Mumbai: Manufacturing shop floors may look futuristic these days, with industrial robots, wireless connectivity and large-data operations driving efficiencies.
However, it has potentially created a crippling problem — unsecured resources.
Metals, capital goods, chemicals and electronics industries are fast becoming prone to cyber security risks as investments in manufacturing systems that incorporate connected devices, or Internet of Things (IoT), increase.
As a result, manufacturers are rushing to prioritize cyber security in their overall information technology spending.
Threat actors are “increasingly targeting non-information technology industries, such as automobile or manufacturing, because such industries give secondary preference to cyber security,” according to Seqrite, the enterprise security arm of Pune-headquartered Quick Heal Technologies.
Indian manufacturing companies detected the most malware among the sectors surveyed, at more than 28%, Seqrite noted in a recent report on cyber security trends during the second quarter of the ongoing financial year.
Manufacturers have become more vulnerable to cyber-attacks after shifting to Cloud infrastructure and services, analysts said. Increased digital connectivity means manufacturers face threats from various quarters, they said.
“The threat has now become very apparent to the manufacturing sector, which faces risks from the malevolent hacking of their IoT investments to the intellectual IP theft from China and other rogue states,” said Peter Bendor-Samuel, chief executive officer, Everest Group, an IT advisory and research firm.
According to a recent study by IT services provider WiproNSE 3.04 %, of the total critical resources or assets offered on the Dark Web, 14% were from the manufacturing sector, with the rest from banking and finance, and healthcare, among others.
The assets ranged from industrial designs, blueprints for new projects and even operating parameters of a manufacturer, it said, not just pure financial information or details on monthly production numbers.
Awareness around cyber security has traditionally been higher across highly regulated industries such as pharmaceuticals, and those like retail where there is increased customer interaction, said Abhijit Katkar, Partner, Cyber Risk Services, Deloitte.
Traditional sectors are, however, starting to pay more attention to cyber threats, Katkar said.
“There is an increasing awareness that security isn’t a one-time affair. Companies understand that it is not only about securing and monitoring their assets but also about building resilience,” he said.
Tata Steel has increased allocation to cyber security within its larger IT expenditure, according to Mrinal K Pal, the head of information technology.
The company’s annual spending on cyber security has gone up to 15% of its annual IT budget, compared to 8% two years ago, and is set to increase further.
“Depending on the new evolving threats and perceived threats, there will be an increase in spends…Once you have established the framework, it needs to be sustained and scaled up; new businesses cannot be unattended in terms of security protection,” Pal said.
The company has also invested in cyber insurance and deployed a Security Operations Centre to protect data and applications, and analyze up to 30,000 events per second to immediately detect and defend cyber-attacks.
JSW Group, the $14 billion conglomerate led by Sajjan Jindal that is into steel, energy, cement and infrastructure, has been re-evaluating its approach to its vast security needs. The focus has shifted from securing the perimeters of machines that contain critical information, to securing the information itself.
Digital technologies such as sensors, probes and high-velocity hybrid data from connected devices (IoTs) have made cyber security more complex and the stakes have moved beyond basic hygiene security, said Dheeraj Sinha, Group Chief Information Officer, JSW Group.
“We now think of threats — both from external as well as internal users because of lack of awareness. While we continue to harden our posture on the external side, we are creating awareness within the organization about cyber security through internal campaigns and learning initiatives,” he said.
Internal awareness typically includes workshops on how to protect company information with various practices. Identifying and alerting the company against malware or phishing mails, ensuring that data remains safe while sharing files on third-party cloud storage platforms and minimizing the use of public WiFi networks when viewing critical information — these are some of the ways through which employees are sensitized to critical company data.
Given the speed with which AI can be used to break into even the most secure assets, companies are also looking at ‘hacker bots’ to plug potential gaps faster than humans, analysts said.
Defending IoT assets is the most challenging, as they have disparate functions and abilities.
Many IoT devices are created to perform specific functions, with only a few operations.
For instance, a sensor detects specific metrics on an assembly line. Other devices only deliver information by the second, while yet others act as static storing units of information which become active only when some kind of anomaly is detected.
This means it is important to understand how data flows through all these devices in order to secure information.
“Data flow in IoT networks is extremely important to understand how, when and where to secure data,” Sinha said.
This has resulted in higher spending on security in areas like threat hunting, incident detection and response.
“The cyber security spends continue to increase, not only in terms of value but also as a percentage of the overall budgetary allocations…Within a rapidly growing organization like JSW Group, with constantly evolving technology landscape and organizational goals, cyber security will continue to require considerable spends,” Sinha said.
IT service providers, however, said they have not been surprised by the rising urgency to attend to security needs.
Manufacturers now view cyber security as critical to their operations, ahead of the energy, utilities and financial services industries, a study conducted by Infosys has revealed.
“If you look at the history of cyber security risks, you find that attacks were against financial segments like banks, so the BFSI sector, and to some extent the telecom sector got heavily regulated and the maturity level (on cyber security) grew in these segments,” Salvi said.
“But, with a higher number of ransomware attacks, which are basically non-discriminatory in nature…the major brunt of the attack is being borne by the manufacturing industry and those…that weren’t considering cyber security as a major issue,” he added.
For large enterprises including the likes of Tata Steel and JSW Group, premiums for cyber security insurance have reduced due to increased competition, according to a report by Data Security Council of India, an industry body on data protection.
Indian manufacturers employing Industrial Internet of Things (IIoT) solutions pay premiums of a little over $8,000 a year for $1 million worth of coverage, it said.
Those early to adopt predictive threat management, however, expect to avoid disruptions as these cost millions of dollars in detection, remediation, reputation, customer trust, market value and higher costs of cyber insurance.