Black hats, script kiddies, phishers, and hostile nation-states. Bad actors are out there, fervently working to sabotage your factory and steal your stuff. What are you doing about it?
Google the term “cyberattack” and you’ll find page after page of news headlines, including several recent high-profile international ones.
The list includes:
--“Italian police thwart pro-Russian hacker attacks during Eurovision.”
--“Brazilian e-commerce firm reports multimillion-dollar loss following cyberattack.”
--“Cyberattack causes chaos in Costa Rica’s government systems.”
--“Potential cyberattack detected on Ireland’s NUI Galway’s IT [information technology] network.”
Scary stuff, right? But “at least none of these attacks happened in North America,” you may be thinking. And “none of them have affected me or my business, so what’s the big deal?” Keep scrolling. The sad truth is that hacking happens everywhere and all the time. For instance, Americans would do well to recall the $4.4 million ransomware attack on Colonial Pipeline that, thanks to a compromised password, took down the country’s largest gas pipeline for six days.
There was also the SolarWinds hack that led more than 18,000 computer users to unknowingly install spyware on their systems. Many of these belonged to the Pentagon, NASA, the Department of Homeland Security, and the National Nuclear Security Administration, as well as private companies such as Microsoft and Intel. According to some experts, the attack is still ongoing.
Manufacturers in the U.S. and Canada are especially prone to attacks from these bad actors. According to Mitre Corp.’s online database, ATT&CK, there are currently 133 organized “threat groups” working out of China, Russia, Iran, North Korea, and elsewhere, many of them state-sponsored. Mitre has also identified 680 publicly available software tools that these and other organizations or individuals might use to perform their malicious activities.
The U.S. continues to purchase large volumes of low-cost manufactured goods from at least one of these countries. And if your manufacturing company isn’t careful, it could very well be the next victim in a long string of unpunished crimes.
“The manufacturing sector is the primary target of cyberattacks in the United States, and nation-states are the largest backers.” That’s from Howard Grimes, CEO of the Cybersecurity Manufacturing Innovation Institute (CyManII), San Antonio, Texas. He described the attacks as “Daedalian in nature,” meaning they are highly sophisticated, interwoven, and ubiquitous.
“As the U.S. connects devices, networks, people, and machines, we exponentially grow both the cyberattack surface area and the complexity of their impacts,” Grimes added. “Our response, however, has been linear, market-driven, and collectively undexterous. We must transform our cyberinfrastructure to become more agile and robust than our adversaries. If not, the consequences to our economic and national security will be both unbounded and unacceptable.”
Recognizing these risks, the U.S. Department of Defense (DoD) has launched CMMC 2.0 (Cybersecurity Maturity Model Certification), which is designed to be a “comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.” The Department of Commerce has taken similar actions, charging its National Institute of Standards and Technology (NIST) with widespread implementation of the recently developed standard SP 800-171 Rev. 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”
Both are big deals to the manufacturing community. According to a blog on the NIST website, “If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.” The DoD website offers similar verbiage, stating that “CMMC 2.0 will become a contract requirement once rulemaking is completed.”
For any manufacturer managing controlled unclassified information (CUI), or those engaged in aerospace and defense work, this means a lengthy, invasive, and quite possibly expensive certification process, not unlike that required to meet ISO 9001, TS 16949, AS9100D, ITAR, NADCAP, and other quality standards.
The good news? The two standards are closely related, and meeting 800-171 requirements is one of the first and primary steps toward CMMC certification. Better yet, there’s help with both. NIST has established the Manufacturing Extension Partnership (MEP), a national network of industry experts charged with “equipping small and medium-sized manufacturers with the resources needed to grow and thrive.” In light of the current situation, perhaps the most important of these resources is assistance in implementing 800-171 and CMMC.
CMMC 2.0 has three levels, each more stringent than the last but all based on 800-171 compliance. Certification requires answering 110 control questions across 14 business areas. An MEP client will likely be guided through an internal audit process that helps them address any security concerns and develop an SSP (system security plan), which organizations can think of as their cybersecurity program. When done, the company submits its audit results to the NIST website for scoring—this, in part, is what determines which CMMC level they will achieve.
