate against them?
Cyber awareness training
Cyber security breaches are often well documented, most notably the ‘WannaCry’ ransomware attack that crippled the globe earlier this year and demanded payment in return for access to files.
Although it made many organisations and companies go into panic mode as they were brought to a standstill, it did highlight that many companies and organisation are, and clearly were, not prepared to deal with such an attack and had no plan of action once an attack took place.
Peter Groucutt, managing director at Databarracks, says that ongoing cyber awareness training is an “integral element” in an organisation’s defence against cyber-attacks. He recommends that organisations which only carry out awareness training once a year – typically as part of an initial employee induction – should increase this to at least twice annually, as well as provide employees with frequent security refreshers.
“The rate of change in cyber threats means that we all need to constantly adapt our methods of protection,” he explains. “It is no longer acceptable for cyber awareness training to be a five-minute warning given to new starters – the entire workforce needs to be informed and up to date on new threats.
“Additionally, this approach needs to be supported by the IT department which, when an incident occurs, needs to communicate this to the entire business, providing insight as to why an incident took place, what the implications were and, most importantly, what can be done to prevent this from happening again.
“Protecting your organisation from threats is not just about preventative technology, it’s also about building a culture of information security. An employee’s understanding of security is one of the most important and effective security measures that organisations should be investing in, not least because unwitting employees are often the unknowing accomplices within an attack. While good security habits take time, it is better to invest in good practices now than pay the price later.”
Identify your status
There are also other steps that UK manufacturing firms can take. Paul Hingley, business manager of data services, MindSphere, safety, plant analytics and industrial cyber security at Siemens UK & Ireland, says that the first step UK manufacturers need to take, in order to prepare for a cyber-attack, is to understand what their “status” is – what is their footprint with regards to protection against an actual cyber-attack.
“The biggest issue we see with companies is that they don’t really understand where the attack will come from,” he explains. “They don’t understand what is actually connected to their operational technology (OT). What actually is their status with regards to security – understanding what is actually connected to your networks – is the first step and what you generally find is the surprise in what
is connected.”
Once companies have identified their status, Hingley says that they should then seek input from those relevant to their industry. “From an automation perspective, for example, if they are primarily a Siemens user, then speak to Siemens and ask for advice around their product, the utilisation of the product and what security steps can be taken around the products themselves. That would be the same with any vendor – gathering as much information as possible around the implementation of the products that are on their OT network.”
The next step is to then understand where you are with regards to the operating systems – have they been patch managed? Hingley says: “In some businesses, they are running on firmware that hasn’t been patched and that’s a major problem. So, in the audit element of security, firms need to identify what’s on the network, the network history (applied patches) and if the software has been updated. It’s almost like doing a risk threat or vulnerability analysis where you bring all the elements together in a document that identifies how to mitigate all the issues you’ve found.”
Loss of data
Tony Mannion, sales development manager at SolutionsPT, agrees that unpatched systems are a big problem. “Many attacks are not targeted, meaning all systems, including unpatched systems, Windows systems and the aforementioned legacy systems, are vulnerable to infection, he says. “Similarly, if a ransomware attack can infect your systems, for networks that suffer from a lack of visibility, knowing what the malware is targeting and what damage it is doing is almost impossible.
“But perhaps the biggest threat to manufacturers lies in the loss of data. This is a huge issue for manufacturers, because, as well as being enormously disruptive to operations, the loss of key data often carries with it legal implications, as some industries are required to provide information to government agencies, such as the Environment Agency, and failure to do so will result in substantial fines. Likewise, for manufacturers in regulated industries that are unable to sell their products into certain markets, unless they have a complete set of production data, such as the pharmaceutical industry, the loss of data can be catastrophic.
“Manufacturers need to ensure they are protected against ransomware attacks by having a protective strategy in place which can identify an infection early. Manufacturers need to develop an architecture that is inherently secure by design and ensure they have a plan in place to protect them against the threat of multiple types of cyber-attacks.
“This is a cultural issue and the biggest victory a company can achieve against cyber criminals is for a shift in mindset around the OT environment. A disaster resilience provision should be the cornerstone of every manufacturer’s cyber security strategy, as this will ensure they are able to function in the event of an attack, even when it’s impossible to prevent the attack from occurring in the first place.”
Continuous monitoring
Hingley also recommends looking at 62443 (International Electrotechnical Commission standards). Although not fully released yet, they give a good understanding of how to design a protection level for your plant.
In addition, he says that firms should also continuously monitor security as only with continuous monitoring can you have continuous validation. “One of the biggest issues is that you put these systems in place and walk away, and then it turns unsecure,” he warns. “You may have mitigated, but then a new virus comes and it hasn’t been recognised.”
Don’t ignore the threat
The risk to manufacturers has never been higher.
Ransomware and other cyber-attacks have become a major problem, and with its ability to spread quickly and force unscheduled downtime, manufacturers can no longer afford to ignore the threat it poses. Data shows that we know it is a big threat, but are still lagging behind where we need to be. Could 2018 be the year when cyber security sits at the top of the manufacturing priority list? I certainly hope so.
Box out: WannaCry attack
Earlier this year, what was described as the ‘biggest ransomware attack in history’ took place, infecting some 150 countries.
In the UK, the NHS was the worst hit by the computer virus, also known as ‘WannaCry’, which encrypts data on infected computers and demands ransom payment to allow users access.
In the manufacturing world, it was also reported that Nissan’s Sunderland car factory was hit by the cyber-attack, with a spokesman stating that “like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems”.
Following the attack, the National Audit Office (NAO) launched an investigation that focused on the ransomware impact on the NHS and
its patients. The report findings were released at the end of October this year, but why was the NHS so badly affected and what steps were taken in response to the attack?
The investigation found:
● The Department was warned about the risks of cyber-attacks on the NHS a year before WannaCry and, although it had work underway, it did not formally respond with a written report until July 2017.
● The attack led to disruption in at least 34% of trusts in England, although the Department and NHS England do not know the full extent of the disruption.
● Thousands of appointments and operations were cancelled and in five areas patients had to travel further to accident and emergency departments.
● The Department, NHS England and the National Crime Agency said that no NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS.
● The cyber-attack could have caused more disruption, if it had not been stopped by a cyber researcher activating a ‘kill switch’, so that WannaCry stopped locking devices.
● The Department had developed a plan that included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level.
● NHS England initially focused on maintaining emergency care.
● NHS Digital said that all organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched, or unsupported, Windows operating systems, so they were susceptible to the ransomware.
● The NHS has accepted that there are lessons to learn from WannaCry and is taking action.
“The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber threats out there than WannaCry, so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.” Amyas Morse, head of the National Audit Office