Safety and Cybersecurity Management in the Manufacturing Industry
Like many other industries, manufacturing has been hit hard by labor shortages. In April 2022, US factory activity was at its slowest pace in more than 18 months. Therefore, many factories are seeking more agility through artificial intelligence and other automated processes to better manage disruption and uncertainty. With these modernizations comes the threat of potential safety and health risks and cyber threats.
Occupational Safety and Health Administration
Increased automation can reduce some risks and increase efficiency, but technological advances that use computerized hazardous energy controls may also conflict with the existing Occupational Safety and Health Administration (OSHA) standard for the Control of Hazardous Energy (Lockout/Tagout) (LOTO). The use of robotics can also introduce other hazards into the work environment. In 2019, OSHA issued a Request for Information (RFI) on Control of Hazardous Energy (Lockout/Tagout) and Overall Use of Robotics to seek more information from stakeholders on increased efficiency and potential hazards associated with robotics (84 Fed. Reg. 22756). OSHA’s RFI demonstrates recognition that robotic modernization can create new hazards that are not easily addressed by its current LOTO standard. OSHA’s notice of the regulatory proposal to change the LOTO standard is expected in September 2022, but it could take years. While manufacturers await updated guidance, service and maintenance of automated equipment should be performed in accordance with OSHA’s existing LOTO standard until they are retrofitted.
It is important that manufacturers continue to evaluate the interaction between equipment and employees and keep abreast of federal and state safety regulations by seeking advice on current health and safety regulations.
In addition to security issues, modernization leads to an increase in vulnerability to cyberattacks. According to the Identity Theft Center report for the first quarter of 2022, manufacturing was one of the top three sectors targeted by cyberattacks. As manufacturers embrace modern technologies, this shift exposes these organizations to ransomware and data theft vulnerabilities in ways that simply weren’t available in the analog era. Part of this problem is likely due to organizations prioritizing innovations over the cybersecurity needed to protect new technology. According to Cybersecurity Ventures, phishing attempts increased by 200% in 2020, the amount held for ransom increased from $5,000 in 2018 to $200,000 in 2020, and experts estimated that a ransomware attack attempt occurred every 11 seconds in 2021. warned organizations to be on high alert for a possible cyberattack as the war in Ukraine escalates. As late as March 2022, the Texas Grandstand reported that Russian hackers probed Texas’ energy infrastructure.
Manufacturers can prepare against cyber threats. Manufacturers should ensure that they continually invest in cybersecurity strategies appropriate to their needs, including partnering with consultancies to develop strategies to meet the interplay of business needs, data protection and legal risks. As a first step, organizations can develop and practice an incident response plan before a breach occurs. The steps include the following:
Identify the internal response team (for example, management, IT, corporate lawyers and HR). These are the people in the business who will lead the response to any data-related incident. They will make quick, informed, and prudent decisions that are likely to be critical to the success of the response process and, ultimately, the future of the business.
Identify the external response team (for example, external legal counsel, forensic investigators, notification providers and public relations). Having external team members identified in advance and negotiating/agreeing to all applicable contracts can be critical to the success of any preparedness plan. When a breach occurs, valuable time can be wasted trying to identify, assess, negotiate with, and engage the third-party service providers necessary for the response.
Anticipate critical business continuity and site security issues that could arise from a compromise of information and control systems. Where possible, contingency plans should be established to allow operations to continue while the incident is investigated and damage mitigated.
Consult insurance brokers or cyber insurance companies to confirm applicable coverage or to discuss coverage options for cyber attacks. If coverage exists, notifying the insurance company should be one of the organization’s first actions in response to an incident.
Clarify the roles and responsibilities of team members at key stages of the response process: incident discovery, investigation, coordination with law enforcement, remediation, notification, third-party requests, compliance, and reassessment. This should include a well-defined decision-making process to facilitate the right choices and avoid delays.
Practice, practice, practice. It is likely that members added to the response team will not have direct experience in coordinating a data incident investigation or response. Unfortunately, even a well-written plan does not give those responsible for its implementation the competence to execute it. Once the organization has created its plan, it should bring members of its internal and external breach response team together to simulate an incident to help members gain valuable experience navigating the investigation, mitigation and comprehensive response process, as well as working with each other. Much like a fire drill, practicing this process will help ensure that any data incident is handled in an efficient and orderly manner.
It is also important for organizations to raise awareness of cyberattack and cybersecurity risks. This may include the following:
Tell employees what to do immediately if they believe an attack has occurred (for example, who to notify (usually IT) and how to disconnect from the network). This may include coordination with the organization’s site safety team to ensure, for example, that compromised systems and equipment do not cause physical harm to people or damage to property.
Preparation can make all the difference in the success of an organization’s ability to handle a cyberattack. An incident prevention and response plan is as strong as employee awareness. Employees should understand the risks involved in maintaining complex data-driven systems and equipment and the basic steps they can take to prevent or mitigate a cyberattack and, if necessary, respond to it.
© 2022 Jackson Lewis. National Law Review, Volume XII, Number 131