Some of the 800-171 controls are basic and well-known IT security practices, such as limiting unsuccessful login attempts and enforcing password complexity and character requirements. Others are more complicated. Are cryptographic keys used to protect your information systems? Is Federal Information Processing Standards (FIPS)-approved encryption used to protect CUI? Are personnel performing maintenance required to use multi-factor authentication methods during their work and are those login credentials deleted when maintenance is complete?
Given that the U.S. government, IT leaders such as Microsoft, and countless Fortune 500 firms failed to prevent the SolarWinds breach, it’s unlikely that they or a small manufacturing company will ace a security audit on the first attempt. Regardless, it’s important that businesses begin addressing these concerns now rather than later.
TechSolve Inc. is one such MEP center and serves the southwest Ohio area. It’s there that senior cybersecurity analyst Joe Anderson ticked off a number of equally alarming breaches, such as a barely averted attack on a water treatment facility in Oldsmar, Fla., that might have injured thousands. Others include the release of 21,880 records from New York State’s Office of Mental Health; a $40 million ransom payment from an insurance firm in Chicago; and $2.3 million paid by Visser Precision Manufacturing, a Denver-based DoD contractor. Anderson also referenced another grim statistic: A 2018 report from Inc. magazine stating that 60 percent of small businesses fold within six months of a cyberattack.
Anderson noted that these examples are not offered as a scare tactic. Each is a statement of fact, a data point that indicates how the world has changed over recent years. “It’s clear that some organizations are more risk averse than others, and these are the ones taking the necessary steps to avoid or at least reduce their chances of getting hacked,” he said. “But let’s face it, there are always those companies that aren’t going to do anything unless they’re forced to by their customers, or until it hits them in their pocketbook.”
Steve Gillock, TechSolve’s director of cybersecurity, explained that the financial ramifications of cybersecurity come in many forms. For a ransom attack, the solution is often to pay up, after which the hacker will gladly send you a key to unlock your machine tools, pipelines, business software, or corporate data. It’s hopefully a one-time event. Assuming the company survives, it will then apply first aid to its bloodied corporate nose in the form of strengthened IT practices. Yet there are also losses from intellectual property (IP) theft, corporate and government espionage, denial-of-service attacks, and plain old malicious behavior, all of which are harder to place a price tag on.
With all this comes the rising cost of cyber insurance, a pain that TechSolve feels, as does a growing number of manufacturers. “Five years ago, it was pretty easy to get a policy—just answer a few simple questions correctly and you were approved,” said Gillock. “But like so many organizations these days, insurance firms are starting to feel the pinch, and are checking to see if you have a robust security posture before doing business with you.”
So are OEMs, added Anderson. “General Electric is a great example. We have many tier suppliers in our area, and GE has begun stipulating to them how to manage their IP and other corporate information. Without the proper procedures in place, they won’t give you the contract.”
So what to do about it? That’s the subject of some lengthy meetings with security experts, but as Chou and the others here would agree, it’s critical to get started now rather than later. One good way to do that is to download the 800-171 publication from the NIST website. There you’ll see all manner of common-sense recommendations—many of which were listed previously—as well as the advice to “implement sub-networks with firewalls or other boundary protection devices and using information flow control mechanisms.”
Neil Desrosiers can assist with this last part. An applications engineer and MTConnect specialist at machine tool builder Mazak, he routinely trains CNC machinists and programmers at the Florence, Ky., facility, and starts each session with an anonymous survey asking how many customers have been hacked or hit with malware. “There’s always a handful,” he said. “It might be 20 percent of them one time and 50 percent the next, but it’s happening, and from what I’ve seen, most of them don’t want to discuss it.”
A big chunk of the problem is Industry 4.0 and, to a greater extent, the Industrial Internet of Things (IIoT). It’s a good news, bad news situation: Both will make manufacturers more efficient, while also increasing the likelihood of a cyberattack. “We promote IIoT, machine tool monitoring, data analytics, and all that, but many of these shops have older equipment that was designed before internet connectivity became a thing,” said Desrosiers.
“And even on the newer machines,” he added, “the operating systems are embedded in the control, and not easily patched. With that, you have IT departments or consultants who know very little about securing industrial machinery with CNCs and PLCs and automation systems.
“Sometimes it feels like the wild, wild west,” he laughed.
