Cyber-Risk – how can manufacturers reduce cyber-risk and recover following a cyber-attack?
Cyber-risk and the threat of cyber-attacks were highlighted by two major incidents in 2017; the WannaCry attack in May an...
Why is cyber-risk increasing?
Cyber-risk and the threat of cyber-attacks were highlighted by two major incidents in 2017; the WannaCry attack in May and the Petya hack in June. These cyber-attacks caused significant damage across multiple countries. Major organisations, such as the National Health Service (NHS) in the UK suffered severe difficulties. The threat from cyber is unlikely to subside in 2018. In fact, The World Economic Forum’s (WEF) 2018 Global Risks Report highlighted cyber-risk as the third most likely risk to cause damage to businesses in 2018.
The Internet of Things (IoT) and its subset, the Industrial Internet of Things (IIoT), represent a growing source of vulnerability for manufacturers, and both systems will continue to see major growth in scale over the foreseeable future. With approximately 8.4 billion internet connected devices already in existence, and with this number expected to rise to approximately 20 billion by 2020, there are myriad opportunities for malicious actors to gain access to networks and systems.
Given that the manufacturing sector is expected to be responsible for approximately 35% of the overall usage of the Industrial Internet of Things for the period ending in 2025; manufacturers need to remain acutely aware of the threats they face, as well as how their organisations could recover should they suffer a cyber-attack.
Unfortunately, many of the existing manufacturing systems were designed to increase efficiency and productivity and not with security in mind. As such, many of the legacy systems used by the manufacturing sector are very vulnerable to cyber-risk, and could suffer significant disruption and damage if an attack occurs.
What damage can cyber-attacks cause to manufacturing facilities?
The threat that cyber-attacks pose to manufacturing facilities can result in either physical and non-physical damage, or a combination of the two. A cyber-attack on a manufacturing facility could be purely data focused, designed to steal intellectual property, whether that is unique manufacturing processes or other trade secrets. Alternatively, a cyber-attack could be designed to create physical disruption to the industrial control systems, causing machinery to malfunction or grind to a halt completely. Both examples, illustrate how a cyber-attack could have a major impact on the assets and structure of a facility.
Another example of the potential damage a cyber-attack could inflict, is the risk of a boiler being remotely forced to overheat and explode at a facility, resulting in a large-scale fire– a non-physical threat resulting in real physical damage. In this example, the targeted company is exposed to the cost of repairing or replacing the exploded boiler and the fire-damage which resulted from the boiler explosion, as well as the cost of hiring cyber-security professionals to ensure that the security-breach and any necessary security upgrades are addressed. Indeed, research tells us that the average cost of a successful cyber-attack on a manufacturing facility can be estimated at $5 million USD. Given the scale of the physical damage that cyber-attacks can cause, FM Global has considered data to be property for many years, with the result that damage caused by a cyber threat to data triggers policy coverage in the same way that damage to property from a fire or natural hazard would trigger coverage.
What steps can manufacturers take to reduce cyber-risk in their facilities?
The ability to reduce risk and recover quickly following an attack can be improved when manufacturers build resilience within their organisations. Resilience is the greatest asset that any organisation can have, and in the context of cyber-risk is particularly important – cyber-risk evolves so quickly that it is almost impossible to protect against every single threat.
The benefits of building cyber resilience are multi-faceted. This is because increased scrutiny from the public and media will be present due to the upcoming implementation of the European Union’s (EU) General Data Protection Regulation (GDPR). This could potentially amplify any reputational loss suffered following a cyber-attack.
There are a variety of steps that manufacturers can take to reduce cyber-risk in their facilities. These include:
- Training employees to ensure they are aware of how to avoid phishing and other email-based attacks – phishing attacks are one of the most common methods for external actors to gain access to a system.
- Ensuring that computer systems and other internet-connected devices are always updated with the latest patches and security features. Malware programmes are often deployed once a security-weak device has been compromised, enabling programmes to gain control over facilities through only one network-connected device.
- Conducting a thorough review of physical security at facilities. Whilst unsophisticated, an unauthorised individual who gains access to a server room could use the opportunity to steal intellectual property or damage equipment. Only select, vetted, individuals should have access to sensitive systems, and all external contractors should undergo sufficient background checks before being allowed on-site.
