In the manufacturing world, we increasingly rely on internal and outsourced security partners to keep our IT networks safe. One report stated that as many as 50% of manufacturing companies have already been the target of ransomware attempts. Therefore, there is more work to do, especially on the neglected IT network. Industry requirements, such as CMMC, invoke costs and difficulties. But like traceability in the past, with the right preparation, this “burden” can be turned around to become a near zero cost, or even a benefit.
You vs. the Hackers
As operational security in the market evolves, hackers are increasingly “left-shifting” their operations toward the source of targeted products: manufacturing. Unlike biological viruses, hackers often share their intrusion tools freely to disguise their origin, resulting in a whole stream of concurrent attacks, each with different motivations and intents. Risk increases so that our seemingly genuine Smart personal, household, automotive, medical, and defense products could suddenly turn against us.
It's no joke that there may be hackers who would like to create a game of “Zombie Cars,” taking remote control of vehicles. They would suddenly take over as you drive along the freeway and use it as a tool to extort money from you; this is technically possible. (Examples of such remote control can easily be seen on YouTube.) Imagine a group of vehicles taken over and used for coordinated disruption. As vehicle control security is ever heightened, the hackers simply get more resourceful; they are focusing on manufacturing, with even the simplest and seemingly innocuous Smart/connected devices as targets. Cars have hundreds of interconnected controllers, where a simple media player or window winder module could become the cyberattack entry point. In the same way, a compromised USB stick on the manufacturing shopfloor could easily be the attack mechanism.
Once they succeed into a manufacturing network, it is open season on:
- Competitive information: Customer and supplier names, capacities, capabilities, schedules, and shipping information that anyone from counterfeiters to dishonest competitors can use against you
- Private information: Organizational and structural details, investors, employee details, payroll records, travel, and expense information
- Intellectual property: Product design and technologies, bill of materials, which together enable the creation of clones and counterfeits in the market
- Product alteration: The changing of data related to product documentation, bill of materials, and embedded software to establish quality or security vulnerabilities
- Hijacking: Implementation of ransomware or parasite programs mining for bitcoin using computers built into automation
- Sabotage: Machine instructions can be altered, either to damage processes and cause downtime, or to make subtle changes leading to quality issues, new product launch delays, or product-related issues in the market
Though these may sound a little ambitious, consider that there have been complex attacks in which design information, for example, was intercepted between design and manufacturing such that cloned products could be manufactured but with alterations that allowed embedded spyware to be active. Shipping information was also hacked so that substitutions of real products with the cloned products could be made. Traceability data was hacked so that legitimate serial numbers would be matched. Noticing a single cybersecurity incident within an organization often represents just the tip of the iceberg of what has been unknowingly happening, which, in at least one documented case, went on for over a decade.
Further Complicating the Problem
Industry regulators are responding to the threat, but with requirements that significantly impact the profitability of most manufacturers and increase the burden on executive accountability but do little to reduce risks. The idea that a firewall and virus checkers keep things relatively safe in IT networks may be true in the office, but this is not true when it comes to manufacturing floors. Most production automation has internal computers, which have been designed for the single purpose of operating the machine and use the same common operating systems, such as Windows. These machines are often now connected for the purposes of MES, machine learning, closed loops, dashboards, program management etc., so in most manufacturing facilities, there is a manufacturing network (OT) in place. These machines, however, typically cannot run anti-virus software, as that may affect the precise timings of the machines, and very often operating systems cannot be upgraded due to the fixed hardware and software limitations. They continue to contain known security vulnerabilities with no checks in place for the latest known vulnerabilities. Any cybersecurity intrusion can spread almost instantly from a single point of entry to every machine on the network.
The reality is that in almost all factories there are many types of automation, from many vendors, with many versions of unprotected software. This is further complicated by numerous instances of middleware; the OT network connection to the IT network has therefore become a critical security concern. In some cases, connection is not allowed at all, as firewalls allow legitimate traffic to flow, which are emulated by viruses that may already be present in the OT network. Data breaches are a major concern as product data, traceability data, and electronic visibility and control are all somehow inevitably transferred to and from the OT network, often using uncontrolled USB drives, middleware, or in-house developed software. It is an absolute nightmare for IT teams, which cannot practicably be expected to be in control all the time.
