Road to maturity involves safeguarding supply chains, treating security with the same urgency as safety, for starters
Cyber defense is still a maturing concept in manufacturing: Executives are growing more aware of threats and making better investments to mitigate them.
“Cybersecurity is an infant right now,” said Ken Modeste, director of connected technologies at UL. “It’s going to grow up. You will see significant changes over the next few years.”
Taking that maturity to the next level requires progress in three key areas, Modeste and other experts said at an exclusive roundtable Smart Manufacturing convened recently at MxD: The Digital Manufacturing Institute (formerly called DMDII) in Chicago:
- safeguarding supply chains;
- treating security with the same urgency as safety; and
- addressing vulnerabilities inherent in the Internet of Things (IoT).
The three core cybersecurity areas are interrelated: malware buried in the software supply chain could allow an advanced hacker to exploit weaknesses in IoT devices, potentially affecting safety at a plant.
Manufacturing executives need to consider those possibilities in concert and not in isolation, the experts said.
Thinking about the problem holistically means having a firm grip on the cybersecurity risk at your organization, according to the experts. Smart, sensor-driven manufacturing—and the need to produce goods at speed and scale—give asset owners a lot to consider in that regard.
“The manufacturing environment is, in and of itself, changing quite a bit,” said Dan Herway, chief of strategy & innovation at Idaho National Laboratory. “And so to try and hit that moving target is very difficult.”
Getting serious about the supply chain
Wrapping your head around cybersecurity risk requires going deep into the supply chain, a journey that experts are urging more manufacturers to take.
“From a pure cybersecurity perspective, this is one of the issues that should be concerning more and more manufacturers,” said Mark Weatherford, former Deputy Under Secretary for Cybersecurity at the Department of Homeland Security.
Manufacturers that delve further into their supply chains may discover that where they thought they had diversity of supply is really anything but that, he said.
The most famous supply-chain attack in recent years was the 2017 NotPetya attack, in which corrupted accounting software in Ukraine hobbled operations for the shipping giant Maersk and many other companies.
With real-world supply-chain attacks fresh in their minds, more manufacturers are starting to demand assurances from vendors that their software is secure.
Organizations are waking up to the fact that “software is inherently just as important in the manufacturing process as hardware,” Modeste said.
More multinational companies are developing supply-chain security programs because clients are starting to demand them, he added.
Asking for a BOM for software
There is still plenty of work to do: Manufacturing executives who are ready to hand you a hardware bill of materials, or a list of all components, might give you a blank stare when asked for the software equivalent.
“I go to manufacturers and I ask for their hardware bill of materials… and they have it down pat,” Modeste said. “Then you ask for the same thing with the software bill of materials and they don’t even know what you’re talking about.”
One reason is that while it may feel like ages since the tech boom of the 1990s, software is still a fairly young industry.
“The software supply chain, especially when you’re also talking about open-source, is an incredibly rich place for issues,” said Shoshana Wodzisz, global product security leader at Rockwell Automation. “Because software in general is new. The whole software industry is maybe 30 or 40 years old.”
There are programs for manufacturers to build confidence in supply-chain components; it’s a matter of using them.
Helping smaller shops
Roundtable panelists pointed to the National Institute of Standards and Technology’s Manufacturing Extension Partnership (NIST-MEP), a program that can help smaller manufacturers steel themselves against supply-chain attacks.
The program, which includes NIST-MEP centers in every state, “is a great resource, particularly for the small-to-midsize manufacturers,” said Amanda Quick, senior director of strategy and operations at MxD (Manufacturing times Digital). “As we think about how to increase awareness and increase skillsets, leveraging the NIST-MEP network is a great way to do it.”
Taming the IoT
Take a stroll through a modern factory and you’ll see any number of sensors giving managers real-time feedback on output.
The broad surge in deployment of IoT devices has changed manufacturing, at the same time boosting production and opening up potential avenues to hackers.
