
AMTIL FORUMS

Cyber threats and “double-extortion” in the manufacturing sector

In recent times, ransomware has become an alarming threat across the globe. Like many other industries, the manufacturing industry is also a major target of cybercriminals, as explained by Scott Mathrick.

According to a November 2020 report by security company Dragos, the number of ransomware attacks in the manufacturing industry tripled during the year. Although a large part of the manufacturing industry relies on information technology, it also relies heavily on Industrial Control Systems for the mass production of goods. This is the area that cyber criminals actively seek to target.

With the recent ransomware attack on one of the largest oil pipelines in the US, many gas stations had no choice but to shut down, causing national gas prices on average to rise above $3. To resolve the matter, Colonial Pipeline had to pay a $5m ransom within a few hours. Although CNN and Reuters had earlier reported the opposite, the ransom payment was later confirmed by the Wall Street Journal. This news is worrisome, since the success of a large-scale ransomware attack can encourage hackers to launch future attacks.

In the manufacturing supply chain in particular, if one element is affected by a cyberattack, it can lead to a chain of consequences. For instance, if a manufacturing facility producing medicines or health products is hit by ransomware, it can have a negative impact on the whole healthcare sector.

In another recent incident, the world’s largest meat processing company, JBS, was targeted by a well-planned ransomware attack, where computer networks were hacked and operations were shut down across Australia, US and Canada. JBS has 47 facilities in Australia. It has the largest production facility network in the country. Though operations were restored, the incident raises a very important question about preparedness against cyber attacks in the manufacturing industry.

Threat researcher John Hultquist of security company FireEye says, "The supply chains, logistics, and transportation that keep our society moving are especially vulnerable to ransomware, where attacks on choke points can have outsized effects and encourage hasty payments."

Double-extortion ransomware attacks

According to a report by the research team at ThreatLabZ in May 2021, companies in the manufacturing industry are the biggest targets of double-extortion ransomware attacks. In a double-extortion attack, criminals steal data alongside encrypting it. ThreatLabZ indicates that 12.7% of the companies affected by double-extortion attacks worked in the manufacturing sector, followed by the services, transport, technology, and retail industries. In another report, the 2021 Global Threat Intelligence Report by NTT, the manufacturing industry saw a 300% increase in worldwide cyber attacks.

Why are hackers targeting manufacturers?

The industry makes a profitable target for cybercriminals, particularly because it involves operations that cannot be kept out of action for long periods. Hence, the affected organisation tends to give in easily to the demands of the attackers and pay huge amounts as ransom, mostly in the form of cryptocurrency. Another reason for the quick response is that the losses a company can incur as a result of downtime are sometimes greater than the ransom amount. Hence, manufacturers may be more inclined towards paying the attackers.

What makes this even more attractive to cyber criminals is the fact that the industry does not primarily focus on cybersecurity operations, which makes it an easy and profitable target for hackers. Due to the nature of manufacturing processes, networking and industrial assets are often exposed to the internet. This gives cyber gangs opportunities to access the network remotely via technologies such as VPN and Remote Desktop Protocol (RDP), or unpatched vulnerabilities in a system.

How can manufacturers adopt a secure approach?

Considering the statistics of increased attacks, it is not too late for industrial manufacturers to take the necessary steps against future attacks. For this, we need to adopt three basic measures:

1. Adopting a Cybersecurity framework

By adopting best cybersecurity practices and complying with standards, manufacturers can control their production and reputation. Manufacturers can follow any of the cybersecurity frameworks such as NIST, IEC 62443, or NIS. These frameworks provide best practices to facilitate security by keeping all manufacturing processes in line, covering areas such as inventory asset management and threat identification.

2. Improving network and operational visibility

Your IT team must be kept up to date on your inventory. If they are not aware of the exact number of devices on the network, it’s not possible to provide better resiliency. When all the assets on the network are correctly identified, this provides real-time visibility of all the devices, their communication, connections, and protocols. This allows for continuous monitoring and troubleshooting of issues, since system deviation often indicates network attacks.

3. Integrating IT and OT Network Security

Operational Technology helps meet production targets while Information Technology addresses networking and cybersecurity issues. By integrating IT and OT, operations can become more resilient by reducing security risks around tightly connected Industrial Control Systems.

Preparing for an attack

Apart from taking steps to decrease the likelihood of an attack, manufacturers also need to be prepared for the time an actual attack occurs. For a company in the manufacturing industry, a ransomware incident response plan should answer these questions:

• How much downtime is acceptable and what impact will downtime have on operations?
• What are the available resources for investigating and mitigating a threat after it has already occurred?
• What is the insurance coverage to help deal with the impact of a ransomware attack, including the payment and operational interruption?

