While the rise of smart, connected products and processes in manufacturing is driving unprecedented operational efficiencies, creating exponential growth in data flows and access points, and birthing opportunities for economic growth, it’s also exposing manufacturers to unprecedented risks.
For the first time, cyber risk ranks among manufacturers’ top 10 risk factors. According to BDO, more than nine in 10 manufacturers cite cybersecurity concerns in their SEC disclosures this year, up 44 percent from 2013.
These concerns are well-founded. The manufacturing sector was one of the most frequently attacked industries, second only to healthcare in IBM’s 2016 Cyber Security Intelligence Index.
The Industrial Internet of Things may be transforming manufacturing, but each new connected device, sensor, or controller on the network means another entry point of attack. Every endpoint, every communicating sensor, every transaction could transmit a potential threat. The risks range from operations interruptions to theft of valuable IP to even more devastating consequences like unsafe food from tampering with a pasteurization unit. Furthermore, the use of containers in production—at the center of cloud services—raises additional concerns as the security measures are not yet well-developed. The known firewalls, encryption and antivirus systems are no longer enough for that environment.
IoT systems are, by definition, sensitive to performance and energy consumption. In addition, they are not available for patching and vulnerability corrections; they are static and predictable. At a dramatic level, one can imagine a hacker taking control of mission-critical systems.
IoT and IIoT have just opened millions of doors, distributed across the globe. The attack techniques are not yet scripted, so how can existing security products, which are based on prior knowledge, address these unknown attacks and attack vectors? And how will they update their signatures and behaviors, or patch their vulnerabilities for devices, sensors and industrial controllers that are not even reachable?
How can manufacturers protect their business as they grow increasingly interconnected?
It’s simple: Manufacturers need to focus on pre-emptive attack prevention, so a breach is prevented, a-priori, from ever occurring. This approach beats reacting to a breach once it has happened. Unfortunately, this simple concept is unattainable with the standard set of security tools, no matter how complex their configuration.
Today’s breach “prevention” is a reactive, multi-tier, targeted strategy: network security, firewalls, antivirus, patching system and application vulnerabilities, etc. And it’s not working. The security solutions are bypassed, and patching practices must be balanced against operational needs and sometimes are not even possible in manufacturing. Enterprises must choose between accepting the risk, or inefficient security practices that jeopardize thin profit margins and hinder growth.
But there’s an alternative. Enterprises need to build a security stack for endpoints and servers that covers patching gaps and blocks advanced and targeted attacks, without any prior knowledge or configuration.
All detection-based security products are necessarily limited by their detection logic—whether signature-based like traditional antivirus or more sophisticated solutions based on heuristics, reputation lists or machine learning. They also do not prevent file-less intrusions. Antivirus should be augmented with new memory protection and exploit prevention technologies that are attack independent and application agnostic. For example, our Moving Target Defense (MTD) uses counter-deception techniques to change the attack surface—in memory, in particular— before attacks ever happen, so that attackers can’t find their target. Any attempt at access is blocked and trapped.
This approach, using an MTD-augmented security stack, can help manufacturers mitigate risk in developing their Industrial IoT strategy without impeding its adoption.
Omri Dotan is chief business officer with Morphisec.