A great number of those internet-connected devices are already deployed, causing a headache for security professionals.
“The things that we’re building today are completely different than the things we’re going to build 12 months from now,” Weatherford said. “The innovation cycle around IoT is dramatic, it’s revolutionary. Those of us who are on the security side of things are trying to plug fingers in all of these holes. Most companies don’t have a clear strategy for how they’re applying IoT.”
Seeing Mirai botnet attack as a warning
The affordability and ease of use of sensors obscure the insecurity they sometimes introduce.
“People ask me all the time, what keeps me up at night,” Weatherford said. “It’s not the walking dead zombies, it’s the zombies of IoT devices around the world being compromised.”
He pointed to the 2016 Mirai botnet attack, which used IoT devices to disrupt a host of major websites like Twitter and PayPal.
Although that attack wasn’t aimed at manufacturing specifically, its weaponization of IoT devices is a warning for the industry.
Managing IoT devices, which have a small digital footprint that often doesn’t include computing capacity, will be an immense challenge, Weatherford said.
But it has to be done if factory owners are to elevate their cybersecurity posture.
Expanding the definition of safety
The IoT has also changed the parameters of safety discussions in manufacturing, according to the panelists.
When properly secured, IoT devices can boost safety by giving precise readings of pressure levels in a factory and other critical data.
“In this new century, with IoT, safety is expanding,” Modeste said. “Safety means a lot of other things because of the connectivity that we have today. But that mindset hasn’t been inculcated into society.”
Coupling safety and security
As Wodzisz pointed out, the Germans have one word for safety and security: Sicherheit.
In English, manufacturers need to merge the two words if they are to appreciate the threats coming at them, panelists said.
Take, for example, the Failure Modes and Effects Analysis (FMEA), a framework that manufacturers have used for years to identify weak points in the production process.
No responsible manufacturer would buy a product from a supplier without doing an FMEA analysis, Modeste said.
However, incorporating cybersecurity into that analytical process is still a work in progress, he added.
Further, a more comprehensive inventory of assets at a facility is key to marrying cybersecurity and safety concepts, the experts said.
“I can tell you there is probably no company of any size that really knows all of the assets that they have,” Wodzisz said.
Weatherford also swore by that statement.
A starting point is the global standard for industrial control systems cybersecurity, known as IEC 62443, which offers best practices for building strong security measures into manufacturing processes.
Adhering to IEC 62443 is about conducting rigorous risk assessments, Wodzisz said.
An increasing number of companies are offering such assessment services to help manufacturers identify and protect their most prized assets, she added.
Simplifying the risk-identification process
Idaho National Laboratory, one of the U.S. government’s top cybersecurity research labs, is trying to simplify that risk-identification process.
The lab has developed a methodology it calls “Consequence-driven, cyber-informed engineering” that helps businesses pinpoint their most critical functions.
The goal is to apply the engineering expertise that many organizations have to design systems that fully account for cybersecurity risk.
In cybersecurity, Herway said, “you cannot afford to chase down root cause. You have to instead start with, ‘What are the effects? What are the outcomes? What do I care about protecting?’ And protect that first.”
Kickstarting better defense
If cybersecurity is still an infant in the manufacturing industry, what will cause it to grow up?
For some organizations, standards won’t be enough.
“Somebody told me something a long time ago in this business and that is companies don’t buy security, they buy compliance,” Weatherford said.
For publicly traded companies where the buck stops with the shareholders, showing return on cybersecurity investments is still key, the experts said.
While no respected executive would demand to see a return on investment before prioritizing safety, they still do so when it comes to cybersecurity issues that can affect safety, the experts added.
One way cyber defense may gain greater steam in the industry is if it can be shown to be a recognized source of competitive advantage the way that quality products are, Quick said.
“For a while, it will be a source of competitive advantage for the companies that can figure it out, but we’re still a long way away from that,” she added.