I wish I could describe a perfect and simple solution, such that manufacturing can avoid the cost, compromise, and burden of security measures that will imminently be required in manufacturing, but I cannot. The reality is that there is no easy answer. There are some principles that can and should be established as soon as possible to reduce the cost, risk, and impact from security breaches, or requirements for protection, which enable easier compliance and benefit the factory. Think back to the early days of traceability, where data collection and collation quickly became a major burden for the industry, with accuracy and usefulness of reporting, as well as long-term storage of data being quite a challenge. As technologies developed, native traceability data extraction mechanisms became normal with the IPC-1782 traceability standard defining exactly what is needed and how to communicate requirements. The IPC-CFX standard securely extracts traceability data in a single standard language. This enables the use of traceability data for machine learning and active quality management, thus building value from contextualization of events in many ways, turning an everyday burden into an everyday benefit. Preparedness and utilization of the right technologies and solutions turns situations around.
Trying to bolt on a high-security regime on top of an existing shop-floor network, more reminiscent of the “wild west,” is likely to invoke a life-changing experience. Instead, there are several things that can be considered and prepared that will secure production, while at the same time modernizing and streamlining the operation for improved performance and quality, thus reducing costs and risks. Some things for immediate consideration are:
Is the current exchange of data on the shop floor secure?
- Is any of the data open and not encrypted end to end?
- Is there any third-party middleware involved?
- Are there one or more “translations” of machine data?
If the answer to any of these questions is “yes,” then consider the use of IPC-CFX (Connected Factory Exchange) which is already supported by an increasing list of machine vendors.
Are the shop-floor solutions secure?
- Are there home-grown solutions that cannot be modified or maintained?
- Are there multiple solutions that share data through an automated or manual translation process between solutions?
- Are USB devices to transfer data ever needed?
- Is sensitive data ever sent by email?
- Is my IT network connected somehow with my OT network?
If the answer to any of these questions is “yes,” then the infrastructure and interoperability of solutions should be reviewed with the ideal being a single, secure IIoT-based MES platform that provides secure interoperability with other solutions, such as ERP, PLM etc.
Are my people secure?
- Does anyone have access to data that is not of immediate relevance for their tasks?
- Does anyone have contact with key intellectual property relating to the product, such as when preparing automation programs or work instructions?
- Are there people operating computers or automation that have not been appropriately trained in cybersecurity?
- Are there areas in which enforced and monitored best practices for security are not established?
- Does my OT network have a flat structure, not segmented according to customer/product/environment?
- Do the IT team refuse or are unable to take full 24/7 responsibility for OT network security?
If the answer to any of these questions is “yes,” then it is important to now start identifying vulnerabilities and to establish best practices, such as the replacement of procedures. For example, this might involve emailing multiple documents relating to the design of a product between engineering groups with applications that utilize PCB layout and 3D CAD design data through secure digital manufacturing engineering tools that don’t require users to manually access the raw design data. It is also advised to implement an OT-specific cybersecurity package that detects abnormalities on an OT network, including the operation of machines and other automation.
Are my products secure?
- Am I sure that there has been no manipulation of product or manufacturing data due to any cyberattack?
- Where a cyber-intrusion has been detected, can I identify and quarantine those materials and products that may have been affected and inform the supply-chain appropriately to prevent issues from further escalating in the market?
If the answer to either of these questions is “no,” then implementation of the new IPC-1793 Cybersecurity standard is advised, which includes exact traceability in manufacturing of the association of material to products, such that potentially affected specific products can be identified and quarantined.
For sure, almost no facility should feel as though it is well prepared for coming security requirements; there is no magic pill. But by implementing some intelligent practices as part of digital transformation projects, most requirements can be addressed without excessive cost or burden to the operation, and just like modern traceability, can bring with it best practices that directly and positively impact profitability.
This column originally appeared in the July 2022 issue of SMT007 Magazine.