Digital technologies have had a positive impact on manufacturing in terms of productivity, efficiency, and inventiveness. Manufacturers are increasingly embracing IoT-enabled digitalisation and integration throughout their facilities and supply chains to maintain a competitive advantage in the global market.
However, as the Internet of Things (IoT) and remotely connected devices become more common in industrial settings, safety is at risk as there are more opportunities for cyber intrusions with a larger surface area to attack.
Moreover, the increased adoption of digital technologies in manufacturing has raised the risk of cyber threats, which can potentially compromise sensitive manufacturing data and disrupt production processes.
In light of these challenges, digital resilience has become a top priority for manufacturers as they seek to safeguard their operations against possible intrusions. Most companies are designing more robust strategies or are looking to bolster existing measures.
Cybersecurity threats to the manufacturing sector include phishing, ransomware, malware, supply chain disruptions and insider threats. Manufacturers must create a thorough cybersecurity plan that considers both operational technology (OT) and information technology (IT) systems to effectively tackle these dangers.
Given that many OT systems were developed without taking security precautions into account, manufacturers are extremely vulnerable to cyber threats. This is a matter of great concern, as it leaves their systems open to cyberattacks and increases the likelihood of their production processes being compromised.
The impact of cyber breaches on manufacturing operations
In an exclusive interview with OpenGov Asia, Jagathesh Rajavasagam, Risk & Cyber Security Officer, Abbott, Singapore acknowledges that the current cybersecurity landscape presents several challenges for the manufacturing industry and emphasised the need for a holistic approach to address them.
“One of the challenges is that manufacturing is not designed to focus on security but rather functionality. Secondly, Operation Technology (OT) devices are designed and developed for specific purposes by third-party vendors. Thirdly, people are trained to deliver results from an engineering perspective, but not to address cybersecurity challenges,” Jagathesh elaborates.
He recognises that the supply chain in the manufacturing industry involves multiple suppliers throughout the entire product lifecycle, from raw material suppliers to end consumers. A risk-based approach should be taken to safeguard it, with critical vendors identified and prioritised for attention.
The importance of managing cybersecurity risks in the supply chain, especially with external vendors, cannot be understated. Moreover, emerging regulatory expectations require businesses to report any cyber incidents within a specific period.
From an external perspective, businesses need to ensure that they have a well-thought-out system to manage the risks and enforce contract clauses related to data security and cybersecurity.
Internally, measures need to be put in place to mitigate inadvertent or malicious exposures to attacks. Account takeovers and Business Email Compromises (BEC) are commonly employed by hackers as means to breach systems. The attackers look at the extended nature of the OT network and IT interface and find the weakest link to get into the (Operational Technology) OT network.
“To address the entire spectrum of possibilities and issues, businesses need to focus on both inside-out and outside-in approaches,” Jagathesh suggests. “Overall, the goal is to ensure that the end-to-end supply chain is secure from a risk and cybersecurity perspective.”
The inside-out approach requires businesses to focus on their suppliers and ensure that they comply with cybersecurity requirements. The outside-in approach requires businesses to evaluate the cybersecurity practices of their vendors and the access they have to critical systems.
From Jagathesh’s observations, the current operating environment of the manufacturing industry has evolved from a people-centric to a process-centric to an automation-centric approach by leveraging data and technological advancements. Moving towards connected interfaces, the adoption of new technologies and IoT devices for automation and integration is inevitable in the near future.
However, the manufacturing industry challenges include, identifying critical assets, classifying IoT devices & understanding the business impacts with a legacy environment are considered significant security risks. Often, Emerging technological devices are deployed without being added to asset inventories and lack risk assessment, leading to unknown security risks. It is important to consider security from a device’s operational, security & Business impact standpoint.
To mitigate this, companies can collaborate closely with their business units to understand their needs and requirements, ensure that devices meet baseline security requirements from third-party vendors, and appropriately inventory the devices with the right security tools installed. Furthermore, automation capabilities can be utilised to address cybersecurity concerns, with visibility provided by a security operation centre (SOC).
Jagathesh agrees that there is a need to identify key risks before looking at ways to address them. Risks can be classified as known knowns, known unknowns and unknown unknowns. “The biggest challenge is the unknown unknowns, as many manufacturing systems were not designed with security in mind and may not be able to cope with the sophisticated attacks.”
He recommends a three-step approach: first, gain visibility of the environment; second, collect data and filter it into a data-centric model; and third, use a risk-based approach to develop mitigation strategies. Without these steps, it can be difficult to know where to focus efforts and what risks to address.
The financial performance and impact of a cyber-attack on a manufacturing company can be significant. Manufacturing availability is crucial, and a successful cyber-attack can disrupt the supply chain, leading to financial impacts on the business, and other economic, and environmental issues.
