Managing IIoT Product Defect Risks

Jude DiBattista


December 2, 2019

The industrial internet of things (IIoT) is reinventing manufacturing as a highly connected enterprise dependent on machine-produced data flowing from equipment on the factory floor and disparate locations over high-bandwidth wireless and wired networks to IT data centers and control systems in the cloud. The IIoT offers great opportunities for manufacturers to increase efficiency, reduce costs and make products that align more closely with buyers’ demands. However, the downside is elevated cyberattack risks.

Manufacturing data presents hackers with a host of attractive opportunities from stealing intellectual property like blueprints and schematics to shutting down a production line until a ransom is paid to corrupting a product’s specifications, which can cause a catastrophic product liability claim.

The information transmitted within industrial control system networks has been vulnerable for decades as the internet has evolved. IIoT has vastly expanded the number of access points due to the greater use of wireless networks, the proliferation of sensors because of lower costs, and reliance on cloud computing. Once a hacker finds a way to penetrate a system, they can move into and through the network, until they arrive at the goldmine—the operating systems that control the factory equipment. This is unfortunately becoming increasingly common.

A March 2019 study by Kaspersky Lab found an alarming increase in the number of cyberattacks targeting industrial control systems. By and large, these incidents are intentional, meaning that the hackers have very specific aims for perpetrating the attacks. According to Verizon’s 2018 Data Breach Investigations Report, 86% of cyberattacks against manufacturers are, in fact, targeted.

Most of these hacks are designed to steal information and then sell it on the dark web; others are intended to disrupt manufacturing operations. Of greater concern is the possibility of a hacker attacking a factory machine producing a component that goes into finished products like vehicles or airplanes. If hackers got inside the machine’s operating system, for example, they could alter the component’s specifications ever so slightly. To the human eye, it may look perfect, but its composition (the materials making up the component) and/or its dimensions (the size and shape of the component) might be defective and cause a disaster.

A 2017 study of robotic industrial machines by cybersecurity firm Trend Micro indicated a number of problems, including outdated software, inferior software protection and weak network security, increasing the risk of unauthorized access. Researchers easily hacked one machine’s network to alter the robot’s movements by two millimeters, introducing minor defects into the manufactured product.

Not only are planes and vehicles susceptible to the risk of hacker-engineered defects, any product made to incorrect engineering specifications is at risk of failing. For example, the chemical formulas in pharmaceuticals, pesticides and even household goods can be altered to increase the risk of injury and illness.

Harmed individuals may bring lawsuits against the company that produced the defective component, the equipment manufacturer that embedded the component in the final product, and the software vendor of the IIoT operating system. The company could face serious loss from having to recall products and cease production until it discovered and fixed the problem. Individual directors and officers might also be held liable if proper governance is found lacking. Cases may drag on for years, undermining the reputation of the defendants while also significantly depleting their bank accounts.

The heightened risk of liability will not slow the pace of IIoT adoption—the IIoT market is expected to generate an annual $85 billion by 2020. Smart machines are regularly touted as one of the major planks in the so-called Fourth Industrial Revolution, the next era of technological advancement. In fact, manufacturers that fail to embrace IIoT may soon be at a competitive disadvantage. According to a 2017 study by Deloitte, a more flexible, adaptive production system is almost imperative for manufacturers that wish to either remain competitive or disrupt their competition.

These new adaptive systems would use internet-enabled sensors that measure temperature, moisture, vibration, density, weight, speed and other factors, depending on product manufacturing details. When analyzed, this information could indicate machine wear and tear and variances in tolerance and tooling drift, guiding more timely maintenance and repair, as well as more efficiently controlling production workflows.

When data from all the factory equipment is connected in the cloud and analyzed, a manufacturer could speed up or slow down production velocity. Benefits would include lower machine utilization, reduced inventory costs, and increased customer satisfaction. The primary benefit, of course, would be higher product quality.

Given this value, the onus is on manufacturers to manage the escalating risks of a cyberattack and resulting product defects. Best practices would include routine upgrades and patching, state-of-the-art firewalls and intrusion detection software, data segmentation protocols, routine penetration testing, as well as mandatory training to help employees spot phishing and other forms of cyberattacks.

Insurers can also help manufacturers via product liability insurance, which would absorb the potentially catastrophic costs of a major product liability suit. Depending on the insurance company, coverages may be expanded to absorb expenses related to product defects and product recalls. Insurers can also provide professional services that extend beyond the assumption of a manufacturer’s product-related loss exposures to identify key risks to business models and operations and enhance overall business resilience.
Jude DiBattista is senior vice president and underwriting leader of excess and surplus lines at QBE North America.