Cyber attacks on manufacturing firms are skyrocketing, according to new research, but fewer than half are prepared for a rising tide of threats.
A global survey carried out for telecoms firm Telstra found that eight-in-ten manufacturing firms experienced a significant increase in overall security incidents or breaches last year.
Behind the rise is a move towards technologies such as cloud, AI, and Internet of Things (IoT) as part of digital transformation. And while the convergence of IT with traditional OT has big benefits in terms of scale, resilience, and operational efficiency, it also increases the attack surface for cyber threats.
Critical industries are increasingly lucrative targets for ransomware; and manufacturers affected by a cyber attack reported resilience or availability issues that cost them between $200,000 and $2 million each.
The biggest hits came when incidents affected enterprise and corporate systems or production control.
"Greater connectivity between IT and OT is necessary to harness advanced technology for manufacturing innovation, but it increases the risks of a breach. However, very few firms are mature in protecting and defending against such cyber risks," said Geraldine Kor, Telstra International's head of global enterprise business.
"Our study also uncovered a fragmented approach to security responsibility, which can leave manufacturing businesses without a clear direction. This responsibility must be clear and integrated so that one group or person will have the authority to act on security challenges for mission-critical systems."
IT air gapping no longer effective
The manufacturing and other industrial sectors have historically relied on air gapping for security, separating OT systems from corporate IT systems to protect against external threats.
However, the report warned the convergence of IT and OT has expanded the threat surface significantly, meaning this approach is no longer sustainable.
Nearly nine-in-ten respondents said connecting IT with OT was important or very important to achieve positive business outcomes. Industry 4.0 was the top factor driving IT-OT convergence over the past two years, with 47% of respondents citing it alongside cybersecurity, and increasing resiliency and availability.
However, based on the NIST and ISA95 frameworks to assess the current maturity of organizations in securing IT/OT convergence, only 45% of all manufacturers were very prepared for IT/OT converged security across important areas such as networking, security awareness, supply chain risks, and cultural issues.
Cyber-to-physical security attacks accounted for three-quarters of incidents, the report found, with most taking place at the higher level of the IT/OT stack.
Advanced persistent threats (APT), malware, and distributed denial of service (DDoS) were the most prevalent type of attack on OT systems.
"IT and OT integration create enormous value for organisations across industries, although organisations must address risks to unlock its potential," said Ganesh Narayanan, Telstra International's global head of cybersecurity.
"Organizations should prioritize IT/OT and IoT security across six core areas: collaboration and planning, defining a strategy, bolstering technical expertise, assigning responsibility and accountability, leveraging the right tools, and expediting readiness with standards."
Responsibility for OT security is increasingly falling under the remit of CISOs and other executives from an IT security background. One-in-five respondents said their CISO was responsible for understanding and implementing IT/OT converged security in their organization.
But they reported challenges in finding skilled and experienced staff who understand both IT and OT from a security perspective, leading most firms to engage outside help.
MORE FROM ITPRO
