Figure 1: Q9 Thinking about the last 12 months, how long is your organization’s ICS/OT system operation usually disrupted, because of a cyberattack? (N=829)
Factories in the manufacturing industry are broadly divided into assembly manufacturing and process manufacturing. Of these, assembly manufacturing is relatively easy to partially stop or disconnect from the network when an abnormality is detected. It can be inferred that the incident response time will be completed in a relatively short period. In addition, since the system can be restarted faster, the financial damage caused by cyberattacks may be reduced as a result.
1.2 “Exploitation of external published application or cloud service” was the most common type of attack that forced the system to stop operating in response to cyberattacks.
In response to a question about how they dealt with various cyberattacks, we analyzed the types of attacks that answered, “We were unable to stop this type of attack and had to respond to the incident.” As a result, the manufacturing industry is most likely to exploit external applications and cloud services at 32%, followed by malware infections via removable media at 30%. On the other hand, remote access exploitation was the lowest in the industry at 15%.
Figure 2: Q4_1 ~ Q4_7 How has your organization dealt with the following types of cyberattacks? (NB: Multiple choices allowed)
The assembly manufacturing industry is characterized by the procurement and introduction of a wide variety of equipment from multiple vendors. You can imagine that cloud usage and IoT devices are increasing in connection with the promotion of DX. While it can introduce new technologies quickly, it can also increase the number of entry points. Comprehensive risk judgment and incident response may become more difficult.
Even in the process manufacturing industry, DX is slowly being promoted. Even when a new service is launched in a specific factory, it can be said that comprehensive security management is necessary.
1.3 Insufficient efforts to improve cybersecurity
When asked if their organization has improved cybersecurity after an incident, 56% said, “We always/usually make improvements.” Although it is slightly higher than other industries, it is not a situation where sufficient measures are taken.
Figure3：Q10：Thinking about the last 12 months, post-incident, does your organization make cybersecurity improvements to minimise future attacks? (N＝829)
As mentioned above, it is possible that the outage time was short and many incidents were handled in a short time, but it is also possible that the cause was restored without sufficient investigation. In that case, it can be said that there is a possibility that you will be damaged again by the same trick.
1.4 Security enhancement drivers are recurrence prevention, followed by 5G implementation
We categorized the reasons for implementing cybersecurity measures into two categories, “past*” and “next three years,” and asked what the top two reasons were. As a result, the strongest driver was “Because we prevent recurrence of specific security incidents”, and we are continuously paying attention to recurrence prevention and improvement.
Next, implementation/implementation plans for 5G show the largest growth rate, showing a high percentage. Germany exceeded the industry average, and Japan rose by 7.2 points. Adherence to industry guidelines also scores highly.
*As of the survey (February to March 2022)
Figure 4: Top two reasons for implementing cybersecurity measures
Figure 5: Q19. Until now, what have been your organization’s top two reasons for implementing cybersecurity measures to protect your ICS/OT systems?
Q20.What do you believe your organization’s top two reasons for implementing cybersecurity measures to protect your ICS/OT systems are over the next three years？(NB: Multiple choices allowed)
We will consider the reasons and background for these results.
One of the reasons why there is a high awareness of efforts to prevent recurrence is that the manufacturing industry is expected to have a high percentage of established improvement processes to constantly increase productivity, and security can also be put on that system. There is a point that This result is the highest in the US, Germany, and Japan, exceeding 31% in all countries, and there is no variation like in other industries. You can see that this is a common issue throughout the industry.
5G initiatives have changed the most in Japan, rising by 7.2 points. I believe that the two points that have led to the big change in Japan are the increased benefits of introducing 5G and the requirement for security measures as a condition for granting local 5G base station licenses.
The local 5G usage system by the Ministry of Internal Affairs and Communications expanded the frequency band used from December 2020 to 4.6 to 4.9 GHz, which has a long transmission distance, and the government introduced a preferential tax system for 5G introduction. The benefits are even greater.
The Ministry of Internal Affairs and Communications stipulates that cybersecurity measures, including supply chain risks, must be taken as a condition for certifying development plans for specific base stations for the introduction of 5G. And local 5G is supposed to have the same conditions at the time of licensing.
Interest in 5G in Germany continues to be high at 31.4%. In Germany, the autonomous decentralized inter-enterprise collaboration mechanism (GAIA-X), which has been considered and implemented since around 2016, will start full-scale activities in 2021, the mobile communication strategy by the German government, and the EU as a whole.
We are actively working on 5G against the background of investment in the digital Europe program that we are promoting. At the same time, it is thought that there is a high awareness of ensuring security. Cloud usage scores similarly high. It is necessary to analyze the risks and threats at the time of introduction so that the introduction of these new technologies does not create new security risks.
2 Trend Micro Proposal
Summary of our research and analysis:
- In the manufacturing industry, the period of suspension due to security incidents is relatively short, and as a result, the amount of damage in terms of money is relatively small. This is thought to be because there are many assembly manufacturing systems, and it is relatively easy to stop and start the system.
- Although we are continuously working to improve security, it is thought that there are still issues to be addressed in ensuring security when using the cloud or using removable media.
- The hurdles to introduce new technologies such as cloud and 5G are more aggressive than other industries, but we must be aware that the number of companies and products involved will increase accordingly, and security management requirements such as analysis of new attack surfaces will increase.
- It is necessary to visualize the security risks of complex systems with a mixture of various tools, services, and vendors, and implement measures to ensure safe operation
Based on this result, Trend Micro proposes to organize and address cyber security challenges for CISOs in the manufacturing industry as follows:
- Take advantage of the improvement process of the manufacturing industry to improve security and strengthen operations and implement preventive measures specializing in OT to prevent a recurrence.
- Create a system and mechanism that can perform accurate cause analysis and response when an incident occurs across IT and OT.
- When introducing new technologies such as 5G, conduct threat and risk analysis comprehensively rather than locally. It also visualizes situations that change dynamically during operation, shortening the time to detect and respond to minimize damage.
More information on threats to ICS endpoints, including manufacturing, can be found here.
A full version of these findings can be downloaded here. It details the challenges that manufacturing, power, and oil and gas companies face, their causes, and the state of industrial cybersecurity.