As I speak with manufacturers across the UK about implementing the Internet of Things and technology solutions to productivity challenges, one of their first questions is about how to safeguard their business and data with proper cybersecurity. It’s not surprising given that more UK businesses have expanded their ‘security footprint’ by going electronic with their data and industrial process. And the fact that half of UK businesses experienced a cyber attack in 2016 shows that it’s not just big organisations that are targets.
I recently sat down for a podcast with Nigel Mackie, Head of Business Development at MASS, a UK leader in cyber security consulting.
Vectors of security and cyber warfare
In the podcast, Nigel mentioned ‘vectors of security’, which are ways your electronic systems can be attacked – in other words, your business’ cyber vulnerabilities. The graphic below, supplied by MASS, shows the wide variety of ways hackers can gain access to your system.
Threat vectors can vary widely in terms of purpose and the attacker. Here are just a few examples:
- An employee taking a hard drive or downloaded data with them to a competitor for compensation or a new job
- An employee making a change to a factory machine or system that unintentionally creates a vulnerability
- Ransomware taking advantage of data that isn’t properly stored and backed up
- A hacker stealing customer data, such as through the company website, as happened with the TalkTalk hack
- A foreign government or malicious individual/organisation engaging in industrial or inter-governmental warfare through cyberattacks on particular supply chains, infrastructure or industrial facilities
In fact, Nigel gave an alarming example, saying, “Cyber warfare sounds a little bit Hollywood, but 20 nations have openly declared they are building offensive cyber capability. That means they will be essentially using hacking to exploit vulnerabilities in critical national infrastructure and industrial control systems and then exploit them in the future. For example, when Russia attacked the Ukraine, they switched the power off in something called BlackEnergy. So this is the future we face.”
And it isn’t just large companies, utilities or governments that should be worried about cyber security when it comes to the warfare of the future. This threat can affect even those lower down on the supply chain.
Nigel explains, “If an SME that made bolts was attacked and their CAD drawings were changed. Then those bolts are supplied into a military aircraft and the attacker knew exactly what tolerances could be affected on those bolts to cause the aircraft windscreen to pop out at a particular speed and altitude. That’s what could happen.”
Steps to becoming digitally secure
Nigel explains that 80% of cyber security can be taken care of with simple best practices, such as ensuring passwords are changed regularly, aren’t written down and aren’t easy to guess. Customer information should be stored on two servers rather than just the web server, and all stored data should be encrypted. He also says that when MASS visits companies, most have many more digital ‘assets’ than they realise. This can include subcontractors that have access to sub-systems they have installed, unbeknownst to most people at the company.
In terms of training, Nigel recommends running a disaster recovery workshop to ensure the issues have been thought through and the organisation knows what to do in the event of a cyber attack. Many do this for fire and floods, but a cyber attack is far more likely, and you will be surprised just how many issues these workshops raise for half a day of senior team effort. A good workshop will give you the plan as an output.
The business case for security
For some companies, cyber security has not been a priority, but this is increasingly a business critical issue. Here are just a few of the ways cyber security impacts the bottom line:
- With stringent new data protection regulations (GDPR) coming into force in 2018, companies will be responsible for ensuring their customer data is secure (or receive significant fines).
- Companies are already required to adhere to the government’s Cyber Essentials guide if they want to be a contractor for the Ministry of Defence. Expect to see similar supply chain requirements for other sectors of government and infrastructure as well as major companies in aerospace, automotive and beyond.
- Audits and cyber security certification (such as Cyber Essentials Plus or DCPP) will increasingly become expected practice for most companies. Nigel of MASS says that when they conduct audits for companies, about 85% fail between Cyber Essentials and Cyber Essentials Plus. Chances are, your company has room to improve.
- During merger and acquisition discussions, a company without a strong cyber security, risk assessment and recovery plan will be valued very low.
In a recent Twitter poll, EEF found that many are still unaware of the Cyber Essentials standard and guide from the government.
For companies starting from a low level of knowledge on cyber security, the first step is education. For example, the National Manufacturing Conference has a workshop on cyber security this February that will be useful for many companies.
Secondly, companies should consider working with a strategic partner to identify their risks now and as they move forward with 4IR-related changes.
Here are a few tools that can help your business ensure they’re doing the basics right when it comes to cyber security:
Also, EEF's own cybersecurity experts, NDI, are running cyber essentials sessions at three locations:
To listen to Martin and Nigel discuss cyber security in UK manufacturing in their podcast, click here. To discuss how to consider cyber security threats as part of your ongoing digitisation plans, get in touch with Martin.