Manufacturing Insights
Managing Industry 4.0 Cybersecurity Risks

Table of Contents
EXECUTIVE SUMMARY (p. 3)
INTRODUCTION (p. 5)
  Changing attitudes about cybersecurity (p. 5)
  Quantifying risk (p. 6)
  Managing cyber risks (p. 7)
PART I: A GROWING GAP, INCREASING ATTACKS AND A SUPPLY PROBLEM (p. 8)
  The digital transformation (p. 8)
  Today’s threat landscape (p. 9)
  Manufacturers face unique risks (p. 9)
  Recent trends (p. 10)
  The supply chain (p. 11)
  A global shortage of cybersecurity professionals (p. 11)
PART II: BUILDING A CYBERSECURITY FOUNDATION (p. 12)
  An effective governance structure (p. 12)
  Metrics that matter (p. 13)
  Operating timeframes (p. 13)
OPERATIONAL SECURITY CONSIDERATIONS (p. 14)
MANAGING SUPPLY CHAIN RISK (p. 14)
OUTSOURCING SECURITY OPERATIONS (p. 15)
  What cybersecurity services does our organization need? (p. 15)
  What are the solution provider’s qualifications? (p. 16)
  Does the solution provider understand our organization? (p. 16)
  How will we work together with the cybersecurity provider? (p. 16)
  What related services does the solution provider offer? (p. 16)
EIGHT COMMON MISTAKES WHICH INCREASE RISK (p. 17)
CONCLUSIONS AND RECOMMENDATIONS (p. 20)
REFERENCES (p. 22)
Manufacturing Insights: Managing Industry 4.0 Cybersecurity Risks — 2020
Executive Summary
As a motivated adopter of new technologies, the manufacturing sector has changed significantly in the last
decade. Automation, artificial intelligence, embedded sensors, cloud services and centralized management
systems have enabled new processes and products, greater efficiencies and higher revenues.
But while manufacturers look at facilities and see the manifestation of Industry 4.0, private and nation state threat
actors see a vast attack surface littered with vulnerable systems and valuable data—all belonging to companies
with much to lose.
Headline-grabbing breaches and shutdowns have put manufacturers of all sizes on notice that everyone
is vulnerable and no one—no matter how small or large—escapes the interest of attackers. As a result,
manufacturing firms recognize that cybersecurity is now a board level issue; however, security governance
competes for attention and resources with other aspects of the business which can often appear more
urgent or important.
As the rapid introduction of new operational technologies creates a widening security gap, boards must provide
the leadership and the commitment necessary to make protecting the organization a priority. Two foundations of
this leadership should be:
1. Shifting the executive mindset from one of security as an IT cost to one of business risk management
which offsets the financial losses associated with operational disruption, lost revenue, penalties/fines and
irreparable harm to brand reputation.
2. Recognizing that it is only a matter of time until an organization experiences a disruptive security
incident—even if the incident is the result of a vendor in the supply chain.
The former completely shifts how cybersecurity is viewed while the latter forces the organization to adapt its
security posture to include elements of detection and response (rather than the obsolete approach of placing
trust purely in perimeter-based defenses).
Additionally, company leaders should create a culture of cybersecurity awareness throughout the entire
organization by regularly referencing the subject and championing training initiatives and other investments.
But creating an effective cybersecurity strategy is a real challenge. As a starting point, manufacturers of all sizes
should take steps to:
• Enable effective cybersecurity governance by creating reporting structures and adopting metrics which
enable the board to make informed and timely decisions.
• Understand operational security considerations to ensure cybersecurity thinking extends beyond
traditional IT to encompass operational systems in Industrial Internet of Things (IIoT) environments.
• Manage supply chain risk with a combination of prevention, policies and promises (plus consequences).
• Outsource certain security operations as a strategic and cost-effective means to overcome a global
shortage of cybersecurity professionals.
• Avoid common mistakes which can undermine even the best-intentioned and well-funded
cybersecurity blueprints.
Managing cyber risk in a manufacturing organization is no simple task. It requires cooperation between those
responsible for operational technology (OT) and the IT group, under strong leadership from the board and
C-level executives.
However, managing cyber risk is a modern business imperative and with a disciplined approach it is possible for
manufacturing organizations to enjoy the benefits of Industry 4.0 without falling victim to debilitating, expensive
and public attacks.
Introduction
While financial management and legal compliance receive most of the risk management attention, the corporate
governance responsibilities of the board of directors extend well beyond those two realms to include cyber
risk as a critical component. For manufacturing firms, cybersecurity is still a relatively new board-level topic and
should be more than “just an IT problem to fix.”
