As “Mechanical” Becomes “Digital,” Manufacturers Turn to Cybersecurity

Brand Story: Aldrich Technology & PayneWest Insurance deep-dive into cyber threats and human solutions.

Over the past 10 years, mechanical processes have given way to digital hybrids that are transforming the manufacturing industry. Digitization and smart manufacturing heighten the role of data and the cybersecurity implications that come with it.

From a manufacturing perspective, data encompasses both the input that regulates equipment and the metrics gathered during production. For some companies, residual big-data accumulation could one day emerge as their most valuable business line.

While large manufacturers recognize the value of protecting their information against cyberthreats, small- and medium-sized organizations suffer from the misconception that they are not “important enough” to infiltrate or that they cannot afford to defend themselves.

SME vulnerability & hacking myths
The first fallacy aligns with pop culture’s picture of 90s-era hackers: disheveled computer geniuses working in smoke-filled basement apartments to bring down corporate giants and world leaders. Though greatly entertaining, that picture is at odds with reality: office buildings of professional developers sending algorithms out to attack IP addresses indiscriminately.

“To a hacker, you’re just an IP address and all addresses get attacked with roughly the same frequency,” explains Peter Adams, vice president of business strategy at Aldrich Technology. “Two thousand attacks per minute is average for our clients. It doesn’t matter the company. It’s automated, it’s not somebody.”

Peter Adams of Aldrich Technology

If the information matters to a company, big or small, it possesses value for hackers. Ransomware attacks are on the rise, with hackers hijacking portions of a business’s system and blocking owner access, only unlocking it in exchange for a cryptocurrency payment — as was the case for the City of Baltimore this summer. Faced with an estimated $18 million in losses, officials recently approved $20 million in cyberinsurance.

For manufacturers, the potential risk of a hacker with access to control systems introduces uniquely high consequences — for example, someone with access to the controls of a piece of equipment operating at extreme temperatures could turn a simple silicon wafer machine into a 3,000-degree bomb by overriding controls and causing an explosion.

“Manufacturers don’t initially think of their facility as a cybersecurity issue,” says Andy Tucknott, Certified Insurance Counselor and sales executive at PayneWest Insurance. “But equipment is becoming more and more automated and connected. Carriers are seeing a huge uptick in claims for equipment being held ransom.”

The nature of supply chains makes the industry uniquely vulnerable.

“Manufacturers have a bigger than typical issue because of their suppliers — who they get their raw materials from and who they pass their products to,” he adds. “If there is an event that occurs on either end of that chain, their operations will be severely impacted.”

When working with manufacturers, Aldrich Technology assesses the entire supply chain, helping the client draft questions, run training programs, implement cyberinsurance policies and more.

Looking past IT to HR
Cyberinsurance, such as that offered by PayneWest, exists because guaranteed security does not…thanks to human error.

“Cybersecurity is mainly a human issue, which makes it much harder to control. Humans are more difficult to train, and when they don’t understand the ‘why’ they tend to default to the easiest or more expedient way to achieve the task,” Adams says. “So, it’s incumbent upon the organization to train them on how to spot attempts.”

The complexity of phishing attempts evolves to keep up with a tech-savvy society, combining social engineering, technological engineering and human behavior. At a recent Cybersecurity for Manufacturers panel held by Oregon Business, in partnership with Heritage Bank, Aldrich Technology and PayneWest, Adams gave the real-life example of apparent Facebook quizzes that collect the answers to account security questions.

“As a bank that handles billions of dollars of transactions for our commercial customers, we often have a front row seat to the challenges that cybersecurity risks present our customers,” says Emily Leach, commercial banking team leader at Heritage Bank. “The operational, financial and business continuity risks are very real. Vigilance on the part of our bank staff members and the staff members of our customers is of utmost and increasing importance.”

Because their success hinges on the human element, cybersecurity threats have grown extremely sophisticated — leveraging people’s trust, sense of safety, fears and behaviors to get the access they need.

Gone are the awkward, typo-ridden emails that fooled earlier generations. Instead, an incursion comes as an email apparently from a CEO in response to a requested lunch meeting, but with one additional point. One recent example of such an email went like this: “I’m just boarding a flight. I need you to wire $5,000 immediately. Thanks.” The hacker responded within an existing thread, knew the CEO was about to board a plane and adopted the necessary tone.   

Information warfare vulnerability expert John Bicknell presents during a recent conference on cybersecurity for manufacturers.

“Others in the tech space often approach cybersecurity like it’s the technology that matters: ‘If you just had better technology tools then these problems would go away,’” Adams explains. “We think it’s just a tiny piece of the problem. If I put in great technology and nobody uses it, what’s the return for the business? Negative returns are the norm for IT projects because they focus on the technology, not the people.”

He recommends that companies start employee and executive training by teaching personal security before corporate security since it hits closer to home, boosts engagement and still heightens their overall awareness.