If you have any enquiries on how to protect your business from a cyber threat, please contact: Kaine Mathrick Tech T: 1300 174 391 E: info@kmtech.com.au W: www.kmtech.com.au

Employer receives jail time for workplace death

A company director in Western Australia has received the longest jail sentence in Australia for a Workplace Health & Safety (WHS) violation following gross negligence which led to a worker’s death. Kate Neilson explains.

The Director of MT Sheds in WA has become the first employer to be sentenced to jail for a workplace health and safety incident under WA’s workplace health and safety laws. The term of imprisonment of two years and two months is the longest term of imprisonment ever imposed for a work safety and health offence in Australia. The Director was convicted after pleading guilty to a charge of gross negligence that resulted in the death of a 25-year-old worker, and seriously injured another, in March 2020.

In October 2018, the WA government bolstered its occupational safety and health laws. Under these laws, MT Sheds faced a maximum penalty of $2.7m and the Director faced a maximum penalty of a term of imprisonment for five years. In May the Esperance Magistrates Court made a first-of-its-kind decision in sentencing the Director to two years and two months in jail. He has to serve the first eight months immediately – the remaining sentence is suspended for 12 months. He will be eligible for parole at the four-month mark. His company has been fined $605,000 for safety breaches and the Director has also been instructed to pay a personal fine of $2,350 for operating a crane without a licence.

According to Worksafe WA Commissioner Darren Kavanagh, this penalty should act as a “significant deterrent” and be a “moment of awakening” for employers who don’t prioritise health and safety.

What happened?

In March last year, two workers were installing a roof on a building near Esperance, WA. A strong wind picked up and a roofing sheet came loose, knocking both workers off the roof. One fell 9m to the ground, resulting in his death. The other fell 7m, resulting in serious injuries.

Why is the Director liable?

He wasn’t on the roof. He didn’t loosen the roofing sheet. He didn’t summon the strong winds. But he didn’t do everything reasonably practicable to ensure the workers were not exposed to harm due to the hazard of working at heights. Neither the employees nor the Director held the relevant high risk work licences to operate the mobile plant, and the worker who died didn’t hold a construction induction training certificate.

As WHS Lawyer Sue Bottrell puts it, this work was MT Sheds’ “bread and butter”. This, paired with the lack of licensing, was likely the reason behind the substantial sentence. Bottrell notes that a lack of licensing can be administratively difficult to track and “employers probably rely on employees to update their licence ... It’s not administered properly; their licences expire and they just don’t get them renewed, and no one is checking. Eight months is no small stint. This man’s life is ruined. He won’t be able to be a Director of a company again and he’ll have a criminal record. His life is absolutely ruined, as is the family of the boy.”

Bottrell isn’t out to demonise MT Sheds. She understands there are often other factors at play. However, there are also well-known actions to control risk when working at heights. “There are easy [preventative] measures available: roof perimeter protection, edge protection, travel restraints etc. There’s also a code of practice for working at heights.”

How will the states and territories respond?

Five Australian states and territories (ACT, QLD, NT, WA and VIC) have passed industrial manslaughter legislation, and a bill was introduced in the SA parliament in 2019 which is yet to be passed. Tasmania is the only state with no legislation. In WA, new industrial manslaughter legislation was introduced in November 2020 as part of the WHS Act 2020 (WA), but this has not commenced operation. Under the industrial manslaughter provisions, company officers will face up to 20 years in jail and $5m fines when safety breaches in circumstances of gross negligence result in the death of a worker. Companies will face fines of up to $10m.

These instances aren’t isolated to the construction industry. Any workplace death that could have been prevented will be examined under the same legislation. So how can you protect your business? Keep the following things in mind, says Bottrell:

• Do a risk assessment. Ensure you have processes in place to mitigate that risk.
• This legislation is targeted at people who own and run companies, not frontline workers. However, everyone has a duty of care to ensure workplaces are safe.
• Each state regulator offers support, information and free advice. In Victoria there’s a free resource called ‘OHS essentials program’ offered by WorkSafe Victoria.
• There are safety professionals through the Australian Institute of Health and Safety who offer advice.
• When you see a lawyer, make sure they have a strong background in health and safety.