Cybersecurity is frequently viewed as burdensome and it can be challenging to communicate the benefits
of proactive security investments unless a breach has already occurred. In fact, when eSentire surveyed
manufacturing customers, 46 percent of respondents cited “demonstrating the value of cybersecurity spend to
executives and boards” as a significant challenge.
Changing attitudes about cybersecurity
Cybersecurity is a complex, multi-disciplinary topic that covers user controls, processes and policies, competing
technology solutions and a growing list of emerging standards that often bring misunderstood risk. Decision
makers must have fundamental knowledge of this important business continuity engine. In particular, leaders
should have a grasp of risk management in the context of the criminal and political nature of today’s
cybersecurity environment.
It’s not the responsibility of the board to become IT experts, but the board must know what questions to ask
the Information Security and Information Technology (IS&IT) departments. Similarly, the IS&IT departments
must provide the board with meaningful metrics which can inform important decisions about cybersecurity
investments. Unfortunately, many struggle in this regard: in the same survey cited above, 42 percent of
respondents indicated that “measuring and reporting the status of security programs” was a major challenge.
Additionally, boards must provide the leadership and the commitment necessary—by proactively overseeing and
holding management and the C-suite accountable—to make protecting the organization a priority. Part of this
leadership is a change in attitude. While 50 percent of survey respondents suggested that “bearing the cost of
ever-increasing security demands” was a challenge, the reality is that investments in security are investments in
business continuity which preserve the ability to operate and deliver significant returns.
There are several good guides on the key pillars of risk management and board obligations, including the
National Association of Corporate Directors (NACD) Handbook on Cyber-Risk Oversight,1 the National Cyber
Security Centre board toolkit on Supply Chain Security Guidance,2 and Navigating the Digital Age.3 While each
resource provides differing levels of information, there are five common pillars:
• Awareness: understanding the impact of cyber risks and trends, experiencing the business impact of a
breach and exposing personal risks
• Risk: identifying nonpublic assets and protected data, and documenting regulatory and
contractual obligations
• Program: establishing budget, staffing and programs that align to overall business risk priorities
• Reporting: annual planning, quarterly reporting, dashboards and peer/industry comparisons
of performance
• Incidents: understanding incident response, board roles, critical business decisions and reporting to
authorities and crisis communications
Quantifying risk
In the 2018 Ponemon State of Endpoint Risk Study, 64 percent of survey respondents indicated that their
organizations suffered a data asset and/or IT infrastructure compromise, reflecting a 54 percent increase over the
previous year. Of those breached, 57 percent reported significant disruption to business operations with a loss of
more than 1,000 records containing sensitive or confidential information.4
Of course, one limitation of relying on a survey is that only respondents who know they have been compromised
can indicate that a compromise has occurred. This sample bias means that the Ponemon stats undercount
security incidents because many compromises go undetected.
It’s not a matter of if, but when
The most accurate way to inform predictions about risk is to study the real world. Using observational data
from our Security Operations Centers (SOCs), eSentire calculated the mean probability that a manufacturing
organization had at least one incident involving a bypass of existing endpoint security controls over a 12-month
period (Figure 1).5
One clear observation is that the more sites an organization has, the higher the risk, most likely due to a larger
threat surface and more opportunities for attackers. But don’t overlook the fact that even a manufacturing
organization with only a single location has an almost 40 percent chance of falling victim to a security incident.
The major takeaway from this empirical analysis is that it’s not a matter of if an organization will experience an
incident, but when. Using this fact as an operating assumption can influence an organization’s priorities and
expand the security conversation beyond perimeter defenses to include topics such as detection and response,
containment and incident response.
Probability of one or more incidents in a 12-month period, by locations
Locations:   1    2    3    4    5    6    7    8    9    10
Probability: 38%  61%  76%  85%  90%  94%  96%  98%  99%  99%
Figure 1—The probability of at least one breach in a 12-month period approaches near-certainty as an organization adds locations
Managing cyber risks
Boards and the organizations they govern are recognizing the need for cybersecurity governance; plus, the
return on investing in cybersecurity solutions is becoming clearer with every headline-grabbing incident.
Unfortunately, cyber risk management within manufacturing organizations is a complex issue influenced by
several factors, which we examine in Part I.
In Part II, we shift attention from the requirements and challenges facing manufacturing organizations to provide
information and resources which can help in cybersecurity initiatives.
