ICS/SCADA, Endpoint/Device Security, Risk Identification/Classification/Mitigation, Network Security, Endpoint/Device Security, Endpoint/Device Security

CISA highlights the gains (and security risks) of increased automation in the manufacturing sector

Boxes containing the Pfizer-BioNTech COVID-19 vaccine are prepared to be shipped at the Pfizer Global Supply Kalamazoo manufacturing plant. Along with gains in efficiency, increased automation trends are bringing new security risks to the manufacturing sector, CISA warned the public this week. (Photo by Morry Gash – Pool/Getty Images)

The Cybersecurity and Infrastructure Security Agency has warned that in addition to greater efficiency, increased automation in the manufacturing sector will also bring greater digital risks that malicious hackers can exploit.

Manufacturers were already moving towards automation and remotely operated processes before the COVID-19 pandemic, but the onset of the virus led to a fierce acceleration of those trends as factories dealt with quarantines and limited the number of in-person employees on factory floors.

In a document published this week, CISA noted that this shift, while necessary for many companies to keep operations running, may also introduce unfamiliar technologies that increase the attack surface for cyber criminals, ransomware groups, and nation-state hackers.

For example, the shift to automation and remotely operated machinery requires retraining operators on new processes, strong connectivity, and a specialized cybersecurity workforce familiar with the intricacies of manufacturing technologies who can put in place effective policies around control, validation, and monitoring of cybersecurity risks.

Manufacturers have already been disproportionately targeted by ransomware actors and other cyber criminals during the pandemic, but CISA said that if current trends around automation hold, attacks against the sector are likely to get even worse as more vulnerable systems are brought online and connected to operational technology (OT) and machinery.

“Environments previously ‘air-gapped’ may become more connected to enterprise networks, as well as to public clouds, vendor networks, and other third parties for remote management,” the agency warned. “This rapid expansion of the threat landscape and attack surface has made it far more likely manufacturing organizations will experience a cyber event significant enough to degrade or impede safety and availability of production.”

At a time when many brick-and-mortar companies struggle to stay open, automation has been a lifeline for the manufacturing industry. A report and survey on the sector conducted by Ericsson earlier this year found that 69% of businesses in the sector reported unchanged or improved financial performance during the pandemic, even as eight out of 10 said they’ve had to cut costs.

There are signs that economic drivers could push the industry towards a wholesale transformation before it can adequately plan or assess what that future environment will look like and how it will operate. The cybersecurity implications of more widespread automation are just one of those unknowns. There’s also a major gap between how employers and employees perceive the future of the workforce.

“Full automation is approaching, but neither decision makers nor production employees fully grasp the consequences,” the report noted in one conclusion. “While almost two-thirds of the surveyed manufacturers expect to be automated to at least 80 percent within 10 years, more than half of the production employees still believe more people will be needed in similar roles by 2030, and only 1 in 5 think companies will need fewer people. Close to 9 in 10 decision makers expect to use AI in their production processes within the next 10 years, however 3 in 4 think humans will still make at least half of all production decisions.”

Like many industries, manufacturing needs to invest more in cybersecurity talent, whether through recruitment or retraining of existing staff. CISA said that given reduced crew density, it's essential for manufacturers to develop cybersecurity and operational knowledge within the shop floor environment. The agency also added that manufacturers must train security analysts so that these companies can conduct remote monitoring of factory environments.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.