Desrosiers concedes that he’s not a security expert, yet indicated that at least part of the way to tame this iron frontier is to do precisely what 800-171 recommends: implement subnetworks with firewalls or other boundary protection devices.
For this, Mazak offers a preconfigured industrial solution, the SmartBox, which the company website describes as “a scalable, end-to-end solution that connects manufacturing equipment, including machines, software and other devices, to a factory’s network and allows the free flow of information to management systems via MTConnect.”
“It’s no longer feasible to leave CNC machinery off the corporate network,” said Desrosiers. “You need to measure utilization, you need to transfer programs and tool offsets and other forms of data. You might use a USB stick to accomplish some of this, but not only is that slow, it presents its own security risks. So the question is how to get machines online securely. A savvy IT person can certainly set up VLANs [virtual local area networks] and firewalls, although these might not interface easily or have enough ports for all the different hardware. Still, it’s possible. The SmartBox just makes it much simpler and faster.”
Anyone in the IT field knows the importance of regular and secure backups of hard drives and corporate data. And yet, what if you could create a digital copy of an entire IT system, which in a factory includes every bit of firmware, ladder logic, and parameter settings? Not only would this allow its owners to “roll back the clock” in the case of a cyberattack, but it would also let them probe that system for vulnerabilities before the bad actors can pull the trigger.
Such capabilities fall under the purview of Nick Cappi, vice president of portfolio strategy and enablement at Hexagon’s Asset Lifecycle Intelligence division, Huntsville, Ala., who suggests that the digital twin is good for much more than product design and simulation—it also offers manufacturers the capabilities just described.
“Consider a typical CNC machine tool,” said Cappi. “Within it are pumps, motors, temperature sensors, logic controllers, and so on, each with firmware or software running on it. I want to protect those different components while also understanding what risks exist to them so that I can mitigate or remediate each security hole proactively.
“That’s what our software does—it constructs a comprehensive virtual twin of any piece of machinery, right down to the microprocessor level. This allows its owner, among other things, to compare its various subsystems against a database of known weaknesses—ICS-CERT, for example, and the NVD, or National Vulnerability Database.”
Cappi argues that if hardware or software had no security weaknesses, bad actors would be unable to hack and there would be no need for cybersecurity. Granted, that fantasy world does not yet exist—and likely never will—but tools like this are bringing it closer by bridging the gap between IT and OT (operational technology).
“IT has been focused on risk avoidance for a very long time,” he said. “OT, on the other hand, is relatively new to cybersecurity and hasn’t really brought manufacturing security to an acceptable risk standpoint. It’s a different world, one filled with PLCs and CNC machinery that IT knows very little about. Until we can apply their best practices to the factory floor, cybersecurity will continue to be a concern.”
Network segmentation and cyber-twinning are good first steps, but CyManII’s Howard Grimes suggested that traditional security measures are insufficient. “Today’s world of cybersecurity can be described in many ways; the words I would use are inadequate and insufficient,” he said. “Basically, the systems we use now were never designed to be secure, and as a consequence, we tend to defend the perimeter in an attempt to keep the bad guys out. We protect pieces of our operations, not their holistic nature.”
What’s needed are next-generation architectures that will prevent and mitigate attacks, Grimes explained. They should be secure by design, cyber-inspired, and threat informed. They should also address “digital engineering lifecycles across the entire supply chain, where every operation, machine, and person is a ‘node’ in this digital ecosystem.”
This is the technology that the Department of Energy has charged CyManII and the University of Texas San Antonio with developing. They’re making significant progress. Grimes pointed out that the team is active in a number of cybersecurity areas and works with many manufacturers.
He provided the following as one small example:
“We’ve built a device that allows a one-way transference of information or data,” he said. “You cannot be penetrated because we simply don’t allow anything to come in the door. Think of it as a nothing-to-attack mentality, which is a term you rarely hear in the cybersecurity community. Anyway, this device costs 500 bucks, and can be hooked up to practically any piece of CNC machinery, radically increasing its cybersecurity posture. Again, that’s just one example of our work. We’re also researching cyber-physical passports for securing supply chains, anti-counterfeit initiatives, and like I said, the development of architectures that are secure by design and threat-aware. All this and more is our mission.”