Part I: A Growing Gap, Increasing Attacks and a Supply Problem
For manufacturing organizations to effectively manage cyber risk, they first need to understand three factors
which shape the operating context:
• A digital transformation which is creating a widening security gap
• An ever-evolving threat landscape driven by motivated and well-financed attackers
• A global shortage in cybersecurity professionals
The digital transformation
Industry 4.0 is the interconnection of industrial equipment which accesses and analyzes centralized
operational data. In essence, it represents the next industrial revolution in advanced manufacturing and smart,
interconnected, collaborative factories.
This new paradigm is characterized by the physical world itself becoming a type of information system,
through sensors and actuators embedded in objects and linked through networks.
Beyond having the potential to completely change material and manufacturing processes, Industry 4.0 is
expected to contribute to more efficient operations by aggregating data across all your facilities, letting you
monitor, measure, and improve performance.
This digital transformation introduces new generations of intelligent solutions and integrates these solutions
into existing manufacturing processes and technologies including SCADA/ICS and PLCs. In many cases,
this collection is controlled by a Manufacturing Execution System (MES) which is tightly integrated into the
manufacturing organization’s ERP system.
One result of this evolution is that every element is connected, centrally controlled and monitored.
Another—unintended—outcome is that the entire manufacturing process (and, by extension, the company which
depends on that process running effectively) is more vulnerable to cyberattacks.
A widening security gap
In manufacturing, investments are largely motivated by the pursuit of increased operational effectiveness
and efficiency: doing more for a lower per-unit cost. Often, these investments manifest as new operational
technology (OT), for instance to enable higher degrees of automation, accelerated assembly timelines and
improved real-time insights.
This OT gets added to a large information technology (IT) stack which has often been built over several decades;
in that time, the IT stack has become a complex mix of legacy, aging and modern solutions held together by
vulnerable protocols and a “don’t touch what isn’t broken” stability strategy.
Unfortunately, this pursuit of improved operations comes with a consequence: a widening security gap.
Operational motivations are about speed and efficiency, not security. Security was a distant priority when
vendors created their new OT solutions and security is at best a secondary priority for most manufacturing
organizations.
In fact, the rapid introduction of OT can create tension in the organization: IT understands the security risks and
best practices and wants to take the time to do things as safely as possible; OT is under pressure to hit targets
and can feel like IT is slowing them down by unnecessarily overstating the risks.
From the shadows, attackers see highly connected, unprotected systems built by vendors who know very little
about system security and who are content to pass risk to their customer—the manufacturing organization.
Today’s threat landscape
Today’s manufacturing organizations face a wide array of cyberthreats. From opportunistic attacks using
commodity malware as a service, to sophisticated hands-on-keyboard attacks which surgically evade defenses,
to advanced persistent threats which can operate for years undetected, to industrial espionage using legitimate
credentials harvested from phishing campaigns—the list is long and the consequences can be devastating.6
The rise of hands-on-keyboard ransomware, in particular, is a worrisome development. Headlines are full of
high-profile examples of downtime, disruption and—owing to a bug in the Ryuk ransomware decryptor—destruction.7
Modern threats can readily bypass legacy antivirus solutions and take advantage of vulnerability windows.
Organizations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks,
mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response
to security incidents.
Manufacturers face unique risks
As manufacturing has become more connected, the threat surface—the collection of points an attacker can use
to try to gain access—has increased substantially and now extends from endpoints and networks into cloud
services. Here’s how David Broussell, vice president and executive director of the Manufacturing Leadership
Council sums up the situation:8
Manufacturers are using cutting-edge digital technology to a greater degree than ever before. We’re
putting sensors in equipment, digitizing supply chains and gathering data from customers to better the
customer experience, to name just a few examples. The number of electronic connections we’re making
is enormous—and the more you electronically link products and processes, the more vulnerable they
become to cyberattacks.
Plus, manufacturers must grapple with systemic vulnerabilities in operating systems and control systems. For
instance, it’s important to recognize that many industrial communication standards don’t even consider security
because they are based on the old firewall model of complete trust within the network.
The 2018 Forrester SCADA survey indicated that 56 percent of organizations using SCADA or ICS systems
experienced a breach in the previous year. Only 11 percent indicated that they never experienced a breach.
A successful cyberattack against OT or a SCADA control system not only has the potential to damage the
business financially, but also could result in physical consequences to such things as infrastructure and services,
the environment, and possibly human life.
Unfortunately, we don’t have to look far for examples in which manufacturing and industrial organizations were
targeted by cybercriminals.
Perhaps the best-known example is the infamous 2019 ransomware attack which took Norsk Hydro’s facilities
offline, causing tens of millions of dollars of damage. Even though the damage inflicted was enormous, it’s
important to recognize that there wasn’t anything special about the attack itself—it employed commodity
malware against everyday business systems.
