Industrial 4.0 and the Cyber Security Challenge
Industry 4.0 is the transition towards the end-to-end digitalisation of all physical assets within a manufacturing environment and along the value chain, driven by advances in analytics, cloud and cognitive computing, communications (e.g.5G) and sensor technology. The Internet of Things is a key component of Industry 4.0. With computers, devices and machines on the factory floor and along the supply chain being interconnected, interactive and responsive, sharing information with one another and human beings, they constantly capture, exchange and analyse data, deriving valuable insights that enable smarter and faster decisions at the operational and commercial level, promoting greater efficiency and profitability. However, while this transition to a more interconnected and intelligent manufacturing environment will deliver significant benefits, it also adds to the complexity and degree of cyber threats already faced by businesses.
The background to industrial cyber attacks
Industrial cyber attackers and the agendas that drive them vary; attackers may be opportunistic hackers, disgruntled employees (IBM estimates that 60% of all attackers in 2015 were insiders1), aggressive competitors or state sponsored disruptors. These attackers may seek to extract sensitive corporate information or IP, disrupt or alter manufacturing processes, or corrupt manufacturing data. The impact of these attacks can be severe and far reaching. Not only can they disrupt an organisation's operations, and hence profitability, but they can cause less obvious problems like environmental damage, physical damage to equipment, and health and safety issues alongside more obvious issues such as customer loss, litigation and reputational damage.
The disparate and proprietary nature of operational technology networks has meant that some segments cannot be monitored via traditional IT network and cybersecurity tools. This was sufficient in the past when operational networks connected devices and systems via proprietary protocols, formal descriptions of digital message formats and rules. The nature of these protocols isolated operational networks, making them inaccessible to external parties and consequently allowing them to defend against cyber threats. However, this natural defence mechanism was eroded with the emergence of the internet, subsequent adoption of internet protocol (IP) based communication and the cloud.
The lack of security measures employed by industrial control systems has been an enabler of cyber crime. The absence of authentication or encryption in control systems has meant that after breaching networks, attackers have been able to gain unrestricted access to all controllers (the industrial computers that manage production processes) and have altered the configuration of controllers to disrupt processes.
A recent history of cyber attacks
While industrial cyber attacks are not a new phenomenon, the topic only really gained momentum after the infamous Stuxnet attack. Stuxnet was the attack of an Iranian nuclear enrichment facility by malware in late 2007. Allegedly, the Stuxnet malware was introduced to the facility's production network via a flash drive before compromising the facility's programmable logic controllers. The malware is said to have collected information on industrial systems and damaged one fifth of the nuclear centrifuges by causing them to spin out of control. It was reported by some that the attack was conducted by Israel and the United States. However, the source of the attack has never been officially confirmed.2
Another notable attack took place in December 2014. The German federal agency for digital security reported that a German steel plant suffered a cyber attack. The specific location and date was not disclosed, and the attackers and their agenda are unknown. The attackers are assumed to have used phishing to first penetrate the enterprise network before compromising the production management software, acquiring control of the plant's systems and causing significant physical damage. For instance, one of the plant's furnaces was prevented from shutting down, causing significant damage to the infrastructure. Were this type of attack to happen in the future, in a fully interconnected industry 4.0 setting, it could spread to the entire supply chain, potentially causing millions of dollars' worth of damage.2
More recently, car makers Nissan and Renault were the targets of the global WannaCry ransomware attack that took place in May 2017, which affected more than 200,000 systems across 150 countries, including those of the UK's National Health Service. The attack disrupted production in Nissan's Sutherland factory and halted or reduced production of at least five Renault sites. The attackers are thought to have exploited vulnerabilities in the Microsoft Windows operating system, and after infecting the system, the ransomware encrypted hard drives, preventing users from accessing their files, before demanding a ransom to decrypt them.3
Shortly after WannaCry, the NotPetya ransomware attack targeted Ukraine in June 2017. Organisations with strong trade links with Ukraine, such as Maersk, the shipping giant; Merck, the major pharmaceutical company; and Reckitt Benckiser, the international consumer goods company, were all affected. The attack is estimated to have cost companies more than $1.2B.4
According to IBM, the manufacturing industry was the second most attacked industry in 2015, with the automotive and chemical industries at the receiving end of most of the attacks.1 More recently, Siemens estimates that cyber threats in 2017 caused over €500 B in damage and that for certain European countries the damage amounted to 1.6% of their GDP.5
Industry strikes back
Reports on the cost of cyber attacks and the growing interest in the Industrial Internet of Things (IIOT) have driven increased awareness of the threat, to the extent that McKinsey6 recently reported that the biggest deterrents to the adoption of Industry 4.0 technologies in Germany are concerns around data security and the ability to safe guard systems. In response to these concerns, the Industrial Internet Consortium (IIC), an open membership organisation that brings together government, academia and industry, is coordinating a response to the threat. The IIC was formed in 2014 by the likes of AT&T, Cisco Systems, General Electric, IBM and Intel and has since developed the Industrial Internet Security Framework (IISF), which endeavours to "drive consensus in the industry, promote IIOT security best practice and accelerate its adoption".7 Similarly, Siemens is collaborating with eight other organisations, including OEMs Airbus, Allianz, Daimler, Deutsche Telekom and IBM to develope the "Charter of Trust," which seeks to promote collaboration between corporate entities and policy makers and advocates ten principles intended to enhance cyber security in an increasingly digitalised industrial environment.5
This increasing prioritisation of cyber security by OEMs on both the supply and demand side has led market analysts to anticipate strong growth in the enterprise cyber security market. For instance, the security market for industrial controllers is estimated to grow from $9B in 2016 to~$13B by 2021.5 While cyber-attacks are an increasing concern in an Industry 4.0 world, clearly steps are being taken to better understand and minimise cyber threats. As an investor in lower mid-market businesses, we welcome collaboration from the industry giants to drive technology standards and enable businesses across the spectrum to invest in digitising their production and supply chain infrastructure with confidence. Increasing confidence in cyber security solutions allied to IoT technologies is likely to enable real growth in adoption and make for an attractive investment environment in industrials.
Baird Capital's investment approach
At Baird , we are seeking to make investments in high quality businesses that are benefiting from the growth in industrial automation. With our global capabilities and deep sector experience, we believe that we are uniquely positioned to help differentiated and growing companies in the sector, particularly those with international ambitions. If you would like to discuss investment opportunities in relation to any industrial technology business with strong secular drivers and international growth aspirations, please contact any of the team members listed.
2Schneider Electric – https://www.schneider-electric.co.uk/en/work/insights/industrial-automation-systems-cybersecurity.jsp
3CSO – https://www.csoonline.com/
4Reuters – https://www.reuters.com/article/us-merck-co-results/merck-says-cyber-attack-halted-production-will-hurt-profits-idUSKBN1AD1AO
5Siemens – https://www.siemens.com/press/pool/de/feature/2018/corporate/2018-02-cybersecurity/factsheet-charter-of-trust-e.pdf
6McKinsey – https://www.mckinsey.de/files/mck_industry_40_report.pdf
7Industrial Internet Consortium – http://www.iiconsortium.org/IISF-faq.htm