The Australian Human Resource Institute (AHRI) is the national association representing human resource and people management professionals, with more than 20,000 members from Australia and around the world. It provides HR certification; formal education and training services in HR, people management and business skills and holds conferences, seminars and networking opportunities. Kate Neilson is the editor of HRM magazine and HRM Online, the publications of the Australian HR Institute. A version of this article was first published on HRMOnline. www.ahri.com.au Full article here: www.hrmonline.com.au/hr/section/legal

Manufacturing: An opportunity through international expansion

The importance and the challenges of supply-chain diversification in the post-COVID world are explained in this article by Altios.

The manufacturing sector has been one of the industries most impacted during the ongoing COVID-19 global outbreaks. However, as the world recovers from the pandemic’s effect and the global economy improves, sectors including manufacturing have regained resilience and have begun to invest in third-party solutions. Whilst improvements have been witnessed in the global manufacturing industry, in comparison to other industries which have equally been impacted, it is important to note that continuous development and persistence are required for manufacturing to fully recover and to move forward.

The Australian manufacturing industry in 2020 contributed around $100bn to Australian GDP annually* (7.69%). It also subsidised 26.4% of business expenditure on research and development (R&D). To say the least, the manufacturing industry is an important sector within the Australian economy.

On a global scale, manufacturing is often attributed to Asian countries, specifically China. In fact, China has been labelled as the world’s factory. With the recent rise of economic tensions and negative relationships between Australia and China, a shift in the manufacturing trade focus from Australia is imminent (less reliance on China and more domestic manufacturing).

Diversification of supply chains has been recognised as a major trend and opportunity for manufacturing in the (post) COVID-19 era. Amongst other changes and the impact of globalisation, it is essential for Australian companies to recognise the potential of internationalisation. This includes diversifying your supply chain to optimise your business and operations. Nevertheless, internationalisation brings forward a myriad of challenges prior to deriving exponential benefits, amongst them cultural and communication differences, choices of partner, and trade war effects.

Trade war effects

The relationship between Australia and China was once very positive and businesses from both countries were able to generate profit from a variety of benefits. China represents more than 40% of Australian exports. However, since late 2019/early 2020, the relationship between the two countries has deteriorated for political reasons. For some crucial industries like iron ore, where China is still dependent on Australian supplies, business still goes on. From businesses struggling to get access to their Chinese partners due to travel restrictions, to the trade war generating tax and trade barriers, Australian businesses have faced one too many struggles. Needless to say, the Australian Government has advocated for a change and a reduction of reliance on China. This advice was followed by Australian enterprises, as well as other countries, which used to rely heavily on China as a primary source for manufacturing activities.

Cultural and communication differences

Cultural and communication issues often occur between partners in different countries due to language barriers. Languages can vary from place to place and words themselves can have different meanings. This often leads to messages being “lost in translation”. Additionally, problems can also arise from managerial power distance between countries. For instance, business etiquette and business methodologies can diverge between East and West, leading to unsatisfactory results. Misunderstandings and unfulfilled expectations are often the results of cultural and communication difficulties.

Choosing the right partner

The success of overseas manufacturing involves a combination of management and experience. Partners with the right skillset and experience can fast-track businesses’ supply chains. Hence, it is important to align your goals and find the right synergies with your current or future business partner. Furthermore, finding the right partner is not the only step to successful market growth. Building and nurturing local relationships is another significant factor contributing to successful overseas manufacturing in the long term. Thus, prospection missions and qualifying potential partnering companies are essential.

The solution

Whilst there is no one-size-fits-all solution for all the problems mentioned above, Australian companies still have a few options to overcome them.

Option 1: As the COVID-19 pandemic continues and limitations on travel remain, it would be optimal for companies to employ a locally-based representative on their chosen market ground. Having an agent with market expertise, qualified to manage your business operations in the country where the manufacturing is located, could be a remedy to travel restrictions. Not only would this representative be the company’s one point of contact to grow the local network and opportunities, they would also conduct business as the company’s on-ground representative.

Option 2: In order to build resilience and gain competitive advantage, businesses would benefit from investing in new manufacturing partners. South-East Asia (especially Vietnam and Malaysia) has been labelled as the New China, and its member countries have started to open their doors to foreign companies, including those from Australia. Hence conducting an in-depth search of partners or investing in a strategic export roadmap could be a profitable way to seek new manufacturing partners with attractive prices.

ALTIOS International is a Global Business Development Firm focused on helping small to medium companies grow through international expansion and cross-border investments into the world’s leading markets. Successfully combining a wide range of market entry services and a powerful global and well positioned network of 28 offices in the most attractive markets, Altios has the resources and capabilities to be a partner in success to international enterprises. With 100 additional partners in 50 countries, we have operations in the world’s major economic centres, in key regional locations and emerging market hubs. Ph: +61 0409 310 790 E-mail: r.delvallee@altios.com www.altios.com

Protecting your innovation

Rob Jackson explains what businesses must do to ensure workers do not exploit their ideas or their intellectual property (IP).