The regulatory environment and emerging reporting scrutiny expect organisations and responsible individuals to be prepared for a cyber event and predict and plan for how to manage a crisis. Most importantly the resilient nature of the business mitigates productivity loss and prevents supply chain destruction in the entire supply chain ecosystem.
The cybersecurity imperative for manufacturing companies
Jagathesh acknowledges the crucial role of network service providers in the digitally connected world and notes that attacks on them can result in the complete disruption of communication. He cited real-time examples of successful Distributed Denial of Service (DDoS) attacks on telco providers.
The manufacturing industry faces challenges in terms of cybersecurity and legal frameworks are still in the learning and evolving stage. “There are emerging legal/regulatory frameworks, but existing standards (ISO, IEC) and zero trust models can provide guidelines. Strong industry partnerships, consensus on baseline security and public-private partnerships are some evolving themes to address emerging cybersecurity trends,” Jagathesh is convinced.
Singapore has taken the lead in developing cybersecurity OT competency frameworks and cybersecurity master plans for the Critical Information Infrastructure, while other APAC countries are catching up. Some countries are leading the maturity focus in this area, while Europe and APAC are trying to address challenges through discussions and building capabilities.
The manufacturing industry is transforming from Industry 3.0 to 4.0, with strategic initiatives focused on dealing with the consequences of not incorporating security in innovation. The implications of failing to account for risk and cybersecurity can result in supply chain interruptions, reputation, and revenue loss.
Cybersecurity practitioners in the manufacturing industry must prioritise worker safety, reliability, and security. By leveraging technology, they can drive innovation and generate new business ideas while securing a disruption-free supply chain. Therefore, comprehending the manufacturing ecosystem and appropriate prioritisation is crucial.
The journey so far and the road ahead
Jagathesh has been in the IT industry for 20 years and has always had a focus on Risk management, information security and cybersecurity. He recounts his career path, which began with a focus on risk management and security in his initial job. He quickly realised the importance of cybersecurity and dedicated himself to developing his skills and understanding the various security products and technologies. He builds his Cyber career from a multi-dimensional perspective which includes technology, regulatory framework, consulting, and business skills to provide a trusted advisory solution to the enterprise.
His experience working in diverse industries such as Banking and Financial Services Industry (BFSI), Webhosting and Healthcare verticals with a razor-sharp focus on stakeholder engagement, program management, Enterprise Application Integration (EAI), Audit and regulatory engagement gave him an appreciation of the interdependence of cyber and risk management.
He was approached by headhunters who were looking for someone who can bring transferable skills in the areas of technology and translate tech jargon into business understanding language. Build relationships with internal and external stakeholders to strategise the risk and Cybersecurity program. He transitioned from banking and financial service industries (BFSI) to healthcare and manufacturing security, with a focus on building strong capabilities in critical information infrastructure.
The transition from BFSI to manufacturing and healthcare posed some challenges, but his transferable skills and new learning helped in shifting priorities. Indeed, his diverse experience has given him a wider and deeper appreciation of cyber resilience.
He explains that in the banking and financial industry, the focus is on a data-centric approach, while in the manufacturing and healthcare industries, safety is the primary concern followed by availability and security.
As a cybersecurity practitioner, he always prioritises the three fundamental principles of confidentiality, integrity, and availability. He also follows a three-pronged approach, which includes understanding the business, identifying how cybersecurity and risk management capabilities bring value to the business and understanding external factors like emerging trends, regulations, and cross-border issues impacting the business.
The manufacturing sector is a critical industry that operates continuously 24/7/365 days a year. The key challenge in manufacturing cybersecurity is to ensure that the business keeps running without downtime, while also addressing cyber threats like email compromises, PLC attacks, supply chain disruptions and account takeovers.
Jagathesh thinks the approach to cybersecurity in the manufacturing industry has evolved from a people-centric to a process-centric to a machine-centric model in the past. Moving forward the focus is on data-centric to autonomous models with the key focus on the automation capabilities. Building resilience is a multi-faceted methodology that requires addressing cybersecurity risks from a people-centric, process and technology-centric perspective.
A comprehensive paradigm that incorporates new technologies, process improvement, regulatory compliance and cybersecurity awareness can help organisations to develop and maintain a secure and efficient manufacturing operation.
“Building resilience requires addressing cybersecurity risks from both a people-centric and technology-centric approach. This means not only implementing technical controls such as firewalls and encryption but also training employees on cybersecurity best practices and creating a culture of security awareness,” Jagathesh concludes.
(Disclaimer: This interview is based on Jagathesh Rajavasagam’s personal views and has nothing to do with his current organisation)
