It’s probably not a bad idea for smaller and mid-sized manufacturers (SMMs) to adopt an “us against them” attitude as they become aware of the prevalence of cyber-attacks in the digital age of the Industrial Internet of Things (IIoT) and Industry 4.0.
The sources and agents of cyber-attacks include, but are not limited to, malware, ransomware, careless humans, nation-state hackers and industrial espionage. Manufacturing has been a bit late to the party when it comes to adopting cybersecurity safeguards for its multi-million dollar machine technology investments on the shop floor.
Both newer, advanced machines and technology and legacy equipment have vulnerabilities to malicious or even accidental intrusions that can result in demands for ransom, denial of service, industrial espionage or just plain costly downtime. Legacy equipment may be the most vulnerable, but even networks with the latest equipment require constant vigilance on the part of shop floor folks and their soon-to-be new best friends in IT.
According to Koushik Subramanian, strategic advisor to the National Center for Cybersecurity in Manufacturing (NCCM), industries that depend on payments like the banking and retail sectors are much further along in adopting the necessary cybersecurity safeguards.
NCCM was launched by the Digital Manufacturing and Design Innovation Institute (DMDII; Chicago) with $750,000 seed funding from the U.S. Department of Defense with the express objectives of lowering the educational and cost barriers that manufacturing faces to increase readiness to thwart cyber-attacks.
“Manufacturers are much more prone to threats to their security because of connectivity in IT and OT systems through Industry 4.0 digitalization,” said Subramanian, citing a 2017 Verizon data breach investigation report that found that 35% of all cyber-espionage attacks in the U.S. target the manufacturing sector.
“First and foremost, manufacturers must undertake a risk assessment of their operations,” he said. “Risk can be technical—found in machines, controls or software, and also found in personnel, practices and processes. Risk takes many different forms, but the most common is from cyber-attacks where malicious individuals or groups try to break into systems by taking advantage of the weakest link: people. That’s the reason phishing and ransomware are so popular and why attacks are trending higher. They target getting into the SMM environments through emails or telephone calls, where they are counting on a human response to an email or phone call by clicking on a link, and that provides a way into the system.”
Subramanian added that NCCM is working with SMMs on pilot cybersecurity projects and with the National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) National Network. “Each state and Puerto Rico have a MEP,” he said.” SMMs tend not to know where to start, so we give them a high-level strategy and introduce them to tools so they can start to figure out what to do and how to identify and prioritize the security risks.”
Currently, NCCM is piloting three specific tools and looking for more SMMs interested in participating. A cloud-based risk assessment tool allows the manufacturers or third parties to run through a compliance audit for DFARS or NIST 171, or NIST CSF (Cyber Security Framework).
Another tool is automated penetration testing for vulnera-bilities that SMMs can bring in-house. It performs a phishing campaign or has a third party run an operation to scan for internal vulnerabilities. The last tool is a series of training labs in partnership with the Information Systems Audit and Control Association (ISACA) to raise the level of employee training, awareness and safe practices.
Impact Can Be Devastating
Pointing out that it’s a great time to be a manufacturer, Elliot Forsyth, vice president of business operations at the Michigan Manufacturing Technology Center, part of the NIST MEP National Network, raises a cautionary note.
“The practicality today is that SMMs are running at capacity, orders are coming in, and the biggest issue is finding and retaining talent—the biggest constraint in getting product out the door. Considering all the decisions that manufacturers have to make every day, cybersecurity is not high on their radar,” he observed.
But it should be. Breaches designed to steal intellectual property and critical engineering data are happening at lower levels up and down the supply chain, according to Forsyth. “If you look at some of the significant breaches that affect our security, in June it was reported that China now has all the secrets of our most advanced nuclear submarine, the Sea Dragon, and has built its J-31 fighter jet to duplicate the F-35, our most advanced U.S. warfighter,” he said. “Hackers discovered critical IP and engineering and design data up and down the supply chain and by hacking as low as a Tier Four manufacturer.”
Information is a vital part of running a company. As manufacturing becomes more digitized, cybersecurity must become a standard component of doing business.
“If sensitive information such as employee records, customer transactions or proprietary data are compromised, the consequences to SMMs of a serious breach can be devastating. There are reports that 60% of the SMMs that have suffered a serious breach through cyber-attacks that result in a substantial amount of downtime or loss of intellectual property are out of business within a year,” said Forsyth.
“The FBI estimates that more than $400 billion in intellectual property (IP) leaves our country every year.”