Recent trends
While malware specifically targeting industrial control systems has long been recognized as a threat, incidents
against commercial facilities have been quite rare—but that may be changing.
In February 2020, reports emerged of a new malware called EKANS which, in addition to encrypting data,
terminates 64 different software processes on victim computers—including many that are specific to ICS.9
EKANS (also called Snake) and its potential precursor, Megacortex, are likely portents of a future in which the soft
underbelly of manufacturing and industrial systems is mercilessly targeted. Wired’s coverage notes that:
Industrial firms have certainly been hit with run-of-the-mill Windows-focused ransomware in the past, such as
the disastrous cyberattack on Norwegian aluminum firm Hydro Norsk last year. But EKANS and Megacortex
go a step further, into the technical guts of industrial control systems. Among the dozens of processes
it terminates are those used by GE's Proficy software—a "data historian" program that keeps records of
operational information in industrial settings—as well as the mechanism that checks for a customer's paid
license for GE's Fanuc automation software, the monitoring and management software Thingworx, and a
control interface program sold by Honeywell.
Moreover, while earlier attacks against major manufacturers and industrial facilities were believed to be
sponsored by nation states, researchers believe these latest attacks are the work of cyber criminals motivated
purely by profit.
Of course, criminals don’t need to shut down a facility to extract payment. In many cases they exfiltrate sensitive
information (trade secrets, proprietary data and intellectual property, financial details, private emails, account
credentials) and then threaten to release it publicly if a ransom isn’t paid. In some cases attackers have even
weaponized regulations like GDPR which impose fines when breaches compromise personal information.
And attacks aren’t solely the act of private malware groups; nation states are also participants in this space. In
these scenarios, the nation states simply extract valuable intellectual property as discreetly as possible and then
use it to increase the competitiveness of local companies relative to the organizations which were compromised.
The supply chain
As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal
activities. A Spiceworks survey of 600 IT and security decision-makers which asked about supply chains
highlights this risk.
While the majority of respondents felt confident in their vendors to keep data safe, nearly half (44 percent) of
firms had experienced a significant, business-altering data breach caused by a vendor. Human error and stolen
passwords accounted for 26 percent of the breaches, while malware played a key role in half of the attacks.
As a recent example, in April 2020 reports emerged that the criminals behind the DoppelPaymer ransomware (a
variant of BitPaymer) had published data from the US Navy, Lockheed-Martin and SpaceX. The data appears to
have been taken from contractors working with those organizations.10
The Spiceworks survey showed that of the nearly 250 companies that experienced a breach, personally
identifiable data was impacted in 32 percent of cases, 29 percent included payment information, and 24 percent
exposed proprietary business data. What’s worse, only 15 percent of firms reported that their vendors provided
notification to them when a breach occurred.
Respondents indicated that third-party breaches resulted in disrupted operations (27 percent), increased
operational complexity and cost (52 percent), reputational damage (19 percent) and financial losses and
penalties (26 percent).
A global shortage of cybersecurity professionals
Unfortunately, the factors outlined above—a widening security gap, capable attackers and the need for
executive accountability—exist against a backdrop of a global shortage of cybersecurity professionals.
Just how large is the shortage? Non-profit IT security organization (ISC)2 estimates that “it would take another 4
million professionals to close the gap.”11
This shortage means that it can be very difficult for manufacturing organizations, even those which are
sophisticated and well-funded, to attract the cybersecurity expertise needed to harden defenses against attacks.
Part II: Building a Cybersecurity Foundation
Managing cyber risks within your manufacturing organization is a challenging and multifaceted—but extremely
worthwhile—endeavor.
To help organizations get started or recognize potential blind spots in existing plans, the following sections
present resources to help you:
• Enable effective cybersecurity governance
• Understand operational security considerations
• Manage supply chain risk
• Outsource security operations
• Avoid common mistakes
Cybersecurity governance
Enabling cybersecurity governance requires an effective governance structure, board visibility into the right
metrics and an appreciation of the relative dynamism of security needs.
Too many organizations have a misplaced satisfaction that the board is already receiving the information they
need to fulfill their cybersecurity governance obligations.
Business priorities, cyberthreats and the organization’s operational context change over time and sometimes
very suddenly. Metrics and information which were sufficient only a few months ago might have dangerous
blind spots today. To stay on top of cybersecurity and risk management, it’s important to regularly challenge
assumptions about what information the board needs.
An effective governance structure
The most effective governance structures come from a combination of top-down principles that define the
objectives and operational approach of a complementary bottom-up effort.
From a bottom-up perspective, the information security organization (whether the IT department or a well-staffed
security team) needs to be able to recommend the type of structural reporting they believe is necessary.
