First, the good news: An increasing number of manufacturers are awakening to cybersecurity threats. This is a pretty big deal considering that, just a few years ago, most manufacturers outside of critical industries did not perceive themselves to be a potential target for cybersecurity attacks. According to a recent study conducted by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI), two-thirds of manufacturers have conducted a cyber risk assessment of their industrial control systems (ICS).
Now, the bad news: Nearly one-third of manufacturers have not performed any cyber risk assessments of their ICS. Potentially more concerning is the fact that nearly two-thirds of the manufacturers that told the Deloitte/MAPI survey they had performed ICS cyber risk assessments did so using internal resources. This leaves their assessments open to an array of internal biases.
The results of the Deloitte/MAPI survey are worth noting because they are based on responses from 225 cyber risk executives at manufacturing firms ranging from industrial equipment, computer hardware and electronics manufacturers to suppliers of automation technology and consumer appliances. In addition, 39 percent of respondents had experienced a cyber incident in the last 12 months, meaning that cybersecurity issues are not an abstract threat for many of them.
Other results from the survey that indicate how much cybersecurity protection work remains for most manufacturers include:
* 43 percent of manufacturing executives said they rely on air gapping to isolate their facilities from outside networks. The Deloitte/MAPI survey report notes, “Although air-gapping is a common approach to ICS security, when companies actually take the next step to test that strategy, they often find it is a fallacy. Since many manufacturers have not tested or monitored this control or conducted a thorough inventory of connected assets, live network access points, especially easy-to-install wireless access points, can remain hidden from view.”
* Half of the respondents perform targeted vulnerability or penetration tests on their ICS less than once a month.
* More than one-quarter of respondents note that their incident response programs do not include operational technology (OT). In other words, their cybersecurity response programs only address front office IT systems and not the plant floor.
* 25 percent of responding companies do not develop, implement or document ICS-specific policies and procedures.
The takeaway for readers is that, although a lot of positive work has been done to address industrial cybersecurity issues, much work remains, especially when it comes to plant floor automation and control systems. See the Automation World articles below for more information about how your peers are addressing their cybersecurity concerns.