As manufacturers dash headlong into smart factory initiatives, the number of IoT devices operating in factories, warehouses, and across supply chain infrastructure is exploding. Manufacturers seek to utilize IoT in a range of places, be it video camera inspection devices on the assembly line, temperature sensors on refrigeration units, or maintenance telemetry sensors on factory equipment. But as they seek to reap tremendous business gains from smart devices in industrial IoT, they also must balance that upside with the potential risks that IoT is increasingly introducing to manufacturing environments.
New cyber challenges are arising in the face of this explosion of IoT in manufacturing. They require organizations in this sector to design modern security architecture that can meet them head on.
Smart manufacturing and the rise in IoT
The consensus across recent industry studies shows that manufacturers are making big bets on smart manufacturing and IoT as the lynchpins to their success in the coming years.
According to Deloitte’s 2022 Manufacturing Industry Outlook, some 45% of manufacturing executives expect increases in operational efficiency from investments in IoT that connects machines and automates processes. Meantime, the State of Smart Manufacturing report published earlier this spring by Plex found that 83% of manufacturers say that smart manufacturing is a key to their organization’s future success. Smart devices and IIoT are among the most used projects to bring smart manufacturing to fruition. Some 49% of organizations have already deployed smart devices and 45% have put IIoT into production, with another 35% and 36%, respectively, planning to use these technologies.
This is rapidly pushing a lot of manufacturing compute out to the edge. AT&T’s own recent analysis in partnership with IDC for the AT&T Cybersecurity Insights Report: Securing the Edge-A Focus on Manufacturing study found that the manufacturing vertical is one of the furthest along in implementing edge use cases. The report reveals that 78% of manufacturers globally are planning, have partially, or have fully implemented an edge use case—that’s ahead of energy, finance, and healthcare industry organizations.
This kind of progress noted by the report is in sync with other industry studies watching the progress of digital transformation in manufacturing. For example, a recent study by Palo Alto Networks says the demand for secure remote access in manufacturing is rapidly outstripping other industries.
Amid many cited edge use cases such as smart warehousing, remote operations, and augmented maintenance, video-based inspection was the number one edge priority cited by manufacturing respondents to the AT&T Cybersecurity Insights Report . This is a prime example of how IoT is being leveraged to improve efficiency, quality and speed on factory floor, while helping manufacturers also overcome workforce challenges.
Unpatchable IoT devices raises manufacturing risk profile
Video-based inspection also provides an excellent example of how IoT devices can at the same time potentially increase cyber risk in manufacturing environments. In use cases like this one, IoT devices such as cameras are increasingly connected to OT networks and devices on the manufacturing shop floor. Simultaneously, they’re also opening up access outside the manufacturing environment for employees to remotely do their work. This is the same for the augmented maintenance use cases, which was named the number-two most common edge priority in manufacturing. This increased connectivity opens up a larger threat surface in manufacturing environments.
At the same time, many IoT devices are installed once and then infrequently or never patched again. Sometimes devices are so simplistic and unidirectional in data flow that it may be difficult to update their software remotely. Other times—as is frequently the case in the IoT camera world—device manufacturers simply don’t provide much support in updating vulnerable software. And in still more cases, they may have been installed together as a package deal with very sensitive industrial machinery that may have infinitesimally low tolerances for downtime and nearly non-existent maintenance windows for conducting patches.
These are all likely big contributors to why only 29% of manufacturing respondents to the AT&T Insights Report said they planned to use patching as a security control to help protect components in their edge use cases.
Without frequent patching, these devices are potentially big threat vectors for compromise.
“That becomes a problem for manufacturers,” says Theresa Lanowitz, head of evangelism for AT&T Cybersecurity. “It allows a hacker to potentially come into your system, move laterally and essentially go on a virtual shopping trip for pretty much anything they want inside of the network.”
This is a challenge for manufacturers who until not all that recently have primarily been used to devices and IT assets mostly running locally, says Dharminder Debisarun, Chief Solutions Architect for Operational Technology and Critical Infrastructure for Palo Alto Networks. Many manufacturing networks are not architected in a way that’s hardened for an attack chain that spreads laterally from an internal device.
“I’ve met with some customers where they spent millions on pilot programs for IoT and they realize, ‘Hmm, you know what, let's not do this yet because we actually have a very open production environment, where if our IoT devices got compromised it would literally spread across the factory floor and cause massive issues in terms of production uptime," he explains.
This is likely why the AT&T Insights Report shows that the number one cyber attack concern for manufacturers against edge use cases is attacks against the user and endpoint devices—a worry cited by 71% of respondents. In the manufacturing setting, this worry is further complicated by the fact that unlike in IT-only environments the ‘endpoint’ includes a wide range of IoT devices and operational technology.
SASE and Zero Trust create a security strategy for Manufacturing
According to Palo Alto’s Debisarun and AT&T’s Lanowitz, two very effective strategies that enable manufacturers to overcome the growing challenges of IoT in their environments, securing the growing remote OT access use case are the use of more effective Zero Trust Architectures and compensating controls for unpatched and unpatchable legacy systems which are vulnerable yet need to coexist with the protected systems.
Across the board, manufacturers are moving to a more modernized network with unified security. Survey results show they need to deliver positive digital experiences not only to their customers but also the employees on and off the shop floor. One of the key ways that leading manufacturers are securely meeting this demand is through the use of Secure Access Service Edge (SASE) architecture and Zero Trust methodologies. SASE and Zero Trust enable a network design that can securely enable innovative edge use cases in the factory and beyond. SASE and Zero Trust Network Access (ZTNA) provides manufacturers a rapid means to secure the IoT edge and maintain flexibility of connectivity between manufacturing facilities and cloud infrastructure. The SASE model enables to rapidly authenticate users, identify and mitigate potential security threats, and fully inspect content. It also make it possible to consistently apply and enforce security policies across the entire networks against vulnerabilities introduced by a threat surface expanded through increasing use of IoT. For example, SASE can help compensate for the added risk of vulnerable, unpatched devices.
Of course, IoT use cases like video-based inspections is just one of many security use cases that SASE helps manufacturers address as they advance toward.
For more information, check out the AT&T Cybersecurity Insights Report Focus on Manufacturing.