- Creating back-ups of valuable data off-site may help facilities to recover and begin operating normally as quickly as possible if data is corrupted or destroyed in a cyber-attack.
- Installing manual overrides for valuable pieces of machinery, so that if a cyber-attack does occur, the machinery could be de-activated before it causes damage to itself or other pieces of equipment, or employees.
Additionally, manufacturers should also create business continuity plans detailing the preferred response processes in the event of a cyber-attack. Continuity plans should highlight how relevant stakeholders, such as suppliers and customers, are contacted, how necessary back-up machinery should be acquired or utilised, as well as how employees should react. An appropriate plan could help the manufacturer create resilience, reducing the recovery time required following a cyber-attack.
Finally, manufacturers should partner with an insurer with the understanding of the risks faced within manufacturing facilities. Ideally, the insurer should be able to assess and process claims quickly to help to ensure that policyholders have the required capital to recover from a cyber breach – something that is particularly important when the cyber-attack has caused property damage and resulted in business interruption.
Benedict McKenna is the Vice President and Operations Claims Manager of London Operations at FM Global.
At FM Global we believe that resilient businesses are successful ones. Whilst cyber-attacks are evolving quickly, manufacturers should be aware that there are many steps that can be taken to mitigate the damage these attacks can cause. These steps will build resilience, allowing the manufacturer to recover quickly, minimising disruption, loss of revenue, and reputational shock over the long-term.
First Solar to Invest US$684mn in Indian Energy Sector
First Solar is about to set up a new photovoltaic (PV) thin-film solar manufacturing facility in Tamil Nadu, India. The 3.3GW factory will create 1,000 skilled jobs and is expected to launch its operations in Q3 of 2023. According to the company, India needs 25+ gigawatts of solar energy to be deployed each year for the next nine years. This means that many of First Solar’s Indian clients will jump at the chance to have access to the company’s advanced PV.
Said Mark Widmar, First Solar’s CEO: ‘India is an attractive market for First Solar not simply because our module technology is advantageous in its hot, humid climate. It’s an inherently sustainable market, underpinned by a growing economy and appetite for energy’.
A Bit of Background
First Solar is a leading global provider of photovoltaic systems. It uses advanced technology to generate clear, reliable energy around the world. And even though it’s headquartered in the US, the company has invested in storage facilities around the world. It displaced energy requirements for a desalination plant in Australia, launched a source of reliable energy in the Middle East (Dubai, UAE), and deployed over 4.5GW of energy across Europe with its First Solar modules.
The company is also known for its solar innovation, reporting that it sees gains in efficiency three times faster than multi-crystalline silicon technology. First Solar holds world records in thin-film cell conversion efficiency (22.1%) and module conversion efficiency (18.2%). Finally, it helps its partners develop, finance, design, construct, and operate PV power plants—which is exactly what we’re talking about.
How Will The Tamil Nadu Plant Work?
Tamil Nadu will use the same manufacturing template as First Solar’s new Ohio factory. According to the Times of India, the factory will combine skilled workers, artificial intelligence, machine-to-machine communication, and IoT connectivity. In addition, its operations will adhere to First Solar’s Responsible Sourcing Solar Principles, produce modules with a 2.5x lower carbon footprint, and help India become energy-independent. Said Widmar: ‘Our advanced PV module will be made in India, for India’.
After all, we must mention that part of First Solar’s motivation in Tamil Nadu is to ensure that India doesn’t rely on Chinese solar. ‘India stands apart in the decisiveness of its response to China’s strategy of state-subsidised global dominance of the crystalline silicon supply chain’, Widmar explained. ‘That’s precisely the kind of level playing field needed for non-Chinese solar manufacturers to compete on their own merits’.
According to First Solar, India’s model should be a template for like-minded nations. Widmar added: ‘We’re pleased to support the sustainable energy ambitions of a major US ally in the Asia-Pacific region—with American-designed solar technology’. To sum up: Indian solar power is yet the next development in the China-US trade war. Let the PV manufacturing begin.