Cyber-Risk – how can manufacturers reduce cyber-risk and recover following a cyber-attack?
Cyber-risk and the threat of cyber-attacks were highlighted by two major incidents in 2017; the WannaCry attack in May an...
Why is cyber-risk increasing?
Cyber-risk and the threat of cyber-attacks were highlighted by two major incidents in 2017; the WannaCry attack in May and the Petya hack in June. These cyber-attacks caused significant damage across multiple countries. Major organisations, such as the National Health Service (NHS) in the UK suffered severe difficulties. The threat from cyber is unlikely to subside in 2018. In fact, The World Economic Forum’s (WEF) 2018 Global Risks Report highlighted cyber-risk as the third most likely risk to cause damage to businesses in 2018.
The Internet of Things (IoT) and its subset, the Industrial Internet of Things (IIoT), represent a growing source of vulnerability for manufacturers, and both systems will continue to see major growth in scale over the foreseeable future. With approximately 8.4 billion internet connected devices already in existence, and with this number expected to rise to approximately 20 billion by 2020, there are myriad opportunities for malicious actors to gain access to networks and systems.
Given that the manufacturing sector is expected to be responsible for approximately 35% of the overall usage of the Industrial Internet of Things for the period ending in 2025; manufacturers need to remain acutely aware of the threats they face, as well as how their organisations could recover should they suffer a cyber-attack.
Unfortunately, many of the existing manufacturing systems were designed to increase efficiency and productivity and not with security in mind. As such, many of the legacy systems used by the manufacturing sector are very vulnerable to cyber-risk, and could suffer significant disruption and damage if an attack occurs.
What damage can cyber-attacks cause to manufacturing facilities?
The threat that cyber-attacks pose to manufacturing facilities can result in either physical and non-physical damage, or a combination of the two. A cyber-attack on a manufacturing facility could be purely data focused, designed to steal intellectual property, whether that is unique manufacturing processes or other trade secrets. Alternatively, a cyber-attack could be designed to create physical disruption to the industrial control systems, causing machinery to malfunction or grind to a halt completely. Both examples, illustrate how a cyber-attack could have a major impact on the assets and structure of a facility.
Another example of the potential damage a cyber-attack could inflict, is the risk of a boiler being remotely forced to overheat and explode at a facility, resulting in a large-scale fire– a non-physical threat resulting in real physical damage. In this example, the targeted company is exposed to the cost of repairing or replacing the exploded boiler and the fire-damage which resulted from the boiler explosion, as well as the cost of hiring cyber-security professionals to ensure that the security-breach and any necessary security upgrades are addressed. Indeed, research tells us that the average cost of a successful cyber-attack on a manufacturing facility can be estimated at $5 million USD. Given the scale of the physical damage that cyber-attacks can cause, FM Global has considered data to be property for many years, with the result that damage caused by a cyber threat to data triggers policy coverage in the same way that damage to property from a fire or natural hazard would trigger coverage.
What steps can manufacturers take to reduce cyber-risk in their facilities?
The ability to reduce risk and recover quickly following an attack can be improved when manufacturers build resilience within their organisations. Resilience is the greatest asset that any organisation can have, and in the context of cyber-risk is particularly important – cyber-risk evolves so quickly that it is almost impossible to protect against every single threat.
The benefits of building cyber resilience are multi-faceted. This is because increased scrutiny from the public and media will be present due to the upcoming implementation of the European Union’s (EU) General Data Protection Regulation (GDPR). This could potentially amplify any reputational loss suffered following a cyber-attack.
There are a variety of steps that manufacturers can take to reduce cyber-risk in their facilities. These include:
- Training employees to ensure they are aware of how to avoid phishing and other email-based attacks – phishing attacks are one of the most common methods for external actors to gain access to a system.
- Ensuring that computer systems and other internet-connected devices are always updated with the latest patches and security features. Malware programmes are often deployed once a security-weak device has been compromised, enabling programmes to gain control over facilities through only one network-connected device.
- Conducting a thorough review of physical security at facilities. Whilst unsophisticated, an unauthorised individual who gains access to a server room could use the opportunity to steal intellectual property or damage equipment. Only select, vetted, individuals should have access to sensitive systems, and all external contractors should undergo sufficient background checks before being allowed on-site.
