Manufacturers face a significant challenge when it comes to cybersecurity. Along with the task of protecting internal network systems and trade secrets, IT professionals are also on the hook to develop defensible architecture for any Internet-enabled technology they develop and deploy. The result? Cybersecurity in manufacturing is often more fabrication than fact.
According to CA Veracode's recent "State of Software Security Report: Focus on Industry Verticals," this specific market vertical faces the largest number of flaws per megabyte of code — more than triple that of government agencies and tech companies. So how can manufacturers build more effective cybersecurity protocols?
The current state of manufacturing cybersecurity doesn't look promising. Consider the troubles faced by Fiat Chrysler Automobiles (FCA), which recently rolled out its Uconnect system in a host of familiar brands including Jeep, Chrysler and Dodge. According to We Live Security, FCA pushed ahead with the Uconnect rollout despite warnings from industry experts that the infotainment and connectivity hub came with significant security flaws. For example, a communications port was unintentionally left open, and radio firewall rules defaulted to allow communication with any external device. It's no wonder, then, that Chrysler is now carrying out the automotive industry's first cybersecurity recall.
Healthcare manufacturers face a similar problem. As noted by Bloomberg, the FDA recently advised that a line of drug pumps called Symbiq, created by Hospira Inc., should no longer be used since it's possible to hack into them through internal hospital networks, potentially risking patient lives. The problem with both cases lies in their assumption about human nature — one that hopes for the best without planning for the worst. Unfortunately, such optimism is rarely rewarded.
It's not all bad for cybersecurity in manufacturing. The CA Veracode report points out that when businesses in this vertical discover flaws, they act quickly to remedy the situation. In fact, 81 percent of detected flaws were fixed by manufacturing companies, compared to just 65 percent in financial services. This high number stems largely from the value these businesses place on supply chain controls for critical suppliers, but there's often an unintended side effect: Large-scale vulnerability programs with multiple categories often discourage vendor participation, in turn lowering overall security.
This dovetails with the biggest source of vulnerabilities in manufacturing, which is code quality. When partners and vendors believe that security standards are unreasonable or unattainable, the result is often slipshod code that passes basic testing but can't hold up over the long term.
So what's the solution for cybersecurity in manufacturing? The answer comes in two parts: simplicity and scope. First, companies must be able to effectively communicate security requirements to all third-party vendors, in addition to creating clear and concise internal policies. Second, flaw detection and remediation tools must be able to scan code at any stage of development and report back with critical findings. This lets companies sidestep costly mistakes, such as a seriously flawed product that is rolled out on a global stage and then quickly recalled when malicious actors gain a foothold.
Bottom line? The depth and breadth of a manufacturing supply chain infrastructure demand cloud-based tools that include not only on-the-fly testing, but also access to remediation coaching and other flaw-control techniques, which can help manage cybersecurity at scale.
Manufacturers are in a constant struggle to reach the market first with products that outperform the competition. As a result, it's easy for companies to value speed over security, placing long-term ROI at risk. Solving the problem requires organizations to take a new approach to building better barriers.