Earlier this year, IT consulting company CGI released its 2020 CGI Client Global Insights report. Among the report’s many insights were a number of findings related to the world of smart factories.
The report includes the results of more than 1,400 interviews with executives around the globe about how business and IT priorities are evolving. According to those interviews, 69 percent of executives in the manufacturing industry indicate they face cybersecurity challenges in implementing their digital transformation strategies. That’s a 10 percent increase from 59 percent in 2019.
Digital transformation in manufacturing, or Industry 4.0, has become a major priority, but securing smart factories remains a significant hurdle. According to CGI, production facilities are increasingly integrating Internet of Things devices to monitor and control production systems, while brownfield plants are being upgraded to smart factories with the use of wireless IoT devices.
“This transformation is driving innovation in new products and services, digitization of business processes and the creation of new business models and ecosystems,” CGI said in a recent whitepaper. “This fourth wave is very exciting, yet it also comes with significant challenges for manufacturers as it makes operations across the enterprise and supply chain more vulnerable to cyber threats.”
By 2025, the total installed base of IoT connected devices is expected to reach 75.44 billion worldwide. In smart factories, this includes wireless connected sensors, networks and mobile devices like smartphones, tablets and wearables.
As a result, industrial control systems can now be fully automated and virtually unmanned. Supervisory control and data acquisition systems, distributed control systems and manufacturing execution systems can now be equipped with mobile human-machine interfaces and wireless communication facilities that enable operators and engineers to control equipment from physical locations both within and outside the plant.
“With digital factories and a digitally connected value chain, there is a need for increased security, and traditional IT security is not enough to protect manufacturing organizations,” CGI says in the whitepaper. “Manufacturers need to take a holistic end-to-end approach—one that addresses people, processes, and technology—to adequately defend against growing cyber risks.
“Achieving this requires a multi-pronged approach—one where cybersecurity policies, procedures, and controls are in place, there is greater awareness of cyber risks among employees, internal training programs are conducted regularly to stay current on skills and evolving threats, and there is access to the best cybersecurity talent and intelligence.”
In order to secure smart factories, CGI recommends a three-prong approach. Organizations should identify potential security risks from an organizational and technical point of view; effectively monitor the industrial environment, assets and connections; and mitigate identified security risks related to people, processes and technology.
“In the past, manufacturers viewed cybersecurity as a separate endeavor. Today, we see enterprises increasingly seeing it as an integrated activity as they implement and operationalize more digital transformation strategies, including adopting Industry 4.0. In this era, only a holistic approach across people, processes, technology and governance can provide the best defense against the increasing speed and array of cyber threats,” CGI said. “To stay ahead of cyber crime, manufacturers need to stay vigilant and be resilient. Assessing, securing and monitoring OT systems on a regular basis is key to adequately protecting against today’s and tomorrow’s risks.”
In 2019, professional services firm Deloitte conducted a survey of manufacturers about cybersecurity efforts at their smart factories. According to Deloitte’s report, 48 percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives.
“These cyber issues can interrupt operations or compromise safety. The methods include denial-of-service attacks or adversaries using administrative privileges to execute new code,” the report says. “In short, the threat landscape for the systems that control operations of a production facility has proliferated rapidly with the increase in digitization and advanced technologies.”
The study found that 8 in 10 manufacturers have at least some capabilities to detect and respond to cyber threats. Four in 10 manufacturers surveyed indicated that their operations were affected by a cyber incident in the past 12 months. And $330,000 was the average financial impact from an IoT-focused cyber incident.
“As smart factory initiatives continue to proliferate across the global footprint of manufacturers, cyber risks are expected to continue to increase,” the report says. “As the 2019 Deloitte and MAPI Smart Factory Study reveals, the cyber preparedness of many manufacturers is less mature than likely necessary to protect against not only current threats, but also new threats and vulnerabilities that digital technologies create. Manufacturing organizations should invest in a holistic cyber management program that extends across the enterprise (IT and OT) to identify, protect, respond to and recover from cyberattacks.”
Earlier this year, IT security company Trend Micro released a security analysis of smart manufacturing systems. The report highlights security-sensitive areas in a typical smart manufacturing system.
According to the report, industrial software delivered as packaged add-ins, extensions or apps is a powerful attack vector. Trend Micro indicates that if delivery platforms like app stores aren’t properly secured, they can indirectly infect critical endpoints such as engineering workstations. From there, attacks can spread down to the production floor and persist.
Custom industrial IoT devices are becoming more popular in smart factories. They allow engineers to run fully custom automation logic on the production floor. But the report shows that this flexibility and lowered access bar for developers can be detrimental to security.
“Instead of trusting one vendor that develops the software running on these devices — usually the devices’ vendor — the users (e.g., system integrators) will have to manage an oft-intricate chain of trust, with many third-party libraries imported in the final software,” the report says. “Given that attackers have recently been targeting such libraries to compromise software at its origin, we deem it important to raise awareness of the very same risk in industrial settings, where it is likely to have a greater impact.”
Human-machine interfaces, which have a wide attack surface, are another key element of smart factories. HMIs are general-purpose computers with many interfaces and software vulnerabilities. They also aren’t upgraded often.
“The complexity of HMIs is also growing. We show that current mobile HMIs suffer from the typical issues found in unsecure mobile apps — a sign that they might not be ready for widespread use,” the report says. “Some are deployed via sideloading, use unsecure protocols to communicate with the back-end, and are shipped with hard-coded credentials, all of which position them as one of the weak links in this complex ecosystem.”
Smart factories also include manufacturing execution systems. According to Trend Micro, these are the most sensitive endpoints in a smart manufacturing system because they act as a trusted bridge between the production floor and the rest of the corporate network.
“MESs are highly customized products that revolve around one or more databases that contain complex automation logic and work plans,” the report says. “We show the consequences of a slight alteration in one of the databases, which could result in damaged manufactured goods if the MES was not designed with security in mind and with specific countermeasures.”
Trend Micro’s report identifies industrial robots as another vulnerable component of smart factories. These programmable manufacturing machines possess computational power that can go beyond performing physical movements.
“Nowadays, they can run general-purpose computing tasks, which not only can be a source of vulnerabilities, but can also be abused by an attacker to hide malicious logic that could evade current endpoint protection solutions since it will be considered as valid machine automation code,” the report says.