Forward-looking businesses know innovation is vital to securing a competitive advantage within their chosen industry. But how does a business ensure that it retains the intellectual property (IP) rights in its innovation?

Innovation to commercialisation in years, losing your IP in minutes

A business may develop a strategic approach, or just strike it lucky in finding an unexpected technological breakthrough. Progressing from this point requires further research and development, securing government grants and tax breaks, and maybe applying for patents in Australia and overseas, with an eye on potential overseas markets. Hopefully before too long commercialisation creates further growth and opportunities. Many start-ups and established corporations alike strive to achieve success, after the ‘sweat and tears’ of enduring many late nights of endless research and experimentation.

The creators of innovation might work in an informal setting, like a start-up made up of a collection of friends and family members with a shared vision of making that imagined product a reality. Or they might work in a large corporation, with its formal procedures, protocols, sign-offs and KPIs. Finally, the Eureka moment arrives: figuring out what works, and importantly what sells. But there is a vulnerability shared by small and large organisations alike: somebody leaves the organisation and takes not only that great idea with them, but the whole ecosystem of suppliers, investors and customers’ data – which is then gone in one little USB.

What can you do to make a difference?

A small organisation might be too informal with no safeguards in place. A large business might be too formal, lost in a myriad of policies and repeatedly amended contracts that have long lost all sensible meaning – and nobody dares to alter the company employment contract template without a signed memo from head office! Whatever your size, it is important to consider these seven things to protect your company’s innovation:

1. List your key workers (employees and contractors) with valuable technical or sales knowledge. Who has key relationships with suppliers and customers? Can they be replaced within a week, a month, maybe a year? Consider not only those with specialist technical qualifications but also those who have a key understanding of the product. For example, a tradesperson who has maintained and upgraded a key piece of machinery might be the only one who knows how to fix it.

2. What makes your business unique? A technical formula or a process? Is it protected by means of confidential information, or a patent? Or is it the ability to source a particular specialist product at a price generally not known in the rest of your market?

3. Who are your key customers? For many start-ups there isn’t a known customer base. Finding private investors willing to invest may be more important than customers at the present time. If a departing employee canvassed your investors for scarce funds, is that a problem?

4. Conduct an intellectual property audit to identify what assets are capable of copyright protection, patent protection or other specialist means of IP protection, and identify which workers have created those rights. Engage IP experts to ensure the appropriate legal protections and registrations are in place for your product.

5. Have up-to-date employment contracts for every employee and review them regularly. Make them easy to read, especially the post-employment restraint clause, which must be reasonable. Length and complexity do not make an employment contract stronger and, in fact, may have the opposite effect. Importantly, do not download a template off the internet; there is no ‘one size fits all’. Ensure the employment contract clearly asserts ownership of all IP rights.

6. Be clear as to what constitutes confidential information. If an employer cannot articulate what is truly confidential as opposed to the know-how a skilled worker in the industry would ordinarily possess, then a judge cannot work it out for you. This exercise can be complex. Disclose confidential information to only those employees who need to know it and obtain a signed acknowledgement that they will protect its integrity.

7. Make sure contractors have a written agreement giving your organisation ownership of all IP rights to anything they may create during their engagement with your business. Otherwise, the default position is that the contractor will own all IP rights in their creations and the ultimate commercial benefit.

The final word: Workplace culture

You may have every IP right registered and the most effective employment contracts signed and in place for your employees. However, if your employees dislike your workplace culture for whatever reason, you will find it difficult to retain them as soon as a new competitor enters the industry. This dislike or unhappiness may provide your competitor with the opportunity to hire your employees and use their knowledge and experience to move into your area of business. It is important to note that some employees place a high value on workplace culture and may take reduced salaries to work for an organisation with a more respectful culture. If an employee believes they already have a strong workplace culture and enjoy coming to work, where all staff are treated respectfully, the employee may never be tempted to leave your employment. A positive, respectful and inclusive workplace with clear and fair leadership is just as essential as registering an IP right.

Rob Jackson is Partner – Workplace Relations at Rigby Cooke Lawyers. Rigby Cooke Lawyers has extensive experience working with clients in the manufacturing industry to ensure employment contracts and confidentiality agreements are up to date and to protect intellectual property assets. T: +61 3 9321 7808 E: RJackson@rigbycooke.com.au Rigbycooke.com.au
