Authored by Dirk Sweigart, MESA Cybersecurity Working Group Chairman
Thursday, May 20, 2021
Myth – We Are an Unlikely Target
The Colonial Pipeline, Iranian centrifuges, large financial companies and large companies in general, big cities – these are the notable targets of cyber attackers. Seen within this context, it is easy to assume that your company is an unlikely target for a cyberattack and therefore does not need to be stringent about protecting its manufacturing systems. Let us explode this myth.
First, some attackers are simply opportunistic. They don’t know the potential value of an intrusion because they don’t really know the inner workings of your company. They prey on the weak or the poorly protected. They may choose you as a target almost at random.
The best way to become an unlikely target is to strengthen your cyber posture. The analogy is of the two hikers who encounter a bear coming towards them. As one begins to hike off, the other stops to put on his running shoes. The first hiker says, “What are you doing? We need to outrun that bear!” The second hiker says, “No, I only need to outrun you!”
Strengthening your defenses (or providing defense in depth) can make you a less desirable target (too much work relative to other targets) and therefore a less likely target.
Second, your company may unwittingly become a target because of the actions of your employees. Depending on what is permitted to be done while on the job, your company may become a target due to successful phishing, websites with embedded malware, or the installation and use of compromised software by your employees or contractors. These methods do not care that you’re supposed to be unlikely – they look for the careless. Good employee training and strong policies and practices can make this less likely but cannot remove the possibility.
Last of all, you may believe that your industry or what you make is not “interesting enough” to attract any attention. Maybe you operate a small municipal water treatment plant, or make small plastic parts, pencils, metal rods or other “cogs in the wheel.” Surely, operations such as these would be unlikely targets? Please re-read the first point and then consider what the company has that is of value that could be lost or compromised. Every manufacturing operation has something of value that could be lost, even if it is simply lost production. If it is of value, it can make you a target.
Following that line of reasoning, consider that risk is a combination of threat and consequences. You may believe you’re an unlikely target, but what is the value of your company, your process or your intellectual property? Even if you believe the likelihood is low, can you afford the consequences if the unlikely event occurs? ID Agent says 60 percent of companies go out of business within six months following a cyberattack. This is due to the long and lingering cost of recovery, the loss of revenue and the ongoing, irreparable reputation damage.
The conclusion is that you can make this myth a reality for your company if you work at it. Practicing defense in depth, having good designs and implementation, maintaining good training, policies and practices and having a strong cyber posture can reduce the risk of having to address a successful cyberattack on your manufacturing. You can become an unlikely target and outrun the bear.
The MESA Cybersecurity Working Group focuses on current topics at the intersection between cybersecurity and manufacturing systems. Stay tuned for more on these topics or reach out to our Working Group for expertise and valuable networking.
About the Author
Dirk Sweigart, CISSP, PMP (Applied Control Engineering, Inc.) is an MES Solutions Manager and Cybersecurity Expert at Applied Control Engineering, Inc. in Newark, DE. He has over thirty years of experience developing systems for process control, SCADA, MES and business applications with DuPont, INVISTA, Koch Industries and ACE. Dirk also teaches cybersecurity and SCADA at the Wilmington University graduate school. He is an information member of the ISA-95 Committee and a member of the MESA Cybersecurity Working Group. You can reach him at firstname.lastname@example.org.