Cybersecurity reporting typically flows through the IT director into the CIO, who has ultimate responsibility for
the security elements of governance. Unfortunately, this structure can create conflicts of interest. Today, many
enterprises are adopting structures in which cybersecurity reporting goes to the COO, CSO, or Chief Risk Officer.
At the same time, the board needs to recognize the flaws and trade-offs inherent within any reporting structure
and consciously advocate for an approach which will provide them with the information and visibility they need.
Metrics that matter
In today’s information-rich manufacturing environments, producing data is straightforward; however, delivering
what’s needed to enable effective cybersecurity governance requires careful consideration.
Metrics have maximum value when they capture an operating reality and can be placed in context. When these
conditions are met, metrics reveal how you are performing today and how your performance is changing over
time in the operating context of your business and risk environment. These insights enable the board to make
decisions which help the business get to (or remain in) a desired state.
Broadly, metrics can be divided into two categories:
• Lagging metrics look into the past and tell the board things like the number of incidents, the likelihood
that an incident results in a breach, the time to containment, the costs incurred and the effectiveness of an
organization’s incident response capability; these metrics are relatively easy to produce, as they tend to be
counting- and measurement-based, but it is important to normalize them to account for changing scales
• Leading metrics take a forward-looking approach and capture information like the threat surface, the
organization’s readiness to respond to an incident and how investments are going to be operationalized in
pursuit of cybersecurity goals; these metrics are more challenging to produce and for that reason they are
often overlooked or perpetually exist just beyond the to-do list
Both sets of metrics are valuable. Moreover, they are connected: for instance, an “Incident Prevention Score”
should have value as a predictor of an organization’s incident response capability. Care should be taken to
ensure leading metrics hold real meaning and aren’t simply vanity scores with little predictive value.
Operating timeframes
When it comes to cybersecurity, all manufacturing businesses—small, medium and large—must shift their
thinking regarding operating timeframes. Often, this thinking is shaped by annual planning cycles and long time
horizons, so it needs to be recalibrated to account for the dynamic nature of the risk environment in which the
business truly operates. For instance, requests for funding should be considered quickly (which may require new,
accelerated processes), as they may be in response to a threat which has only just materialized.
Likewise, the organization must be able to execute with velocity: there’s little point in quickly making the correct
decision if teams don’t have the resources to take action.
Operational security considerations
Building a strong cybersecurity foundation in a manufacturing organization requires careful consideration of
operational security. Table 1 provides a simple framework to organize different elements.
Managing supply chain risk
By implementing a three-pronged approach that brings together prevention, policies and promises,
manufacturers can strengthen their security posture, mitigate risk and maintain trust with customers.
Prevention is key
Most manufacturing organizations employ multi-step processes to evaluate vendors, but security is not always
part of the criteria. The best way to protect your company from a breach is to avoid one in the first place—by
doing all of the due diligence needed. Yet only about half of companies require a signed contract obligating
third-party suppliers to adhere to security and privacy practices and less than half review the written policies of
their third parties.
Supply chain risk becomes more manageable when an organization has company-wide policies in place that
specifically take security into consideration when it comes to bringing on third parties.
Table 1 (columns: Consideration; Intention; Examples)

Business Risk Management
Intention: Capture high-level risks inherent to the organization’s operating context
Examples:
• Data classification
• Regulatory / privacy obligations
• Client contractual commitments
• Geographic / industry risks

Threat Landscape Monitoring
Intention: Maintain awareness of the ever-changing threat landscape as important risk management context
Examples:
• Broad cyberthreat trends
• Industry-specific threats
• Technology-specific vulnerabilities
• Tactics, techniques and procedures

OT Asset Discovery
Intention: Ensure operational technology is included in cybersecurity programs
Examples:
• Discover L2 devices (workstations)
• Discover L2 devices (PLCs, controllers)
• Central mapping of OS, patches, etc.

Vulnerability Assessments
Intention: Provide proactive insight to quantify risk and enable preventative actions to reduce risk
Examples:
• IT vulnerability assessments
• Vulnerability scanning
• Risk scoring and recommendations

Continuous Monitoring
Intention: Ensure the organization can identify threats in real time and is prepared to respond
Examples:
• Threat and anomaly detection
• Event run books and responses
• OT operations run books and responses

Incident Response
Intention: Ensure the organization has thought through challenging scenarios which may necessitate decisions with significant consequences
Examples:
• Documented incident scenarios
• Team roles and responsibilities
• Simulations and red-blue team / table-top exercises

Table 1—A simple framework to organize operational security considerations
Policies are a must-have
Most IT and security teams apply a multi-step approach to evaluate third parties, but formalized data policies
and senior management support for third-party risk assessment are often lacking. In fact, many organizations
have third-party data risk management policies in place, but simply fail to execute policies completely owing to
competing priorities.
eSentire’s research has shown that the strong majority of manufacturing organizations consider their policies to
be effective, but this result conflicts with reported breaches attributed to vendors. While companies consider
their policies effective, only a quarter of firms completely agree that their company allocates sufficient resources
to manage third-party relationships.
