Part 1 of this two-part series addresses cybersecurity risks for manufacturers, assessments and threat responses.
Cybersecurity coverage. Are you sure you’re insured?
Many manufacturers carry general business insurance, but one size does not fit all, and cybersecurity adds a new dimension that requires its own kind of coverage.
AHT Insurance specializes in providing insurance coverage for many industries, manufacturing included. Recently the company added cyber liability insurance to its offerings. Together with attorneys and cybersecurity firms, AHT can create customized insurance packages for manufacturers. And, again, it all starts with risk management: understanding the exposures and working with insurance carriers to create an effective program that may include business best practices, enhanced product safety and a safe working environment.
“From an insurance standpoint, when you pay premiums, part of the premium should always include some level of risk reduction,” says George Forrester, a principal at AHT Insurance.
In an effort to understand risk reduction, Forrester and his team studied the ANSI/PMMI B155.1-2016 safety standard for packaging and processing machinery. “Statistics show that more than 80 percent of industrial accidents on machinery were operator error, not a defect in manufacturing or design. We now make risk assessment a centerpiece of our product safety program to get the manufacturer to proactively demonstrate, when an incident occurs, the safety, design and manufacturing processes, which makes them more defensible,” he says.
About 18 months ago, when industrial cyber incidents were on the rise, AHT recognized that cybersecurity threats are not only about hackers stealing credit card or personal information; they also represent a safety threat for manufacturers.
“As a result of remote access you can have a product liability loss,” Forrester says. Through remote access, a security breach could unintentionally lock up equipment and cause downtime. For that reason, the industry should understand the difference between first-party and third-party insurance coverages. “First party is direct damage to your own property or business as a result of a cyber [incident]. And liability to a third party is the result of what you are doing, perhaps with remote access.”
Many manufacturers are now putting clauses into contracts that make their OEMs responsible for consequential loss and require them to have professional liability insurance. Soon, manufacturers may be demanding that their machine builders carry cybersecurity insurance, too.
AHT addresses the many faces of cybersecurity threats, which include business interruption and loss of income, as well as the potential for a product recall. Forrester’s mission is to educate his manufacturing clients on the legal requirements associated with a breach and the protection insurance can provide the company.
Forrester echoes Rooney and Coughlin (see Part 1) in stressing that an upfront breach assessment is an important first step, and worth the investment. “Way too many companies are still not putting enough effort into the assessment exercise,” Forrester says. “They are waiting, not on purpose, but they are going down the road—until a breach hits, and then the cost is exorbitant.”
Having cybersecurity insurance transfers the risk to a third party, the insurance carrier, which is increasingly important in a digital world.
Addressing remote access and network risk
To help manufacturers and OEMs prepare for the inevitable move to remote services for predictive maintenance on equipment at a customer site, the OpX Leadership Network is getting ready to release a remote equipment access selection guide that provides a baseline of connectivity options.
“The guide is there to help end users select the type of connection paradigm they can use to allow OEMs to connect into the machine that is on their factory floor,” says Bryan Griffen, PMMI’s Director of Industry Services.
The OpX selection guide offers six different options, from a simple dial-in modem up to a secure switch that is remotely managed by a third party. The guide also gives the general cost, complexity and security level of each option, but it is not meant to be a technical tutorial, Griffen says. “It is for the end users so that they can figure out how to let OEMs into their factory systems without the OEM having to be present at the factory to do any troubleshooting.”
Robotic arms and security
Another underestimated area of entry for bad actors is robot arms, which are often added to machines to enhance automation. But these robotic parts are not designed to be inherently protected from threats, says Nikolai Vargas, CTO of Switchfast Technologies, a Chicago-based IT managed service provider that serves as the IT department for small and medium-sized businesses that don’t have their own internal team. “The disconnect between legacy equipment and modern technology has created a security gap in many manufacturing facilities,” he says. “Since robotic arms aren’t compatible with firewalls, cyber attacks have evolved to target these weaknesses, effectively making any facility a highly enticing payday for criminals.”
Vargas says that Switchfast clients are provided with a core set of security best practices, with the overarching theme being “defense-in-depth,” a multi-layered approach that includes firewalls, anti-virus software and data encryption on the network for the systems that need to “talk” to each other. Part of the strategy is to create segmentation across the network to “shrink the attack surface so that it is easier to identify what is going on in each segment,” he says.
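The segmentation idea above (a robot cell that cannot be reached directly from the office network, and an OEM remote session that enters only through a dedicated maintenance segment) can be expressed as a small allowlist of permitted flows between segments; any flow outside the allowlist is the thing a defender wants to spot. The script below is an added illustration, not code from the article or from Switchfast: the three segments, their address ranges, the allowed flows and the sample flow records are all constructed for the example, and the record format (source, destination, destination port, protocol) is an assumed simplification of a firewall or NetFlow export.

```python
"""Added example: checking inter-segment flows against a segmentation allowlist.

Everything here is constructed for illustration: the segments, the address
ranges, the allowlist and the sample flow records are not from the article.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed segments; the ranges are illustrative, not a real site plan.
SEGMENTS = {
    "ot_robot_cell": ipaddress.ip_network("10.10.1.0/24"),   # robot controllers, PLCs
    "remote_maint": ipaddress.ip_network("10.10.9.0/24"),    # jump host used for OEM sessions
    "corp_it": ipaddress.ip_network("10.20.0.0/16"),         # office network, historian
}

# Allowlist of (source segment, destination segment, destination port, protocol).
# Anything crossing a segment boundary that is not listed here is denied.
ALLOWED_FLOWS = {
    ("remote_maint", "ot_robot_cell", 443, "tcp"),  # OEM session from the jump host, TLS
    ("ot_robot_cell", "corp_it", 4840, "tcp"),      # OPC UA telemetry out to a historian
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def segment_of(addr: str) -> Optional[str]:
    """Map an address to the constructed segment that contains it, if any."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason) for one flow record."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return "deny", "address outside every known segment"
    if src_seg == dst_seg:
        # Traffic inside one segment never crosses the segment firewall.
        return "allow", f"intra-segment traffic in {src_seg}"
    key = (src_seg, dst_seg, flow.dport, flow.proto.lower())
    if key in ALLOWED_FLOWS:
        return "allow", f"{src_seg} -> {dst_seg}:{flow.dport}/{flow.proto} is allowlisted"
    return "deny", f"{src_seg} -> {dst_seg}:{flow.dport}/{flow.proto} is not allowlisted"


def parse_flow_line(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' record."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto)


def find_violations(lines: list[str]) -> list[tuple[Flow, str]]:
    """Return every denied flow with the reason, in input order."""
    violations = []
    for line in lines:
        flow = parse_flow_line(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


# Constructed sample records in the assumed 'src dst dport proto' format.
SAMPLE_FLOWS = [
    "10.10.9.5 10.10.1.20 443 tcp",    # OEM jump host to robot controller: allowed
    "10.10.1.20 10.20.3.7 4840 tcp",   # robot cell to historian: allowed
    "10.20.3.7 10.10.1.20 502 tcp",    # office host straight into the robot cell: denied
    "10.10.1.20 10.10.1.21 80 tcp",    # inside the cell: allowed
    "203.0.113.9 10.10.1.20 22 tcp",   # address in no known segment: denied
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}: {reason}")
```

Run against the constructed records, the script flags the two flows that bypass the intended paths: a corporate host talking directly to the robot controller, and a source that belongs to no defined segment. The point of keeping the allowlist this small is the one Vargas makes: with few permitted paths, anything else that shows up in a segment's logs stands out immediately.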