- Creating back-ups of valuable data off-site may help facilities to recover and begin operating normally as quickly as possible if data is corrupted or destroyed in a cyber-attack.
- Installing manual overrides for valuable pieces of machinery, so that if a cyber-attack does occur, the machinery could be de-activated before it causes damage to itself or other pieces of equipment, or employees.
Additionally, manufacturers should also create business continuity plans detailing the preferred response processes in the event of a cyber-attack. Continuity plans should highlight how relevant stakeholders, such as suppliers and customers, are contacted, how necessary back-up machinery should be acquired or utilised, as well as how employees should react. An appropriate plan could help the manufacturer create resilience, reducing the recovery time required following a cyber-attack.
Finally, manufacturers should partner with an insurer with the understanding of the risks faced within manufacturing facilities. Ideally, the insurer should be able to assess and process claims quickly to help to ensure that policyholders have the required capital to recover from a cyber breach – something that is particularly important when the cyber-attack has caused property damage and resulted in business interruption.
Benedict McKenna is the Vice President and Operations Claims Manager of London Operations at FM Global.
At FM Global we believe that resilient businesses are successful ones. Whilst cyber-attacks are evolving quickly, manufacturers should be aware that there are many steps that can be taken to mitigate the damage these attacks can cause. These steps will build resilience, allowing the manufacturer to recover quickly, minimising disruption, loss of revenue, and reputational shock over the long-term.
IMF: Variants Can Still Hurt Manufacturing Recovery
After a year of on-and-off manufacturing in the US, UK, and the eurozone, demand for goods surged early last week. Factories set growth records in April and May, suppliers started to recover, and US crude hit its highest price point since pre-COVID. As vaccination efforts immunise much of the US and UK populations, manufacturers are now able to fully ramp up their supply chains. In fact, GDP growth could approach double-digits by 2022.
Now, the ISM productivity measure has surpassed the 50-point mark that separates industry expansion from contraction. Since U.S. president Biden passed his US$1.9tn stimulus package and the UK purchasing managers index (PMI) increased to 65.6, both sides of the Atlantic are facing a much-welcomed manufacturing recovery.
Lingering Concerns Over COVID
Even as Spain, France, Italy, and Germany race to catch up, and mining companies pushed the FTSE 100 index of list shares to a monthly high of 7,129, some say that UK and US markets still suffer from a lack of confidence in raw material supplies. Yes, the Dow Jones has made up its 19,173-point crash of March 2020, and MSCI’s global stock index is at an all-time high.
Yet manufacturers around the world realise that these wins will be short-lived until pandemic supply chain bottlenecks are solved. If we keep the status quo, consumers will pay the price. In April, inflation in Germany reached 2.4%, and across the EU’s 19 member countries, overall prices have increased at an unusual pace. Some ask: Is this true recovery?
IMF: Current Boom Could Falter
Even as Elon Musk tweeted about chip shortages forcing Tesla to raise its prices, UK mining demand skyrocketed; housing markets lifted; and the pound sterling gained value. The International Monetary Fund (IMF), however, cautioned that manufacturing recovery won’t last long if COVID mutates into forms our vaccinations can’t touch. Kristalina Georgieva, Washington’s IMF director, noted that fewer than 1% of African citizens have been vaccinated: “Worldwide access to vaccines offers the best hope for stopping the coronavirus pandemic, saving lives, and securing a broad-based economic recovery”.
Across the globe, manufacturing companies are keeping a watchful eye on new developments in the spread of COVID. Though US FDA officials don’t think we’ll have to “start at square one” with new vaccines, the March 2021 World Economic Outlook states that “high uncertainty” surrounds the projected 6% global growth. Continued manufacturing success will in large part depend on “the path of the pandemic, the effectiveness of policy support, and the evolution of financial conditions”.
Mathias Cormann, secretary-general of the Organisation for Economic Co-Operation and Development (OECD) concurred—without global immunisation, the estimated economic boom expected by 2025 could go kaput. “We need to...pursue an all-out effort to reach the entire world population”, Australia’s finance minister added. US$50bn to end COVID across the world, they imply, is a small investment to restart our economies.