However, most keep an up-to-date inventory of all third parties with whom they share data.
Promises and consequences
While the majority of organizations include in their contracts legal or monetary consequences in the event of a
third-party data breach, far fewer discontinue their relationships with guilty vendors and distressingly few change
their risk policies as a result of the incident.
When a customer agrees to do business with you, there is a tacit promise of trust that must be kept. Taking
action is part of that promise, which must be kept in order to continue as a successful company. Consequences
include immediately firing the third party, legal actions including lawsuits and financial reimbursement to cover
breach costs (technical, legal and PR) and extra damages. These actions show that your company takes
security seriously.
Ask the tough questions
Finally, manufacturers should not be shy about asking their suppliers the same tough security questions that the
manufacturers should be asking themselves.
Outsourcing security operations
Most small and medium manufacturers—but also many large, sophisticated ones—lack the specialized expertise
required to appropriately manage cybersecurity risk. Additionally, as noted previously, there is a major dearth of
cybersecurity talent in the global pool.
For these reasons, many organizations turn to third-party solution providers as a cost-effective means of
managing risk through outsourced security operations.
Choosing a cybersecurity provider isn’t easy and it’s a decision you want to get right. With that goal in mind, here
are some questions which can help you choose the best solution provider for your needs.
What cybersecurity services does our organization need?
Like many decisions, choosing the right cybersecurity provider—for your organization—begins with
understanding your own needs. Of course, even this internal assessment can be challenging because it still
requires substantial knowledge of the subject. Thankfully, a consultative solution provider can help you identify
functional gaps and make you aware of needs that you otherwise may have overlooked.
What are the solution provider’s qualifications?
When looking for a cybersecurity provider, be sure to ask about specific qualifications and experience.
Detection and response are specialized fields within the broader, more general discipline of cybersecurity. The distinction is akin to the difference between a neurosurgeon and a general practitioner: both are important and both have qualifications, but you would approach each for different reasons. Potential solution providers should be ready and willing to
provide you with a list of certifications.
Next, go beyond qualifications and ask about practical matters and experience: How many cases has the
provider handled? What references can they provide? Where are their team members based?
Does the solution provider understand our organization?
It’s important that your cybersecurity provider understands your organization; that way, you can jointly develop
effective plans, agree upon division of responsibilities, and—most importantly—assist each other effectively
during an incident.
To that end, your potential solution providers should be very curious about how your organization operates, what tools you use, your risk profile, and so on. Additionally, you should ask potential providers if they have worked with other manufacturing clients, if they are well-versed in the regulations governing your organization’s activities and operating geographies, if they are familiar with the tools and technologies your organization employs—including specialized industrial systems—and other questions to determine the degree to which they truly
understand your organization and your operational context.
How will we work together with the cybersecurity provider?
From knowing when to contact your solution provider to understanding the operational details of detection and
response, it’s vitally important that both parties understand the working relationship.
In reality, this question can only be answered by speaking with each potential solution provider and then
by working with your chosen provider to precisely define your policies, plans and procedures. As timely
communication is critical during an incident, be sure to designate within your organization a point of contact and
at least one backup.
What related services does the solution provider offer?
There are many services related to detection and response and there is considerable benefit to finding partners
who can offer such services. For example, doing so reduces the number of third parties involved, avoids
complications relating to information sharing and maintains expediency.
You should inquire about:
• Training and awareness programs and resources (many of which are freely available)
• Insider threat assessment and program development
• Cybersecurity framework assessment and program development
• Data privacy/compliance assessment
• Cloud cybersecurity assessment
• Penetration testing, which pits your defenses against a human adversary emulating the actions and
techniques used by advanced threat actors
• Incident response
Eight common mistakes which increase risk
For a manufacturing organization to best address its cybersecurity needs, it’s important to avoid mistakes.
Here are eight of the most common mistakes which increase risk.
Keeping employees in the dark and not talking about cybersecurity
Whether due to a lack of domain expertise, discomfort with the subject matter in general—or some other
reason—too many organizations don’t talk with their teams about cybersecurity.
