While cybersecurity is an issue of concern for all companies, manufacturers face a considerable challenge in potentially having their whole production operation shut down because of a hacker.
That’s one major reason why manufacturers should take action to educate themselves and prevent threats from doing damage, according to a local expert.
“Industrial systems have become the focal point of cybercrime,” said Alex Greenzweig, lead SOC engineer and penetration tester Netizen Corp., a computer security firm in South Whitehall Township. “They can take down a whole production facility, like that, if they get in.”
On Wednesday, Greenzweig provided a presentation on “Cybersecurity and Industrial Control Systems” as part of the Manufacturers Resource Center’s breakfast and learn series.
With more sophisticated technology that manufacturers use to operate their facilities, that means more of these controls could be open to hackers.
The source of the break-ins could be state or nation-sponsored hackers, including those from any country looking to take down the U.S., including potentially Iran, Russia or China, or any malicious insider or whistleblower looking to do harm, he added.
Naturally, one of the barriers manufacturers face in having more secure operating systems is the cost.
Cybersecurity programs are expensive and the software could cost as high as $30,000 per year, he added.
However, the downside to not having a more secure system is the estimated $4 million to $10 million cost in damages that hackers do when breaking into the system and stealing data or shutting down operations, according to Greenzweig.
“Most companies pay that to overcome a cyber-security breach.”
And potentially, when companies get breached, particularly small ones, they’re out of business.
What leads to companies and manufacturers in particular to experience these attacks?
Two main elements are resource disparity and the outsourcing of more data to the cloud, he said.
Many of the devices manufacturers are using to power their facilities have open protocols, which makes them more vulnerable to attacks. Furthermore, smaller companies, in particular are unable to secure their infrastructure.
By next year, cyber security is estimated to cost the global economy up to 6 trillion, he added.
While no companies are 100 percent secure, there are ways to protect infrastructure, such as making sure to scan for open ports on devices and closing them. It also helps to run a vulnerability scanner and perform a penetration test, which involves hiring a third party to test the system so the company gets a true, honest report, he said.
Another strategy is to make sure computer numeric controlled (CNC) machines are separated from the corporate network so they are not directly connected to the internet.
“Build a culture of security,” Greenzweig said. “A lot of times you have to get everyone on board. Do workforce training campaigns.”
Companies should also perform monitoring and auditing of their systems and do a risk assessment, as well as have a backup server for data storage.
Planning for a breach is helpful as is collaborating with industry, academia and the government to gain new knowledge and insights on cybersecurity advances, he added.
“A hacker goes for the most easy target,” Greenzweig said.
Phishing emails, which are emails sent by a hacker disguised as legitimate emails, are often a way for hackers to get into a system to send malware or gain access to data, particularly for small to midsize companies.
A helpful hint is to always check the email address to ensure it’s accurate.
As a relatively new crime, cybercrime has also helped spark the emergence of cybersecurity insurance as a more prominent role in managing the loss of a data breach and helping with the recovery process.
Chip Buck, an insurance and risk management advisor for HMK Insurance, Hanover Township, Northampton County, gave a presentation on how cybersecurity can help manufacturers, while acknowledging its “Wild Wild West” nature for a sector of the insurance industry.
“The language they are using is not standardized, every carrier writes their own policy,” Buck said.
Many times, the language of the cybersecurity policy is outdated, he added.
“All of the policies out there are written by individual companies,” Buck said.
The catastrophic cost of a data breach is one reason to buy cybersecurity insurance, since a company has to tell the world it experienced a breach, and that will affect future business, he added.
The cost for this type of insurance starts at about $1,000 per year but depends on the type and size of the business.
Cybersecurity insurance is a classic case of “a new and breaking product,” he added.