Cybersecurity for Advanced Manufacturing
By Michael McGrath
VP for Systems and Operations Analysis, Analytic Services Inc. (ANSER)
Yesterday’s manufacturers operated factories using “visual flight rules” (VFR)—they read blueprints, manually controlled machines, and directly inspected each operation. Today’s industrialists pilot advanced enterprises using “instrument flight rules” (IFR)—they rely on factory processes where digits go in and parts come out, with technicians operating automated machine controllers and sensors. A digital thread of information flows on implicitly trusted networks to connect every level of the enterprise—from the shop floor to the global supply chain. But, as with instrument flying, if that digital thread is compromised the enterprise may crash.
Our national and economic security depends on critical manufacturing infrastructure capabilities that are resilient in the face of cyber threats, especially in Aerospace and Defense. There is ample cause for concern. Symantec reports that manufacturing was the most targeted sector in 2012, accounting for 24% of all targeted attacks. Manufacturers must be equipped to prevent: theft of technical data (for criminal or espionage purposes); alteration of data (thereby altering processes and products); and denial of control (damaging or shutting down operations, or holding them for ransom).
Cyber spies, cyber criminals, cyber terrorists, disgruntled insiders and hacktivists can attack in very sophisticated ways. For example, the Washington Post (May 28, 2013) reported that an Advanced Persistent Threat (cyber espionage) exfiltrated technical design data on over two dozen US defense systems. Stuxnet, the worm that attacked the Iranian uranium refinement capabilities, was a sophisticated attack against a cyber-physical system that caused physical damage. Threats like these are hard to detect, and containment and restoration can take months. Such sophisticated attacks are not yet commonplace, but this should not be cause for complacency. As Verizon puts it, “would you use a guided missile to attack a screen door that’s not locked?”
So what needs to be done about the unlocked screen doors in the critical manufacturing sector? First, we need to recognize the similarities and differences between the manufacturing operational technology (OT) culture and the information technology (IT) culture. The OT community’s highest priorities are operational availability and throughput—anything that slows or stops operations is anathema. Unlike the IT community:
- Operators run production machines as long as possible without rebooting, changing passwords or otherwise interfering with stable production processes.
- Factory technicians and vendors have administrator-level access to production machines.
- Security patches may not be available for weeks after a vulnerability appears. Machine downtime must be scheduled well in advance, and software changes must be validated offline due to potential safety concerns.
- Supply chains are interconnected to such an extent that your suppliers’ vulnerabilities can become your vulnerabilities.
Nonetheless, lessons learned in the IT world can apply directly to networked transactions within the supply chain, and can be adapted to machines on the factory floor. This requires a mechanism that will help IT and OT practitioners collaboratively define needs, adopt known solutions and best practices, and develop new solutions to fill gaps. This mechanism must also meet the business needs of the manufacturing sector.
The NIST-led Cybersecurity Framework initiative is developing such a mechanism. Launched by the President’s February 2013 Executive Order on Improving Critical Infrastructure Cybersecurity, the initiative is supported by multiple industry sectors. This framework will provide for voluntary participation in implementing practices and standards. It will give manufacturing companies and their partners a shared basis for achieving a level of cybersecurity maturity commensurate with both the cyber risks and business needs applicable to their sector. It remains to be seen how DoD will address levels of compliance in future contract requirements—or invest in programs to strengthen the cybersecurity of the Defense Industrial Base. Now is the time for A&D firms to engage in the collaboration forums and become part of the solution.
McGrath previously served as the Deputy Assistant Secretary of the Navy for Research, Development, Test and Evaluation.
This article was first published in the 2013 edition of the Aerospace & Defense Manufacturing Yearbook.
Published Date: 11/21/2013