While awareness alone isn’t a substitute for investments and processes, the more your employees are aware that
cyberthreats exist the better prepared they are to understand the risks and embrace new initiatives.
Simple steps to increase awareness include addressing cybersecurity (in general or specific initiatives) during
company meetings and within internal communications, conducting training sessions, directing employees to
third-party resources and including cybersecurity goals among the company’s guiding objectives.
Thinking cybersecurity is an IT problem
Information technology has evolved faster than perhaps any other domain in human history. Where once
“computer” referred to a human job, now the term almost lacks specific meaning as all manner of devices include
embedded computational capabilities.
Desktop computers which kept workers tethered to a single location are becoming a relic of the past—an
intermediate stage of the evolution of business between manual desk-based labor and the cloud-hosted,
increasingly mobile, ever-more-interconnected reality of today.
In the early days of the Internet revolution, cybersecurity was largely limited to client-based antivirus and
firewalls. Over time, intrusion detection and prevention devices appeared. Crude port- and signature-based
solutions gave way to behavioral recognition powered by machine learning.
This IT-oriented past shaped the thinking of a whole generation of executives, but it is already dangerously
outdated. When the environment around us changes, changing with it is the key to survival.
Thinking about cybersecurity as only an IT issue fails to recognize the degree to which modern business relies
on information as its lifeblood.
Having incomplete preventative measures in place
Cybersecurity requires specialized expertise, organizational commitment, disciplined personnel and layers of
modern tools to provide defense in depth—but even sophisticated organizations that understand the necessities
make mistakes like failing to consider and cover the entire threat surface, unnecessarily keeping some devices
out of scope, keeping services externally exposed, treating insecure behavior from executives as necessary
exceptions or simply introducing defense solutions too slowly. Incomplete implementations of tools and allowing
exceptions without compensating controls lead to issues within environments.
Believing an incident won’t happen
The unfortunate reality is that—at some point—an incident will happen: maybe configuration or patching issues
will leave gaps, a laptop will be misplaced, a phishing attempt will succeed or a sophisticated attack will
break through.
The prudent approach to risk management is to accept this unwelcome truth and prepare your organization,
because with the right processes and systems in place you can at least limit the frequency, reduce the
magnitude and be aware of incidents (what you don’t know most definitely can hurt you).
Not knowing how to respond to an incident
Time is of the essence when an incident occurs; delays negatively impact containment and recovery activities
and can give threat actors time to destroy evidence.
Delays can also have an enormous impact on commercial productivity. For example, consider an attack
which forces a company to rebuild its domain controllers: following a defined method of procedure might limit
production disruption to one day, versus days or even weeks if no procedure is in place.
Two major causes of delays which impact an organization’s ability to manage risk are decision paralysis and
failing to have a detection and response provider at the ready.
First, subscribing to a cybersecurity service ensures you have around-the-clock protection and someone to
call when an incident occurs—or better yet, they call you at the first sign of an anomaly or possible intrusion.
The alternative requires you to pick up the phone to reach out to different providers to initiate conversations
and negotiate contracts and legal terms—during a period of time characterized by chaos, panic and a need
for expediency.
Second, it is crucial during a security incident to designate someone within your organization with sufficient
decision-making authority to enable and enforce timely responses. Seriously explore different scenarios and
capture decisions in written policies. For instance, ask what happens if an industrial controller is found to be
infected—should you shut down the assembly line? What criteria should go into this decision?
Avoid committees, as they create dangerous delays and lead to very conservative, least-objectionable thinking
at a time when decisiveness is paramount.
Additionally, ensure the designated person is willing to make potentially tough decisions (for instance, taking an
assembly facility offline to contain an incident) and has real authority within the organization. A security incident
is not the time to debate power dynamics and to get pulled into political discussions, nor is it the time to discover
that people feel empowered to disobey the instructions because they came from the ‘wrong’ person.
Not knowing your regulatory and contractual obligations
Regulations and contracts impose specific obligations upon your organization and it’s crucial you understand them.
A “breach” has specific legal/contractual meaning and implications, and an incident should not be labelled
as such until the specific conditions are met. Again, it’s important to understand regulatory and contractual
details so you can reserve the term “breach” for incidents which meet the criteria, thereby avoiding
unnecessary consequences.
Furthermore, your incident response plan should clearly identify who within your organization has the authority to
label an incident a “breach.”
