Report finds UK manufacturers’ cybersecurity severely wanting
Nearly half of UK manufacturers have been victims of a cybersecurity incident.
The findings come from a report released by EEF, surveying almost 170 manufacturers across the UK.
According to EEF chief executive officer Stephen Phipson, a comprehensive approach to cybersecurity is not something that manufacturers can afford to ignore given the sector is now the third most targeted attack, behind only government systems and finance.
Despite this, Phipson says manufacturing is one of the least protected sectors against cybercrime.
"The 4th Industrial Revolution represents an unprecedented opportunity through interconnectivity. But that very openness brings with it increased risk. Cyber-vulnerability is a major barrier to business and growth; threatening loss of data, theft of capital and intellectual property, disruption to business, and impact on trading reputation," Phipson says.
"Manufacturers must urgently take appropriate steps to protect themselves. Our sector is already a significant target for malicious activity in cyberspace, which impacts businesses in a variety of ways. Increasing digitisation means that the challenge is likely to both broaden and deepen."
Some of the key findings from the report include:
- 48 percent of manufacturers have at some time been subject to cybersecurity incident, half of whom suffered some financial loss or disruption to business as a result
- 12 percent have no technical or managerial measures in place to either assess or mitigate against the threat from cyberattack
- 41 percent do not believe they have sufficient information and advice to confidently assess their specific cyber-security risk
- 45 percent are not confident that they have the right tools, processes and technologies to mitigate cyber-security risk
- 59 percent have already been asked by a customer and 58 percent have been by a business within their supply chain to demonstrate or guarantee the robustness of their cybersecurity processes - 37 percent couldn't do this if asked today
EEF welcomes the steps the government is taking to improve national cybersecurity, but is concerned with the fact that to date it has been a 'one-size-fits-all' model with no priority given to the specific needs of manufacturing.
Digital Guardian director of cybersecurity Tim Bandos says the reason manufacturing companies are one of the most popular targets for cybercriminals is because of the sheer amount of classified information they hold.
"Increases in cyber attacks targeting manufacturing can be attributed to a growing number of financially motivated, state-sponsored hackers. Typically, government-funded organisations target manufacturers' networks to steal intellectual property (IP) and trade secrets. Data or more specifically intellectual property is the lifeblood of this industry and it must be protected accordingly," says Bandos.
"It's recommended that organisations take a KPI (Key Performance Indicator) perspective to cybersecurity, by setting goals and metrics to improve security stature. A key benefit of this is the ability to develop a heat map of sorts, to outline where they should be focusing their efforts and/or where they should continue to invest in protecting their most sensitive assets.
Exabeam VP of products Sylvain Gil says there is a serious issue with industrial systems in that many of them are old (ten to twenty years old in some cases) and there is not necessarily a practical way to upgrade them due to the criticality of their availability.
"Industrial networks were designed before cyber threats emerged and as a result, they lack the visibility and policy enforcement layers that enterprise IT networks have. We need more insight into the behaviours of these systems," says Gil.
"They are rudimentary and were never thought to be vulnerable to people outside the operating facility – but they certainly are. We've seen enough examples that we know they can be manipulated, not just in terms of being used for cybercrime, but they can actually have physical consequences, as well, like a shutdown or explosion."