Why ‘Boring’ Data Backups Could Save Millions
Posted: Friday, Jun 13
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB. A serial entrepreneur, she co-founded the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity, including an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm MercSec. KBI.Media is an independent and agnostic global cyber security media company led by KB at the helm of the journalism division. As a Cybersecurity Investigative Journalist, KB hosts her flagship podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions in cyber budgets. KB asks hard questions and gets real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. As a Producer and Host of the streaming show 2Fa.tv, she sits down with experts to demystify the world of cybersecurity and provide genuine insight to business executives on the downstream impacts cybersecurity advancement and events have on our wider world.


Imran Husain, Global Chief Internet Information Security Officer at MillerKnoll, spoke about the often underestimated arena of manufacturing. Data backups may be boring, Husain warns, but ignoring them comes at a potentially large cost.

Manufacturing has long been viewed as slow to adopt new technologies. As Husain describes, for years the sector’s reliance on manual controls and isolated systems shielded it from many of today’s cyber threats. That all changed with the emergence of IoT, which put previously offline levers onto the internet for efficiency and cost savings. With connectivity, however, came vulnerability.

“Most did not forecast the types of threat attacks that could happen as a result of these open internet connections,” Husain recounts.

High-profile breaches, from Iran’s Stuxnet attack in 2010 to Norsk Hydro’s ransomware ordeal in 2019, proved that operational technology (OT) is not only a target but can be a company’s proverbial Achilles' heel.

While public perception might expect a cyber attack to tank a company’s value, the opposite happened for Norsk Hydro – their stock price actually went up. Husain attributes this to how the company responded.

“The key difference between one plant and another,” he says, “is resilience and recovery time, how fast their systems are restored.”

In this context, resilience means not just resisting an attack, but containing its ‘blast radius’ and quickly getting critical operations back up and running. This, Husain argues, is what truly protects a company’s reputation and bottom line.

It’s that simple, according to Husain: disciplined data backups, which are often overlooked in favour of flashier cybersecurity projects, are absolutely critical.

“Backing of data is rather boring… but that boring type of task has probably saved a lot of companies from the headache and from the loss, and not only just the loss here, but the public image.”

Why do companies neglect backups? Cost is a big factor, especially when dealing with legacy systems, on-prem servers, and enormous volumes of data, some of which may no longer even be needed. But forgetfulness and a lack of immediate payoff play a role too. It’s the classic ‘out of sight, out of mind’ problem, until ransomware hits and executives realise too late that the ‘basics’ have been ignored. The basics being backup and recovery.

As companies ramp up compliance with privacy and data retention laws, many are repositioning from the old ‘collect and keep everything’ mantra to a more strategic approach.

Husain admits it’s difficult, but hammering out what’s genuinely mission-critical is now part of the CISO’s job. So what do you do when your production line runs on 40-year-old technology, and upgrading isn’t an easy fix?

“You have to be creative,” Husain says, outlining approaches like network segmentation or API overlays to protect critical legacy systems without disrupting them.

He’s bullish on concepts like digital twins and the future role of AI and machine learning to bridge old and new, anticipating an eventual ‘new generation of manufacturing’ where these risks of the past are finally replaced or replicated in safer, smarter ways.

Perhaps the most significant trend on the horizon is the convergence of IT and OT, using modern information technology controls to secure operational technology. While this offers increased visibility and efficiency, it also opens up new attack surfaces. Hackers are already probing these bridges between the digital and physical attack paths.

Husain’s advice to peers is, “Be patient, this transformation takes time. Understand your operational topology before you slap on controls, always assess the risk, and implement changes step by step.”

Get your fundamentals right, because when…not if…a cyber attack comes, the difference between a headline-grabbing disaster and a survivable incident could hinge on that last, boring data backup.