Failing to properly understand your notification requirements can lead to two follow-on mistakes:
1. Failing to send a notification when you were obligated to do so
2. Sending a notification when you were not obligated to do so
Both can cause significant damage. To avoid such errors, your organization needs to be keenly familiar with two
sets of notification requirements relating to cybersecurity incidents:
• Government regulations: bloc-, federal-, and state- or provincial-level laws and statutes (for example, GDPR
and PIPEDA) governing notification requirements and timelines, including when you are required to notify or
involve law enforcement agencies
• Contractual obligations: upstream and downstream commitments to notify suppliers and customers
While many breach notification regulations and requirements contain similar components, there can be important
differences. Moreover, as breaches rise in frequency and prominence, regulations and contractual obligations
are changing, which requires organizations to stay up to date.
Believing that compliance guarantees security
Most businesses today have a well-developed understanding of the regulatory environment in which they
operate and their degree of compliance. However, compliance is no guarantee of security.
First, some companies make the mistake of assuming that compliance in one area (for example, PCI) is
suggestive of competence in another (for example, cyber risk management) when, in reality, the two areas are
very different and have little correlation.
Second—and likely much more common—many companies conclude that compliance in an area equates to a
validation of security in that area. Unfortunately, compliance requirements are often little more than outdated
checklists of minutia and do not meaningfully assess security capabilities.
Both scenarios can lead to well-intentioned, but mistaken, reports to the board which suggest a stronger
cybersecurity posture than is warranted.
Thinking that there’s a single best approach to managing cyber risks
If only it were this simple. The reality is that there are countless risks, every manufacturing organization has
its own unique exposure and risk tolerance, and resources vary enormously from company to company.
The board must help management to identify which risks should be avoided, which should be accepted, which
should be mitigated, and which should be transferred.
In most cases, and especially for manufacturers, managing cyber risk involves leveraging a
combination of internal resources and third-party solution providers, plus purchasing insurance.
Conclusions and Recommendations
Attacks on manufacturing firms will only continue to increase as operational technology and information
technology systems converge and blend into one ecosystem.
Company leaders should create a culture of cybersecurity awareness throughout the entire organization by
regularly referencing the subject and championing training initiatives and other investments.
There are no magic bullets, but manufacturers of all sizes and resource levels can follow this list of security “must
haves” to reduce risk and improve their ability to respond to and recover from an attack:
1. Identify and audit critical systems and data. Protect what matters.
2. Understand your obligations (legal, regulatory, supply-chain, and client).
3. Establish cybersecurity policies, procedures, and executive reporting mechanisms.
4. Conduct an annual risk assessment and security readiness exam (penetration testing, red-blue
team exercises).
5. Require encryption of stored data (mobile devices, laptops, servers, etc.).
6. Use a virtual private network (VPN) to protect data and user credentials in transit.
7. Establish mobile and bring your own device (BYOD) rules and controls to enforce strong passwords and
limit access to corporate assets.
8. Establish back-up systems and services. Pay particular attention to domain controllers, as they are prize
targets of threat actors.
9. Establish an incident response plan and team, and practice fire drills to hone your program.
10. Consider cyber insurance to cover investigation, disruption, lost revenue, and other costs not covered in
non-cyber specific policies.
Beyond those best practices, manufacturers of all sizes should take steps to:
• Enable effective cybersecurity governance by creating reporting structures and adopting metrics which
enable the board to make informed and timely decisions.
• Understand operational security considerations to ensure cybersecurity thinking extends beyond
traditional IT to encompass operational systems in industrial Internet of Things (IIoT) environments.
• Manage supply chain risk with a combination of prevention, policies and promises (plus consequences).
• Outsource certain security operations as a strategic and cost-effective means to overcome a global
shortage of cybersecurity professionals.
• Avoid common mistakes which can undermine even the best-intentioned and well-funded cybersecurity
blueprints.
While cybersecurity is a complex and intimidating subject, it is also a modern business imperative. Thankfully,
there are many resources available from governmental organizations, industry associations and third parties to
help manufacturers manage risks.
eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly evolving cyberattacks
that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates and
responds in real-time to known and unknown threats before they become business disrupting events. Protecting more than $6 trillion AUM,
eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory
requirements. For more information, visit www.esentire.com and follow @eSentire.
The National Association of Manufacturers is the largest manufacturing association in the United States, representing small and large
manufacturers in every industrial sector and in all 50 states. Manufacturing employs more than 12.8 million men and women, contributes
$2.37 trillion to the U.S. economy annually and has the largest economic multiplier of any major sector and accounts for 63% of private-sector
research and development. The NAM is the powerful voice of the manufacturing community and the leading advocate for a policy agenda that
helps manufacturers compete in the global economy and create jobs across the United States. For more information about the Manufacturers
or to follow us on Twitter and Facebook, please visit www.nam.org.