
Data Privacy: Is Manufacturing Sector Vulnerable?

By Rahul Kamat

Added 31 May 2022

Every industry is vulnerable to cyber-attacks, be it the crypto industry, banking, healthcare, retail, manufacturing or even the government. Some industries have made sure all their data and networks are secure, while others are catching up, putting processes in place and ensuring safety. However, there is still ambiguity about how far these practices can be guaranteed to be safe. This is the first in a series of articles on the importance of data security and privacy in the manufacturing domain, and it focuses on best practices.

The manufacturing industry is a critical driver of a nation's economy and therefore, sees a fair bit of attention from cyber attackers. As the domain pivots to Industry 4.0 and adopts 5G, IoT, and more, enterprises have seen an uptick in attacks with a majority of them coming from the software supply chain. According to Gartner, 45 per cent of organisations worldwide will have experienced attacks on their software supply chains by 2025, a three-fold increase from 2021.

We are already seeing evidence of this trend in the manufacturing industry as cyber attackers are taking advantage of pre-existing security flaws from the supply chain network, infiltrating systems to spread malicious payloads throughout the organisation's software, and using exfiltrated data to launch ransomware attacks.

Such layered attacks, says Huzefa Motiwala, Director - Systems Engineering for India & SAARC, Palo Alto Networks, are leading to disruption and long downtimes for manufacturing companies, costing them millions of dollars over and above ransom payouts. What's more, growing enterprise IoT networks are further complicating this scenario. "As per Palo Alto Networks' Annual IoT Survey, 84 per cent of organisations in India saw an increase in the amount of non-business IoT devices connected to their business networks in 2021. This adds to an already extensive launchpad for cyber attackers to put their nefarious intentions into action."

Concerns about data security were raised in 2020, when organisations were forced to depend on remote workers due to pandemic restrictions. According to the 2021 Global Threat Intelligence Report (GTIR), data breaches have increased by 300 per cent within a year. From the manufacturing industry's standpoint, downtime adversely affects hundreds and perhaps thousands of workers, making downtime costs potentially catastrophic.

However, organisations are rapidly adopting the concepts of Industry 4.0. Data privacy can be strengthened by mandating compliance with standards and regulations such as ISO27001, CCPA and the Cyber security IoT act. "With the recent announcement by the Government of India on the emergence of the Data Protection Bill, India has taken a cautious approach to building a strong data privacy regime. However, there is an immediate need for creating awareness and educating digital users across sectors," feels Anupam Kulkarni, CEO & Director, iauro Systems Pvt. Ltd.

A lot of valuable information is stored within the Industrial Internet of Things. The digital transformation of the manufacturing industry requires a network of equipment, sensors and other devices that constantly collect and analyze data from production processes. This data will help improve cost-effectiveness and efficiency in the manufacturing industry. Systems that use machine learning (ML), artificial intelligence (AI) and other emerging technologies will help businesses consistently improve their overall productivity. However, this large volume of data becomes a target for competitors and hackers, thus creating a need for better data security.

"It is, therefore, paramount that manufacturers leverage a centralized, integrated Cyber Fusion Centre-based approach that encompasses not only their IT systems but also their Operational Technology (OT) systems that are critical to the manufacturing processes," said Akshat Jain, CTO & Co-founder, Cyware. "This would give them complete visibility and control over all the security risks that exist in their infrastructure and enable them to implement the right processes for strengthening their data privacy," Jain added.

M&A Deals And Data Security

Organisations must make cybersecurity a key focus throughout the entire M&A process. When conducting their due diligence pre-merger, emphasis should be laid on understanding how secure the target company's environment is and how it approaches security controls, behaviours, and practices. Once the M&A is under way, the focus should shift to include vigilance, because during this stage risks multiply due to open networks, external threats from competitors, increased attention from cyberattackers, and more. The environment needs to be secured during the integration process, and constant round-the-clock monitoring is essential to keep the organisation secure.

Finally, in the post-M&A stage, the focus must grow to include security, vigilance, and resilience. Even though the acquisition is now complete, and it is business as usual, IT teams must be on constant threat watch to ensure the security of company networks, data, and assets.

According to Sudip Pal, Business Head, Dev IT Group, data privacy regulations and mandatory breach disclosure laws have the potential to significantly impact post-merger valuations. With operations in transition, high-value data is often vulnerable. "Threat actors target short-term and long-term rewards. Chief Information Security Officers (CISOs) are key to protecting the assets and brand reputation of acquirers. CISOs should play a significant advisory role in all activities of the M&A lifecycle. More than one in three said they have experienced data breaches that can be attributed to merger integration," he added.

That said, Vijay Pravin Maharajan, Founder & CEO, bitsCrunch, thinks that it is always better to have privacy and data security as an integral part of decision-making. "Things get complicated when these data privacy and security & risk management are seen as separate technical or legal constraints."

According to Vishal Shah, Co-founder and CEO, Synersoft Technologies Pvt. Ltd, in M&A deals the level of cybersecurity practices and internal threat mitigation practices differs from one organisation to another. "If M&A happens for horizontal integration, more or less, the nature of liabilities will remain the same. The Idea-Vodafone merger can be a good example. If M&A happens for backward or forward integration, the nature of liabilities will be different. It needs careful analysis and a strategic perspective," he explains.

Best Practices

In this new age of the digital revolution, new risks emerge every hour of the day. Reputational and monetary risks are high if businesses don't have an appropriate cyber security plan. When creating a security management strategy, there are numerous best practices that businesses can consider to prevent incidents and be prepared for any cyber-attacks. A comprehensive cyber security program is the key to modern-day business survival.

To improve cybersecurity and data privacy, organisations are focusing on managing, automating, and prioritising their cybersecurity journey. One step an organisation must focus on is gaining total asset visibility, because you can't manage what can't be found. Utilising an automated platform to discover connected devices and software will enhance the visibility of overall assets and aid in data protection. To maximize user privacy while keeping corporate data secure, according to Liam Ryan, Vice President-Sales & Marketing APAC, Ivanti, businesses should implement a unified endpoint management (UEM) approach that fully supports all devices accessing their network. UEM architectures usually include the ability to establish device hygiene with risk-based patch management and mobile threat protection.

Subha Lakshmi, Product Marketing Manager, ManageEngine, draws up a five-point agenda for the industry:

  1. Only collect and store necessary information.
  2. Inform the customer beforehand about what data you collect.
  3. Don't store critical data like credit card or payment information without the consent of the user.
  4. Disclose security breaches to affected customers immediately.
  5. Perform internal and external audits to streamline processes and procedures and align security

"When it comes to medium to large brands in the Indian ecosystem we see a fair bit of maturity when it comes to ERPs and CRMs being used - in tandem with a data security architecture, policies and procedures. These are often led by the big international ERP providers who have led the awareness for security policies. So the awareness and the seriousness this topic is getting at the board room level is heartening," concluded Murali Balan, Co-Founder, Tenovia.

The Last Words

As per IBM's report on Cyber Security Intelligence Index, the manufacturing industry is one of the most frequently hacked industries. With the interrelatedness of smart factory technologies and Industry 4.0 adoption, cyber threats are among the most ubiquitous, as smart factory environments expose technology, people, physical processes, and intellectual property to these risks. However, there are a few critical elements of data security that help prevent any kind of data security incident: data privacy at rest, in movement and in use, data confidentiality, data anonymisation, data residency, data electronic discovery (e-discovery) and data lifecycle management.
