State and federal governments, along with the private companies that make up the manufacturing sector, should prioritize cybersecurity through training programs, policy initiatives and communication channels. The future of the industry relies on new technologies that can, and have, created the risk of catastrophic breaches.
It’s not just financial companies with piles of confidential data that are falling victim to cyber-attacks in this new era of connectivity. The manufacturing industry is a hot new target for sophisticated ransomware and phishing schemes that can shut down entire operations, leaving firms vulnerable to extortion or worse.
Advancements within this sector require the prioritization of cybersecurity measures to combat new, ever-evolving sophisticated means of attack. Public-private partnerships can ensure the safety and well-being of a targeted manufacturer as well as their customers and vendors.
Manufacturers in the Crosshairs
Mondelez International, Inc., a U.S. multinational food and snack manufacturing company, was just one of several companies attacked by malware nicknamed NotPetya in 2017. The attack wound up costing its targets more than $10 billion in total damages when accounting for business down time and repair. The severity of the damage left some of the companies obligated to report the damage to the SEC.
Another example came when Norsk Hydro, an aluminum company headquartered in Norway, was attacked by a strain of ransomware called LockerGoga. The virus infected multiple systems across the organization.*
With the growth of the IIoT, the situation will only get worse if this industry doesn’t prioritize robust cybersecurity hygiene.
Cyber Priorities for Manufacturers
Statistics show that most often cyber-attacks are based on human error. Employee training is a simple and cost-effective way to ensure that firms of all sizes are adequately enforcing best cybersecurity practices from within.
While cyber-attacks ought to be seen as a risk that must be primarily managed at the company level, there can also be a role for both state and federal governments.
While most pieces of legislation that have been enacted or introduced to help mitigate these types of issues have been punitive, most notably the General Data Protection Regulation in the European Union, others such as the Ohio Data Protection Act offer incentives such as a legal safe harbor for meeting certain cybersecurity thresholds.
Incentive-based legislation can be a win-win for both the government and the manufacturing firms that must remain compliant. For instance, setting minimum thresholds—such as the completion of baseline training programs geared toward the manufacturing industry in exchange for a tax credit or legal safe harbor—will help to protect the advancement of local economies while giving firms a competitive edge.
Other avenues for constructive government involvement can include government grant programs that could provide either financial assistance for cyber-awareness training programs or government experts who visit manufacturing firms to provide tutorials on best practices to provide insight that goes beyond the standard employee training programs offered today.
For example, representatives from the National Institute of Standards and Technology could conduct site visits at manufacturing firms not only to explain cybersecurity trends that the government is privy to, but also to answer questions that companies might have on compliance.
A well-managed government grant program can yield strong public outcomes when manufacturing firms are able to protect themselves from attacks that can directly influence state employment rates and tax bases.
National security is yet another argument for government support. Foreign adversaries have on numerous occasions attempted to leverage an attack on private companies in the U.S. as an attempt to garner access to the government information they hold.
The industry itself has opportunities to strengthen cyber defenses among members. Manufacturing firms can share their experiences regarding cybersecurity with others in their industry in a productive way. Whether at organized forums or conferences, these types of communication channels are essential to helping the industry work together to anticipate the ever evolving cyber threat landscape.
For instance, the Illinois Manufacturing Excellence Center has held Cybersecurity Forums presented by the National Association of Manufacturers. At these forums, CISOs, CIOs, CTOs and manufacturing technology leaders come together for a day of learning around the cyber-threat landscape and cybersecurity trends.
Investors and operators need to have confidence in the manufacturing industry and its ability to protect themselves from potential attacks—leading to growth for the individual company at one level, and the American economy at another.
Lessons need to be shared within the industry, support needs to be offered where it can, and most importantly, one of our country’s most important sectors needs to be protected.
The manufacturing industry of today isn’t the same as it was five, 10 or 20 years ago, and that’s a good thing. However, the risks that accompany that growth can’t be ignored.
Rick Lazio is a senior vice president with alliantgroup, serving on its Strategic Advisory Board. He is a former U.S. Representative from New York serving in Congress from 1993-2001, where he became a strong advocate for small businesses by sponsoring the successful Small Business Tax Fairness Act. After Congress, Rick moved to the private sector, working for JP Morgan Chase as a managing director and then executive vice president.
*Correction: A short passage in the original version with erroneous information about the Norsk Hydro attack has been taken out.