What smart factories keep getting wrong about cybersecurity
In this Help Net Security interview, Packsize CSO Troy Rydman breaks down the biggest vulnerabilities in smart factory environments today, from IoT devices and legacy systems to human error. He explains how unmanaged devices, from sensors to robotic components, often go unpatched and become entry points for attackers.

Legacy infrastructure is frequently overlooked as organizations move to cloud and SaaS platforms, leaving outdated systems exposed. Employees remain a persistent weak point, not because of negligence, but because human nature can be exploited through social engineering and phishing. Rydman also addresses the ongoing tension between production uptime and security requirements, and how organizations can find the right risk threshold by keeping stakeholders informed, investing in training, and building a security-aware company culture.
When you look at smart factories, what part of the “digital transformation stack” is expanding the attack surface the fastest right now?
Definitely IoT, including operations, development, manufacturers, and equipment. Threat actors are often looking for usability and an industry that isn’t closely tied to security or advanced technologies. Many IoT devices are meant to help with productivity and require direct internet access. The credentialing needed may not be up to current security standards, which creates a high probability of these devices being targeted in a cybersecurity event.
Securing and protecting IoT products has always been a cybersecurity challenge. It’s still a major issue for the supply chain, warehousing and manufacturing industries, which have to protect and maintain security for their IoT devices while ensuring they provide adequate value to the customer. We believe it is our responsibility to ensure we have proper security around every device we use, and to make customers aware of additional risk they could present in the customer environment.
What kinds of assets are most frequently forgotten in security programs but end up being the foothold attackers exploit?
Legacy devices or devices that have been in environments or processes for long periods of time are often overshadowed when organizations start adopting cloud-type services or SaaS solutions. They forget about these systems that are running on infrastructure. A big challenge we see with our partners and customers is integration with legacy systems, especially if those systems are from a vendor who no longer supports them or has gone out of business.
Another possible foothold is the system inside a system, like a computer system or a warehouse manufacturing system. In robotics specifically, there are multiple smaller computer systems that run source code to operate specific environments. These individual computer systems are oftentimes neglected in favor of the larger system. For example, a warehouse might be managing a robotic picking arm, which will have three or four IoT devices built into the system that maintains individual portions. Those aren’t maintained and updated the same way as the main computer system. Those become exploit points for attackers as they’re looking to get into warehouse manufacturing, and robotics can have direct internet access without the user being aware of it. So it’s very important to keep these machines up to date.
If you had to name the most dangerous “invisible” vulnerability category in manufacturing, what would it be and what makes it hard to detect?
The biggest vulnerability for any company is an ignorant employee or workforce. Companies often create employee processes that are navigable and user-friendly to show a return on investment. From there, human errors lead to the majority of security incidents, from people giving up their passwords through a phishing exercise to mistakenly providing customer information over the phone or via email.
These kinds of honest mistakes continue to be the weakest link inside of organizations. Computer systems are very static, so they don’t fall victim to phishing exercises. People have human nature built into them, including empathy, compassion, and the desire to be helpful. Unfortunately, that can be exploited.
As a result, investment in not only training but also company culture becomes extremely important. Companies need to create processes around making sure people feel comfortable understanding and identifying weak points, why and how to work around them, and how to voice improvements to the security team.
What role do unmanaged devices like sensors, smart cameras, and industrial wireless gateways play in expanding risk?
A lot of these systems go unprotected because they’re viewed as zero-touch deployment systems. The belief is that once you place a camera, very little configuration or management will be needed from there.
But these unmanaged devices connect out to the internet independently into growing cloud-based and SaaS platforms. If you look at botnets today or computer systems that can be used to perform a denial of service attack, they are usually made up of hijacked IoT devices. If people are not aware these devices have become compromised, they can be used to send unapproved traffic patterns to unintended targets. Devices that we think are zero-touch have cloud-based access and typically require additional security calls and scrutiny before being deployed.
Where do you see the most tension between production uptime goals and cybersecurity requirements, and how do mature organizations resolve it?
There’s always a balance in understanding organizational risk and appetite. It’s a challenge on both sides. From a production perspective, a lot of workers don’t have a deep understanding of technology risks and see any type of resistance to what they’re doing as a direct impact on their customers. On the flip side, cybersecurity professionals may not understand organizational risk thresholds. They want to implement every control possible to mitigate any perceived risk inside the organization, which can impact supply lines, deployment timelines and other operational issues.
Conversations inside the organization can help everyone understand the appropriate risk threshold. Where is the organization willing to accept risk? It’s okay if certain systems aren’t completely locked down in favor of moving faster. There might be a better return on investment. In security, there’s a principle where you don’t want to spend $500 to protect a $100 risk. You always want to spend the right amount of money to mitigate the proper amount of risk for the organization. So, understanding that threshold is extremely important as well as having those conversations in the business and not keeping your stakeholders out of the loop.
