Industry 4.0 and cybersecurity – How to protect your investment

Digital transformations are notoriously difficult for small and medium-sized manufacturers (SMMs). SMMs need to meet production goals, recruit and retain talent, and reduce risks in their supply chains all while trying to adapt to an evolving technological landscape. Fortunately, Industry 4.0 is gaining momentum to address these challenges by providing pathways to efficiencies, innovation and growth. As a result, more manufacturers are investing in automation and equipment monitoring.

Industry 4.0 may be a game changer for SMMs; however, it is not a panacea for all the challenges facing 21^st century manufacturers. Like any new technology, Industry 4.0 introduces new vulnerabilities. Connectivity is great, but the cost of protecting critical systems and data cannot be an afterthought. Cybersecurity should be one of the first things to consider with any technology investment.

Physical security is not an afterthought – manufacturers secure their facilities from intruders. They would be wise to do the same for their operational technology (OT), data and connectivity. After all, manufacturing is the most targeted industry for cybersecurity attacks.

In previous blogs on cybersecurity and Industry 4.0, I looked at the basic elements of Industry 4.0 and how cybersecurity is a critical factor in information technology (IT), OT and customized software. In this blog, I’ll discuss how manufacturers can approach the additional vulnerabilities that come with Industry 4.0 and the interconnectivity it provides.

Industry 4.0 means new cybersecurity challenges with OT 

Industry 4.0 is all about leveraging connectivity and data, bridging gaps so that traditional IT systems can exchange information with OT. The boundaries between these areas have almost disappeared. While cybersecurity used to be primarily concerned with IT, manufacturers must be more diligent in securing their OT and its many access points. A breach in OT can interrupt the manufacturing process or impact product quality. It can cause companywide disruption in other departments like shipping and billing or endanger sensitive company information.

Many SMMs rely on machines that operate with customized software. However, these systems may not work with current cybersecurity techniques or may unintentionally introduce vulnerabilities. SMMs may not keep software updated or patched to address newly discovered vulnerabilities. It’s also not unusual for manufacturers to have legacy or specialty machines connected to old computers with operating systems and software that are no longer supported.

When dealing with OT cybersecurity, be sure to account for backups of OT configurations and data needed to restore systems, all with secure encryption. Also keep in mind that new regulations and compliance may present vulnerabilities. Some initiatives involve OT monitoring of energy usage and carbon emissions to avoid costs and penalties. These OT-based sensors and controls create a vulnerability to a cyber attack. 

AI is the latest example of how Industry 4.0 brings vulnerabilities

New Industry 4.0 technologies will continue to benefit advanced manufacturing – artificial intelligence (AI) is the latest example. AI could help secure OT systems by quickly sifting through security data to identify threats and attacks. It also could help analysts monitor systems and conduct forensic investigations.

But like other technologies, AI represents a new risk and introduces cybersecurity vulnerabilities, including some we may not even be aware of. Hackers more than doubled their AI-powered ransomware attacks between August 2022 and July 2023. Ransomware is the most popular avenue for attacks against manufacturers. It is safe to assume bad actors already are using generative AI.

Create a cybersecurity-aware culture so employees understand threats

Operators should have a full understanding of why cybersecurity controls such as passwords or multifactor authentication are necessary when they engage with a machine. They should also know what types of information can be stolen, such as intellectual property, quality controls, and sensitive business information in contracts.

Cybersecurity is not an inconvenience. Manufacturers can create a cybersecurity-aware culture by starting with two primary vehicles:

• Annual risk assessment: When a company understands the risks they are accepting, it positions itself to establish procedures or actions to minimize risk. Here’s a guide to getting started on conducting a risk assessment.
• Cybersecurity awareness and training program: Employees should know which behaviors are appropriate, how to identify suspicious activity, and how to react if they see a problem. See this list of free and low-cost online cybersecurity learning content compiled by the National Institute of Standards and Technology (NIST).

With remote access and so many additional data connections in our Industry 4.0 landscape, it is increasingly important to train employees on how to recognize social engineering. Social engineering refers to the tactics of manipulating, influencing, or deceiving a victim to gain control over a computer system, or to steal sensitive company information. Hackers have been known to pose as suppliers and vendors to gain access or penetrate systems.

Manufacturers should be clear with their cloud computing and other providers about whose responsibility it is to back up data and protect sensitive information. 

Remote access helps manufacturers but requires discipline

As in a previous blog on cybersecurity and Industry 4.0, let’s look at AthCo, a fictional medium-sized manufacturer of athletic apparel, to illustrate some of the additional cybersecurity vulnerabilities that come with Industry 4.0.

AthCo added sensors throughout its factory to monitor machines and control systems, which reduced downtime and helped achieve greater productivity. AthCo also uses an enterprise resource planning (ERP) system and a customer relationship management (CRM) system to communicate internally and with its customers, suppliers, and business partners.

Now AthCo managers across the company can remotely monitor production levels, inventory and more. If those employees are not protecting passwords or if they fall for a phishing scam, bad actors can get into the operating system.

AthCo needs to reduce the risk of shutdowns and ransomware while accounting for corporate espionage. For example, a competitor’s overseas supplier has lost business to an AthCo supplier and seeks to damage AthCo in some way. Hackers could change something in AthCo’s processes – such as the way fabric is cut for one out of every 10 pieces. This would lead to quality issues, waste and rejects. A month later, the hacker could increase their frequency to two out of 10 pieces, creating more havoc.

Another consideration is when AthCo develops a new fabric for the Department of Defense. Hackers from foreign governments or even terrorist groups may attempt to steal information on this project or seek to prevent its development.

Disgruntled employees or former employees who gain access to OT have also caused disruptions. AthCo must be disciplined about the processes and procedures used for remote access. All of these factors need to be taken into account when implementing procedures and practices to secure remote access.

Securing data and connections in Industry 4.0

Industry 4.0, with all its connectivity and data, is a powerful approach to helping manufacturing processes, products and people. This is why cybersecurity has to be top of mind any time a manufacturer makes an investment in technology. Just as manufacturers secure a building, they should take steps to secure their connections and information. For more information on cybersecurity and Industry 4.0, please contact your local MEP Center.