Back to security basics
Before Aldrich Technology takes on a manufacturing client, Adams challenges them to tackle the basics, which cost next to nothing but often fall through the cracks. These include updating “anti” programs (antivirus, anti-spy, antimalware, antispam, etc.); two-factor or multi-factor authentication; employee training; and implementing passphrases rather than passwords.

A 14-character passcode takes roughly one million years to crack, compared to an 8-character code, which takes five hours, with or without symbols.

Weak internal security structures are a common fixture within small manufacturing companies where everyone has access to nearly everything. Any breach compromises the entire system.

Segmented architecture
“I believe in compartmentalized security on the inside where you set up the architecture of the system so that people have access to what they need to get the job done and nothing else,” Adams says.

By splitting the system up into different sections, companies can tailor the level of security and the set of users to each one. Manufacturer networks and critical control systems take priority, demanding different treatment than a corporate network. Highly sensitive information gets the consolidated, sophisticated protection that would be excessive for marketing material.

Often integrated retroactively, cybersecurity works best when considered during the development phase, making it easier to install segmented architecture.

Recent conference on cybersecurity for manufacturers

“The majority of people reach out when they’re having a problem that’s manifesting like a tech issue: high turnover of IT staff, delayed projects, a cybersecurity breach,” Adams notes. “Typically, the problem they’re describing is actually the symptom, so we try to figure out the root cause.”

When it comes to mergers and acquisitions, the transitioning of IT systems presents an overlooked but pivotal part of the process, and companies often only call a year or two later when they fail to reach their target ROI.

Aldrich Technology — born in early 2019 when Aldrich acquired long-running tech services company Lighthouse Information Systems — has a reputation for increasing company value pre-M&A and optimizing systems post-transaction. Aldrich recognized the value of acquiring a team dedicated to helping companies be more successful by aligning IT in the direction of their business strategy.

“This in particular is where bringing in this technology line of business made sense,” says Peggy Kitzmiller, managing director of Aldrich Technology. “We do M&A transactions in manufacturing and we’re here to help create value for companies, but we didn’t yet have the expertise on the technology side.”

IT as a business driver
Aldrich Technology begins each project by understanding the executive vision.

“The hallmark of what we do is a deep level of engagement with the executive team and the rest of employees,” explains Adams, a believer in small, quick, high-ROI projects. “If you understand their vision, then IT needs to be designed to drive the business in that direction so it’s coherent. Most IT groups handle it tactically. The actual technology anyone can do, but most are missing the business part.”
 
Digital transformation, cloud migration and Aldrich Technology’s other high-profile tech overhauls exist in the context of business objectives, not for their own sake. IT then transforms from a necessary evil into a business driver.

Because many manufacturers lack robust IT departments, Aldrich provides a managed IT service calibrated to the company’s business strategy, either integrating with, partnering with or replacing existing IT teams.

Human error & invisible threats
Despite the best safety efforts, cybersecurity risks are here to stay.

“You can never 100 percent prevent human error. People make mistakes, so there is always a level of exposure,” Tucknott notes. “This is not going away. We have clients who have declined cyber insurance coverage for the last eight years and most of them are looking into buying it now.”

Andy Tucknott of PayneWest Insurance

To illustrate how the coverage has developed and become affordable: it was once uncommon to quote cyberinsurance for companies with fewer than 150 employees. PayneWest now presents cyber insurance proposals to 10-person companies because of the coverage’s affordability and the equal likelihood of attacks.

Manufacturers can secure a very robust cyber insurance policy for as little as $2,000 a year. Their resistance, rather than a financial restriction, stems from a perceived inability to quantify the risk.

The notion of an invisible threat overwhelms teams in a way that traditional risks do not: “When there’s a conventional type of insurance-related loss, like a pipe burst, they, through experience or intuition, know what to do: shut the water off, clean it up as much as possible, call a mitigation company, hire contractors. They don’t have trouble navigating that process,” Tucknott says.

Cyber events prove far more disorienting to manufacturers, which spend relatively little time focusing on IT. The PayneWest team usually recommends a policy that comes with a cyber coach who helps them navigate the entire process in the wake of an attack, from confirming a breach to mitigating risks.

The emergence of the Internet of Things ushers in a new type of cyber insurance particularly relevant to manufacturers: coverage for bodily injury and property damage. Though once the stuff of science fiction, hacked connected devices could soon mean faulty stoplights, overheating HVAC systems and more.

Boosting cybersecurity awareness
In recognition of National Cybersecurity Awareness Month — a joint government-industry initiative that takes place in October — events like Cybersecurity for Manufacturers highlight both the vulnerability of every individual, company and industry to cyberattacks and, more importantly, their ability to take action.

“Companies don’t need to become experts in cybersecurity to protect themselves,” Tucknott concludes. “What they do need is to assemble the right team around them to help them understand the landscape and navigate the right path.”




 

Brand stories are paid content articles that allow Oregon Business advertisers to share news about their organizations and engage with readers on business and public policy issues. The stories are produced in-house by the Oregon Business marketing department. For more information, contact associate publisher Courtney Kutzman.
