Forbes estimates that the annual cost of cybercrime to the global economy will rise to as much as a staggering $2 trillion per year by 2019, and as many as one in every five companies has suffered a security breach leading to intellectual property loss according Kaspersky in 2014.
It's often hard for the manufacturing community to talk about its experiences – businesses have a multitude of reasons not to freely admit to security vulnerabilities.
Talking to manufacturing executives throughout EMEA, I’m at times pleasantly surprised and at times slightly concerned by the levels of security understanding I encounter.
Some companies have an established security strategy and embedded security culture, and their leaders want to talk to me about how our alliance with Cisco and The Connected Enterprise concept can help deliver some of the most secure networking protocols commercially available into the industrial space.
Other companies are less advanced and know that security is an issue but have very patchy understanding and knowledge –such as "don't use memory sticks."
That’s good advice of course – we all remember the Stuxnet virus that hit the headlines six years ago by attacking specific PLCs is widely thought to have propagated through USB sticks, but it’s a drop in the ocean of a proper defence-in-depth industrial security approach to counter the highly evolved methods used by cyber criminals today.
Let's quickly put to bed the notion that any manufacturer can realistically avoid security risk by keeping their businesses “offline.” The evolution towards more integrated and connected manufacturing won't go away.
The drivers for this are numerous – productivity, efficiency, maintenance, uptime, and supply chain benefits not only make it appealing, they make not embracing the new era an unsustainable approach. Some industries, such as pharmaceutical, are moving towards a legal requirement for data visibility to provide the serialisation and traceability information needed at point of sale for their products.
It's hard to think of a good analogy, but perhaps you could say trying to keep production “offline” would be like trying to run a business without email.
Yes, it was possible once, no, it's not possible now. Moreover, most manufacturers already have one foot through the door with IT and ERP systems online. It's vital that such businesses have an active strategy for industrial security.
For companies embracing the Industrie 4.0 principles, any point of weakness in either IT or OT potentially exposes the whole enterprise, so even if you have the latest patches and a state-of-the-art firewall, if the latest addition to the production line was installed with (cheaper) unmanaged network switches, for example, anyone could potentially plug in directly and gain access to your entire business.
So, what do I tell people to do? Well, no matter how developed your approach to industrial security, it’s a journey, not a destination. It requires constant vigilance and a security culture within the company.
Most importantly, the starting point is to assess where your security is and to adopt that layered, defence-in-depth approach I mentioned.
As more and more operational technology (OT) is connected to information technology (IT) there become more potential points of entry to business critical information.
Controlling the levels of access for employees and contract workers, actively managing security patch updates and using the full extent of physical and electronic mechanisms should be twinned with company policies, procedures and guidelines.
How safe is your enterprise? If you’re not sure, it’s definitely time to evaluate
your approach and look for the right technology allies.
Thomas Donato is President EMEA, Rockwell Automation