Though the manufacturing sector does not attract the sheer volume of total cyberattacks as other areas of the economy, research has shown that coordinated cyber espionage targets manufacturing more than any other sector.1For this reason, ISACA and the Digital Manufacturing and Design Innovation Institute (DMDII) recently partnered to conduct a survey that explored the cybersecurity challenges faced by the global manufacturing industry. Survey findings showed that manufacturers still face security concerns, including those related to Internet of Things (IoT)-integrated devices and employee error, and that they continue to struggle with finding skilled cybersecurity staff and may be underspending on security training.
This survey, conducted in August 2018, captured responses from 167 participants from across ISACA, DMDII and Manufacturing Extension Partnership stakeholders. Where possible, these findings were compared against ISACA’s 2018 State of Cybersecurity and 2018 Cybersecurity Culture research findings for all industries. This outreach was meant to take an early pulse of manufacturing cybersecurity with a smaller sample size, with plans to expand this research with a larger-scale survey in the future.
“Three-quarters of U.S. manufacturing firms have fewer than 20 employees and 98 percent have fewer than 500. To shore up the resiliency of the U.S. supply chain, reaching small manufacturers is essential, and understanding their needs and capabilities is a crucial initial step,” says Kevin McDunn, Chief Product Officer of DMDII. “This survey begins this important work that will lead to the type of accessible, low-cost tools and training opportunities that DMDII can develop and get into the hands of these manufacturers.”
Survey results revealed some areas of strength related to the manufacturing industry’s approach to cybersecurity when compared against all industries:
- 78 percent of manufacturing organizations have a formal process for dealing with cybersecurity incidents, and 68 percent have one for ransomware attacks.
- 77 percent expressed confidence in their security team’s abilities to detect and respond to advanced persistent threats (APTs).
- 34 percent noted they were experiencing more cybersecurity attacks today than a year ago, compared to 62 percent across all industries from ISACA’s 2018 State of Cybersecurity survey.
- 74 percent indicated they believed their organization’s cybersecurity training budgets would either increase or at least be maintained at current levels; only 4 percent anticipated a decrease in the coming year.
Despite these positive data points, the survey results also revealed areas where the industry still needs to make progress:
- 75 percent of manufacturing organizations have a program in place to promote cybersecurity awareness among their employees, but only 37 percent believe that their programs are very to completely effective.
- 47 percent of manufacturing organizations are spending less than US $1,000 on average each year on continuing education opportunities for their staff—versus 25 percent in other industries—and nearly 1 in 10 reported that their enterprises spent nothing on average each year on these educational opportunities.
- 81 percent of manufacturing organizationsare somewhat to very concernedabout the potential cybersecurity risks with personal, internet-connected devices. 58 percent don’t allow those devices to connect to the corporate network and 72 percent don’t allow those devices to connect to the corporate network on the manufacturing floor.
- Finding skilled cyber-staff remains challenging; a 1.8 million worker shortage is anticipated by 2022. Respondents indicated it takes an average of five months to fill open positions and 61 percent of hiring managers said less than half of applicants are qualified.
“Though the manufacturing industry has made great strides in addressing security issues, this research illustrates the need for organizations to elevate cybersecurity as a priority to build the foundation of its cybersecurity culture, better secure their operations, and strengthen the global digital economic ecosystem,” says Frank Downs, Director of Cybersecurity Practices at ISACA. “Partnerships and information sharing, like ISACA’s collaboration with DMDII on this study, are becoming increasingly key to accomplishing these goals.”
To read ISACA and CMMI’s 2018 Cybersecurity Culture Report and related executive summary, infographic and blog posts, visit www.isaca.org/cybersecurity-culture-study. ISACA’s State of Cybersecurity report and related blog post, resources and infographic can be found at https://cybersecurity.isaca.org/state-of-cybersecurity.
Now in its 50th anniversary year, ISACA® (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by information and technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its 460,000 engaged professionals—including its 140,000 members—in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI® Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 220 chapters worldwide and offices in both the United States and China.
The Digital Manufacturing and Design Innovation Institute is where innovative manufacturers go to forge their futures. In partnership with UI LABS and the Department of Defense, DMDII equips U.S. factories with the digital tools and expertise they need to begin building every part better than the last. As a result, its more than 300 partners increase their productivity and win more business. DMDII has invested approximately $90 million in more than 60 applied research and development projects in areas including design; product development; systems engineering; future factories; agile, resilient supply chains; and cybersecurity.
1 2017 Verizon Data Breach Investigations Report