It’s one thing when ransomware can infiltrate a database and pull sensitive files at will. It’s a totally different predicament when it can seize control of a computer system used to manipulate a company’s machinery.
This was exactly the case when LockerGoga, a new breed of ransomware, was used to breach a Norwegian aluminum factory. The attack forced the plant to revert to manual operations and established dangerous new terrain for the world’s industrial sector.
With recent advancements in automation and the advent of the Industrial Internet of Things (IIoT), it’s not just large companies like Target, Home Depot, and Marriott that need to be concerned with cybersecurity breaches. American manufacturers also need to keep a wary eye on defenses and be prepared for a possible attack.
Legislative and Regulatory Action
The Ponemon Institute says that, as of 2018, the average cost of a data breach for a U.S. company sits at a monumental $3.86 million—and government at every level has taken note. Small to mid-sized U.S. businesses can be particularly vulnerable to cyberattacks; recent legislation has been enacted to stress the importance of business cybersecurity compliance.
The California Consumer Privacy Act of 2018 (CCPA), which came in the aftermath of the Cambridge Analytica breach involving Facebook, forces companies that handle personal data to disclose what types of information have been collected from individuals, as well as the purpose of the collection.
Designed to defend California citizens, the law gives the state’s attorney general the authority to enforce these privacy requirements and will have implications for any company with California consumers.
Another example from outside the United States is the General Data Protection Regulation (GDPR). GDPR establishes a common set of standards for data protection that, like the CCPA, gives citizens more control over their personal information.
All of these legislative updates can be found using NSCA’s StateTrack Map, which tracks key legislation in real time.
Further Policy Prescriptions
While it’s true that new regulatory policies will help protect mass amounts of data, small to mid-sized businesses will likely be hit hardest by regulations like CCPA and GDPR. Many simply don’t have the necessary resources to become compliant.
State and federal governments should also consider approaching legislative solutions from an incentive standpoint. This can come in the form of rewarding businesses that meet a certain compliance threshold by providing them with tax credits that can be applied back to their business. This would serve as an excellent incentive for maintaining cyber compliance.
For example, Ohio’s Data Protection Act, which went into effect in 2018, creates a safe harbor for companies that meet cybersecurity standards set by the state. Further, these types of regulations can also be broadened in scope to not only protect the data of consumers and the company itself, but also protect the safety of industry workers in the case of corrupted machinery.
Remaining Vigilant
The technological innovations being integrated into the industrial landscape are truly amazing. From artificial intelligence programming tools that use machine-learning algorithms to generate code to robotic process automation systems operating at light speed, these marvels will drive the American economy into a bright future.
Data has shown that, as of today, half of industrial control system networks have faced a cyberattack. Leaving vulnerabilities unattended can have disastrous effects not only on the victim company but also on the industry at large.
Presidents Barack Obama and Donald Trump have both deemed cyberattacks a “national emergency.” More can be done to incentivize compliance and help American businesses protect themselves and their consumers.
–alliantgroup and Chuck Wilson, NSCA Executive Director