Almost half of manufacturers have fallen victim to cybercrime, according to the Cyber Security Manufacturing Report 2018, published by EEF. One of the biggest challenges for manufacturers is choosing from the range of products and services available to protect against these crimes. Here, Lee Sullivan, regional manager at COPA-DATA UK, explains his three cyber security rules that manufacturers should abide by when selecting vendors.
Cyber-vulnerability in manufacturing threatens data loss, theft of intellectual property and severe damage to a business’s trading reputation. Without doubt, the increase of connected devices on the average factory floor has expanded the risk, but in an age where smart production cannot be avoided, how can manufacturers connect their facilities, while remaining protected?
Security by design
When choosing a vendor for industrial software, most manufacturers will enquire about the product’s security features. However, further investigation should be taken to ensure these features can protect against all threats, both today and in the future.
Cyber security features cannot be static. Before selecting a product, manufacturers should ensure the software will provide ongoing security updates during the entire lifespan of the software. Otherwise, the system may be unable to protect against new, emerging or unfamiliar threats.
Asking this in advance can also protect manufacturers against unexpected invoices, as some products may have unplanned additional costs for upgrades or patches. In fact, manufacturers should be wary of any supplier that will only provide adequate security protection as an additional feature — this should be provided as standard.
Secure cloud hosting
Cloud storage has long been hailed the solution for storing the huge volumes of data that smart factories generate. However, cloud-sceptics often argue that storing data offsite can leave it vulnerable to unauthorised access.
Storing industrial data in the cloud can provide manufacturers with plenty of opportunities —the creation of company-wide dashboards and identifying production key performance indicators (KPIs) are just two examples. However, before reaping the rewards of the cloud, it is important to ensure that the software vendor uses a secure host.
Believe it or not, some manufacturers using cloud-based platforms do not know where their data is being stored. Before selecting a vendor, manufacturers should ask who the host is and what security measures the platform provides. This is also the time for manufacturers to perform their own research on the history and reputation of the host, and identify any certifications they might have to bolster their claims of security.
Microsoft, for example, has invested heavily in the security of its cloud platform, and has achieved ISO 27001 certification as a result. This is the international standard for best practice of an information security management system (ISMS). Opting for hosts with certifications like these can provide manufacturers with third party assurance, and ultimately, it proves that the host takes cyber security seriously.
Setting the standard
Identifying other valuable certifications can provide a useful starting point to determine the security standards of both a cloud host and the product vendor itself. COPA-DATA, supplier of industrial automation software zenon, for example, has been certified in accordance with IEC 62443, a standard that confirms a piece of software’s development meets industrial security guidelines.
When selecting software for a facility, IEC 62443 compliance is a noteworthy certification — and is one that customers should look out for. As the standard requires recertification annually, manufacturers can ensure their software provider is constantly under scrutiny from a respected third party.
The annual recertification also requires vendors to provide evidence that proves exactly how the software’s security is improving. Not only does this reassure manufacturers the software is effective against new threats, but can also save the time required to manually audit the effectiveness of a software product.
As shown in the EEF’s report, almost half of manufacturers have experienced cyber-attacks, and 24 per cent of those respondents sustained financial or business losses as a result. What’s perhaps more interesting, is that an additional 24 per cent of victims believe they would have experienced losses, had their cyber security processes not prevented the attack from going further.
Manufacturers cannot afford to bypass the rewards of smart factory connectivity. However, as cyber security threats are so prevalent to the industry, protecting against these threats should be a top priority when selecting any product or service.