Staying cyber safe in industry – European Automation Report

Taken from the European Automation Industry Report about information security and its growing importance:

‘In 2014, the total number of cyber security incidents detected rose to 42.8 million according to PWC’s Global State of Information Security Survey 2015. For those of you that have not done the maths, that is 117,339 attacks per day, every day. And these are just the strikes that were detected and reported.

To comprehend the sheer extent of current threats, antivirus business Kaspersky has created an interactive map. It depicts the number and type of cyber threats in real time. I am sure you will agree that it is almost hypnotic.

But the map is also incredibly worrying. The total number of security attacks detected increased by 48 per cent from 2013 to 2014 and there is little evidence to suggest this percentage will decrease in 2015. Despite these figures, it appears that information security programs have actually weakened, due largely to naivety and inadequate investment.

In the industrial sector alone, companies reported a 17 per cent increase in detected security incidents in 2014. The resulting financial costs increased by 34%, while research from Barclays suggests that nearly 50% of businesses that suffer a cyber security attack cease trading.

This special report analyses the increasing global cyber threat and outlines the value of implementing a business focused security strategy to ensure the wellbeing of both employees and industrial automated systems.

Who done it?

The year 2014 featured some of the biggest hacking and cyber security breaches of the decade. It seems nobody was safe, not even the biggest corporate players. eBay, Sony Pictures Entertainment, Apple and Sony PlayStation were all victims of cyber attacks in one form or another.

Interestingly, there is one thing most security threats have in common and that is the source. The results of PWC’s survey illustrate that 34.55 per cent of companies asked reported that the attacks on them last year were estimated to originate from current employees of the company and 30.42 per cent from former employees. These were the two biggest culprits.

Statistically, you are far more likely to come under cyber attack because of someone plugging a corrupted USB stick into your network than you are to be specifically targeted by a hacker trying to exploit a weakness in an automated system. However, that’s not to say that you shouldn’t prepare for both eventualities.

Hackers still ranked highly in the survey – third with 23.89 per cent of companies surveyed pinning their security attacks on them. However, there is another, less prevalent threat that companies should be aware of too.

Every business encounters third parties on a daily basis – such as consultants, contractors, suppliers and providers. It is imperative that the information shared with these parties, on and off site, is restricted to an appropriate level. 18.16 per cent of businesses surveyed responded that they believed their current third party providers were responsible, actively or passively, for their cyber attacks.

For example, the US retail giant Target had a considerable breach in 2013 when the personally identifiable information (PII) and credit card details of customers were stolen. The multi-staged hack began with Target’s heating, ventilating and air conditioning supplier, who, it would seem, had access to Target’s network. Credentials were stolen from the US vendor using common malware implemented through an e-mail phishing campaign. This was the hackers’ way in.

The moral of the story is that to develop secure systems, companies must implement technical, conceptual and organisational measures to prevent different types of security threats.

Where to start

In a manufacturing context, typical security incidents include infection by malware, unauthorised use, manipulation of data, espionage and denial of service – the latter being an attempt to make a machine or network resource unavailable for its intended users.

The rise of interconnectivity and the Internet of Things allows everything in a factory to communicate using a common protocol, generating a large amount of data. This brings us to the second area companies should focus on: securing the mass data flow so that hackers cannot exploit it.

It is essential that, during an initial security assessment, the team identify, group and isolate the critical information belonging to the business so that the Chief Information Security Officers can properly protect it. This should be the main priority for any company concerned with its cyber security.

Network protection

One of the most effective means of safeguarding automated production systems is cell protection. This form of defence is especially effective against a number of different threats, including man-in-the-middle attacks, whereby the attacker has the ability to monitor, alter and inject messages in a communications system.

The most common device used for cell protection is an industrial Ethernet communications processor that integrates a firewall and VPN, filtering out attacks and keeping the network connection secure.

Security via education

Part of the current problem is that the topic of cyber security isn’t being elevated to a board level discussion in most companies despite the damaging consequences of security breaches including loss of production, reduced product quality and safety.

To help educate businesses in the ways of information security, the UK Government has allocated £860 million until 2016 to establish a National Cyber Security Programme. Under the programme, the Government has developed a cyber essentials scheme to give companies a clear goal to aim for. This will allow businesses to protect themselves against the most common cyber security threats but also advertise that they meet this standard.

In addition, a ‘Ten steps to cyber security’ booklet is available for anyone seeking advice on current risks and methods of prevention. The literature outlines important elements when creating a business-focussed security strategy, such as risk management regimes, secure configuration, network security, user privileges, education and awareness, incident management, malware prevention, monitoring and home or mobile access.

Industry

On the whole, cyber threats are increasing and yet information security budgets seemed to decrease in 2014. The industrial products market is the exception because it has created budgets to protect itself.

According to the PWC security survey, this sector, more than all others surveyed – power and utilities, healthcare, retail and consumer, technology and financial services – appears to understand rising security risks. Moreover, it’s investing accordingly.

Information security budgets for industrial products companies have soared more than 150 per cent in the past two years. In 2014, information security spending represented 6.9 per cent of PWC survey respondents’ total IT budget, the highest of any sector surveyed. However, in 2014, security incidents in the sector also increased sixfold. So perhaps even a 150% increase is not enough.

The result of this investment has been notable improvements in security processes and technologies, as well as training initiatives. However, there is still generous room for improvement.

Stay safe

Megatrends such as Industry 4.0, the Internet of Things and big data have driven industrial automation to a completely new level, creating more efficient and sophisticated production lines. Industry is integrating its manufacturing lines with IT layers and the traditional industrial automation pyramid is collapsing due to the need for faster, cheaper and more effective production. However, there is a price for these gains: with greater openness, interconnectivity and dependency comes greater vulnerability.

If the majority of cyber attacks in 2014 were committed by current employees of the affected company, how many of these do you think were undertaken knowingly? Or were they the result of an individual not fully understanding that his or her actions could lead to security breaches?

Risk assessments need to be undertaken for suppliers, providers and contractors and restrictions on information should be put in place. Unified procedures should be written up and followed when dealing with any third party that requires a certain level of information from a business.

With financial investment and appropriate attention paid to cyber security infrastructure and procedures, a business will be ready should a malicious external attack take place. Otherwise, a company does not just face loss of production and financial penalties; there is also loss of reputation and potential danger to both machines and humans to consider.’

The full report can be viewed here: http://www.euautomation.com/us/automated/special-reports
