Manufacturers investing in Industry 4.0 need to budget for cybersecurity

Sept. 1, 2022
Sam Heiney, a VP for Impero Software, which makes software that provides remote access to equipment, stresses the importance of assessing risks, training staff.

By Bruce Geiselman 

Industry 4.0 systems can help manufacturers increase efficiency, reduce machinery downtime, and simplify maintenance and remote monitoring, but companies that embrace the new technologies must also budget for cybersecurity, said Sam Heiney, Impero Software’s VP of product. 

Impero Software markets a secure remote-access software product called Impero Connect, which allows companies and organizations to remotely access computers and equipment. It can allow direct access to equipment controllers on a manufacturing floor. While the software offers tremendous benefits, the company emphasizes that manufacturers adopting Industry 4.0 or Industrial Internet of Things (IIoT) technology need to address cybersecurity risks.

“Especially within the manufacturing space and when dealing with transitions to that Industry 4.0 philosophy or standard, cybersecurity really has to be top of mind,” Heiney said. “I don’t know that you hear a lot of software or hardware vendors say this out loud, but I really do think everyone should: Cybersecurity starts and ends with people. I want you to buy my product. I want you to go out and get new hardware and do what you need to do, but, ultimately, the process that you need to put in place has to really nail cybersecurity.”  

Start with risk assessments by a manufacturer or consultant. Frequent assessments need to look at the “risk landscape” for a particular facility or organization and for its interconnectedness with employees and vendors, Heiney said. The second step is monitoring what is happening within those different systems and processes, and the effects of any changes that are put in place. Monitoring can take place manually or automatically with software that monitors traffic into and out of computer systems, file changes and computer logs. Finally, manufacturers need to offer ongoing employee training. 

The federal government's Cybersecurity & Infrastructure Security Agency (CISA) can help businesses learn more about cybersecurity threats.

“When I talk about cybersecurity starting and ending with people, it’s about assessment, monitoring and training, and if your people aren’t trained on the equipment they’re using or on the new policy that you’ve implemented or the new process that CISA has rolled out, then all of your work kind of falls apart,” Heiney said.  

Manufacturers need to stay on top of the changing nature of cybersecurity risks, he said. 

With IIoT technology, such as new sensors, automation equipment and connections to the internet, come additional cybersecurity risks.  

“Most cybersecurity professionals talk about that as the attack surface,” Heiney said. “It used to be pretty small. It was self-contained.” 

But as more data flows into and out of a network, the attack surface grows and “your ability to defend and protect and secure that surface also needs to grow and adapt.” 

“As you transition to this Industry 4.0, this dramatically interconnected set of networks, the attack surface for your organization — for your equipment, for your people, for your data, for your intellectual property — that attack surface just grows and grows and grows,” Heiney said.  

If a manufacturer doesn’t have the necessary skillset, and doesn’t have the resources to hire a full-time cybersecurity professional, it should invest in consultants or auditors, he said.  

Some small manufacturers may opt out of Industry 4.0 technology to avoid the expense of hiring cybersecurity professionals, but Heiney questioned whether that is a viable long-term solution. 

“The answer is yes and no,” Heiney said. “It’s reasonable for now, but if all your competition suddenly gets 15- to 20-percent efficiency gains [from Industry 4.0 technology], how long are you going to compete?” 

If the competition adopts Industry 4.0 technology and “the promised value actually materializes, then the people who aren’t doing that are going to get left behind, and we’re already seeing that,” he said.  

The bottom line, according to Heiney, is that when budgeting for Industry 4.0, a company also needs to budget for cybersecurity. 

“If you're going to invest in automation and in Industry 4.0, if you're going to bring in sensors and vendors and new pieces of equipment that communicate with the internet, you also need to make an investment in the professionals that know how to protect it,” Heiney said. 

Contact: 

Cybersecurity & Infrastructure Security Agency, 888-282-0870, www.cisa.gov

Impero Solutions Inc., Portland, Ore., 844-346-7376, www.imperosoftware.com/us 

About the Author

Bruce Geiselman

Senior Staff Reporter Bruce Geiselman covers extrusion, blow molding, additive manufacturing, automation and end markets including automotive and packaging. He also writes features, including In Other Words and Problem Solved, for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. He has extensive experience in daily and magazine journalism.