An essential first step in getting cybersecurity up to speed is risk assessment and management, according to Forsyth. “A company’s intellectual property has to be secured no less than its physical plant is secured. First and foremost, SMMs should have adequate backup systems in place. Information and IP have to be filed away in a protected area, and employees have to be trained in and have a clear understanding of procedures. Finally, any threats that hit a firewall have to be reported and acted upon, especially if a change-out of an operating system is needed.”
The Up and Down Side of Connectivity
In the new Industry 4.0 environment, data and data analysis are mission critical, according to Neil Desrosiers, application engineer/developer MT Connect specialist, Mazak Corp. (Florence, KY).
“The problem lies on the factory floor. Multi-million dollar machine tools have to keep making parts for the company to stay in business,” he said. “These aren’t $1,200 laptops that can be isolated with the goal of protecting the office. When management comes in and wants to connect all these machine tools to the network for Industry 4.0 connectivity, they are creating what I call a petri dish because now you have these Windows 95, Windows 2000 and Windows XP systems that are susceptible to infection or malware in play. Viruses can easily propagate across all of the equipment in the network and right now that is the biggest threat.”
According to Desrosiers, two key requirements of cyber-security are establishing connectivity and implementing ways to standardize and transport data. The requirement to standardize and securely transport data involves the MTConnect standardized communications protocol. MTConnect provides an industry-oriented data dictionary and vocabulary that standardizes transfer of data across all devices, enabling the data to be read and understood by any piece of software.
MTConnect is read-only so it is functionally unable to forcibly send data to the machine tool or alter parameters that could cause the machine to crash or otherwise malfunction, Desrosiers pointed out. Connectivity means getting every machine and device on the shop floor connected to an Ethernet network. Many machines on the shop floor already communicate with each other via automation protocols such as Profibus, OPC-UA and Ethernet I/P.
A Network Inside a Network
“Cybersecurity practices typically employ a layered approach; a network is housed inside a network, which itself is housed in another network,” said Desrosiers. “Typically, data does not flow between the layers and the aim is to stop intruders in one layer from moving to the next. IT departments often sandbox the factory floor in its own Virtual Local Area Network [VLAN] to separate it from a corporation’s global network and the cloud. A key reason for such strict security is that the shop floor equipment typically features legacy operating systems such as Windows 95 and Windows 2000 that are highly vulnerable to viruses.”
Mazak’s cybersecurity answer was to team up with Cisco to develop a solution that is scalable for Industry 4.0. The resulting SmartBox allows the IT department to be responsible for the entire factory network and is something that the IT department can recognize and understand.
According to Desrosiers, “The Smart Box has the capability to isolate the machine with a VLAN while still enabling connection with clients off the shop floor. The central element of the Mazak SmartBox is a Layer 3 managed switch developed by Cisco for industrial applications. As a managed switch, it becomes part of the IT department network and IT can connect to it and manage it via Cisco software.
“The software enables IT to see Mazak SmartBoxes on its network, control access to them, install or remove applications and know which boxes need software updates and other services,” he continued. “It also enables an IT department to add features to the SmartBox, such as audit functions and the ability to perform deep scanning of the data packets for viruses, worms and other abnormalities.”
The SmartBox is an edge device, according to Desrosiers. One edge of the network is the firewall that goes out to the Internet. The other edge is the door between the office and the factory. “What we want IT to do is push the edge of the network right out to the machine tool, own that network and make sure that network is secure because the factory floor is its own isolated network,” he said. “The SmartBox allows getting the edge of the network so close to the equipment that I can deploy apps specific to a device and isolate and monitor high-frequency data with sensors.”
An essential cybersecurity-related microservice involves secure file transfer (SFT), which is especially important for sending confidential information such as a machining program to the shop floor. Desrosiers described how an SFT can be used: An engineer would use SFT to transfer an encrypted piece of intellectual property from the design office over the network directly and automatically to the machine. In this way, SFT would be valuable with helping manufacturers with their Defense Acquisitions Regulations Systems (DFARS) compliance, a DoD regulation regarding unclassified, on-premise technical information that must be managed and protected from theft.
Other machine tool builders and software companies are following suit with their own unique black box cybersecurity solutions.
How to Get Started
The National Institute of Standards and Technology has developed a practical framework for cybersecurity that can be implemented by businesses of any size. The MEP National Network Cybersecurity Self-Assessment Tool is available online, or by contacting the local MEP Center by calling 800-MEP-4MFG.