Why Modern Manufacturers Need Cyber Incident Response

By Nikolai Vassev June 12, 2018 forensics, incident-response, industry-specialization, security-orchestration-automation-response

Despite the constant news about cyber threats and the growth in major breaches, many companies are overly focused on prevention while overlooking incident response and handling practices. In today’s environment of an increasing attack surface, numerous security tools, overworked analysts, and a non-stop barrage of attacks, taking another look at existing policies and operating procedures can make a big difference to overall security effectiveness.

Industry 4.0 is the term used to describe the modern landscape of “smart factories”, where integrated cyber and physical systems monitor factory processes and take actions automatically. Robotics connected remotely to computer systems equipped with machine learning algorithms are becoming commonplace, and this major trend is only going to increase over the coming years. The physical systems communicating and cooperating with other machines and humans in real time over the network add more risk and complexity to manufacturers’ IT security.

This innovation has brought on revolutionary improvements in manufacturing, but with so much advanced equipment connected to a network, hackers can cause costly production interruptions by shutting down or damaging machinery.

Because of the connectivity of Industry 4.0, manufacturers are becoming a major target for hackers. Mondelez International was one of the most significantly impacted manufacturers last year, reporting a loss of $140 million in revenue directly from a ransomware attack that shut down one of their plants. One of Honda’s manufacturing plants was infected with WannaCry ransomware, and 1,000 cars were not produced because of the interruption. Toshiba’s 2017 ransomware incident caused a three-week plant shutdown and a major production backlog of 100,000 units of an important semiconductor product line. With proper incident response plans in place, these incidents could have been contained and the losses minimized.

These are some of the worst cases, but even a small-scale attack can cause major damage. Accenture reports that the average cost of a breach was $11 million in 2017. This number has risen 62% over the last 5 years, which underscores the growing dangers that organizations are facing.

Businesses should continuously fine-tune their emergency plans to reflect this new environment. If there are specific plans for a variety of scenarios, with established strategic alignment across all stakeholders, incidents are much less likely to result in damaging work stoppages.

Security teams should focus on developing the following five vital capabilities as part of their modern incident response plans:

  1. Implement technologies that collect and automatically enrich all threat data in a central place to add context, accelerate analysis, and improve decision making
  2. Have predefined and easily accessible playbooks for all possible scenarios to ensure consistent and standardized response procedures
  3. Automate simple tasks so that computers eliminate mundane “busy work” and analysts can prioritize incidents, while still allowing human intervention
  4. Ensure that managers and executives have detailed metrics on the SOC’s performance and the types of threats faced
  5. Have the ability to store digital evidence and investigation data to allow advanced search, compliance reporting, and link analysis to establish patterns and relationships for complex cases
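The following is an added example, not code from the original post, that sketches how the first four capabilities fit together in a SOC triage pipeline: alerts from an IT source and an OT source are normalized into one record type (capability 1), enriched with threat-intelligence and asset context, mapped to a predefined playbook (capability 2), auto-closed when they are clearly low-risk noise while everything else is left for an analyst (capability 3), and summarized into metrics a manager can read (capability 4). Every alert line, indicator value, hostname, playbook name and score weight below is constructed for the example.

```python
"""Toy incident-triage pipeline (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass, field

# Constructed threat-intel context an analyst would otherwise look up by hand.
THREAT_INTEL = {
    "ip": {"203.0.113.45": "known C2 infrastructure (constructed label)"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":
               "ransomware dropper (constructed label)"},
}
# Constructed asset inventory: plant-floor (OT) hosts rank higher than office hosts.
ASSET_CRITICALITY = {"plc-line3": "critical", "hmi-packaging": "high", "ws-finance-07": "medium"}
# Hypothetical playbook catalogue keyed by alert category (capability 2).
PLAYBOOKS = {
    "ransomware": "PB-RANSOMWARE-CONTAIN: isolate host, preserve image, notify plant manager",
    "c2_beacon": "PB-C2: block egress, collect netflow, acquire memory",
    "failed_logon": "PB-AUTH-REVIEW: verify with user, reset credentials on confirmation",
    "default": "PB-GENERIC-TRIAGE: manual review",
}
CATEGORY_SCORE = {"ransomware": 50, "c2_beacon": 40, "failed_logon": 10}
CRIT_SCORE = {"critical": 40, "high": 30, "medium": 20, "low": 10}


@dataclass
class Incident:
    source: str
    category: str
    host: str
    indicators: dict
    criticality: str = "low"
    intel_hits: list = field(default_factory=list)
    priority: int = 0
    playbook: str = ""
    auto_closed: bool = False


def parse_firewall_line(line):
    """Normalize a constructed firewall syslog line of the form
    '<ts> <device> DENY src=... dst=... host=... cat=...'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[3:])
    return Incident("firewall", fields["cat"], fields["host"], {"ip": fields["dst"]})


def parse_edr_event(event):
    """Normalize a constructed EDR event (dict); everything that is not host or
    detection type is kept as an indicator for enrichment."""
    extra = {k: v for k, v in event.items() if k not in ("hostname", "detection")}
    return Incident("edr", event["detection"], event["hostname"], extra)


def enrich(inc):
    """Capability 1: attach intel matches and asset context to the record."""
    for kind, value in inc.indicators.items():
        label = THREAT_INTEL.get(kind, {}).get(value)
        if label:
            inc.intel_hits.append(f"{kind} {value}: {label}")
    inc.criticality = ASSET_CRITICALITY.get(inc.host, "low")
    inc.priority = (CATEGORY_SCORE.get(inc.category, 20)
                    + CRIT_SCORE[inc.criticality] + 30 * len(inc.intel_hits))
    inc.playbook = PLAYBOOKS.get(inc.category, PLAYBOOKS["default"])
    return inc


def auto_close_if_noise(inc, max_attempts=3):
    """Capability 3: close only low-volume failed logons on low-value assets with
    no intel match; anything else stays open for a human."""
    attempts = int(inc.indicators.get("attempts", 0))
    if (inc.category == "failed_logon" and attempts <= max_attempts
            and inc.criticality in ("low", "medium") and not inc.intel_hits):
        inc.auto_closed = True
    return inc


def triage(firewall_lines, edr_events):
    """Central intake: normalize, enrich, classify, then rank by priority."""
    incidents = [parse_firewall_line(l) for l in firewall_lines]
    incidents += [parse_edr_event(e) for e in edr_events]
    for inc in incidents:
        auto_close_if_noise(enrich(inc))
    return sorted(incidents, key=lambda i: i.priority, reverse=True)


def soc_metrics(incidents):
    """Capability 4: a summary for managers rather than raw alerts."""
    return {
        "total": len(incidents),
        "auto_closed": sum(i.auto_closed for i in incidents),
        "by_category": dict(Counter(i.category for i in incidents)),
        "critical_assets_affected": sorted({i.host for i in incidents if i.criticality == "critical"}),
    }


# Constructed sample input: two firewall denies and two EDR events.
FIREWALL_LINES = [
    "2018-06-12T08:01:10Z fw01 DENY src=10.20.3.11 dst=203.0.113.45 host=plc-line3 cat=c2_beacon",
    "2018-06-12T08:02:44Z fw01 DENY src=10.20.5.8 dst=198.51.100.7 host=ws-finance-07 cat=c2_beacon",
]
EDR_EVENTS = [
    {"hostname": "hmi-packaging", "detection": "ransomware",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    {"hostname": "ws-finance-07", "detection": "failed_logon", "attempts": 2},
]

if __name__ == "__main__":
    queue = triage(FIREWALL_LINES, EDR_EVENTS)
    for inc in queue:
        state = "auto-closed" if inc.auto_closed else "open"
        print(f"[{inc.priority:3}] {state:11} {inc.host:15} {inc.category:13} -> {inc.playbook}")
    print(soc_metrics(queue))
```

The weights and the auto-close rule are deliberately conservative: an intel match or a plant-floor asset always keeps an incident in the human queue, and auto-closed records are kept rather than discarded so an analyst can reopen them, which is the "still allowing human intervention" part of capability 3.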

Implementing these five key capabilities in your SOC will not only significantly reduce incident response times, but also help lower the overall cost of security operations, while getting you the analytics you need to avoid “flying blind”.

Let us know if you are looking to improve your incident response program and we can connect you with our manufacturing cybersecurity experts that can help you implement all five key capabilities at your organization.

Nikolai Vassev
