by Bill Virgin
It might be tempting for those in manufacturing to read about the latest cyberheist, involving the theft of millions of data records such as credit card numbers, and think, “That’s a problem for the banks and retailers.” They should resist temptation—and quickly.
Cybersecurity’s most prominent breaches, in the commercial realm, have indeed come in retailing and banking. But lots of other industries are learning just how vulnerable they are and how much they have to lose. Electric utilities are the latest sector about which troubling reports are surfacing about incursions into their computer systems.
Manufacturers have lots to lose already – intellectual property concerning products and processes, as well as sensitive information about suppliers and customers. All of that has value to someone; anything with value is automatically a target for theft. But manufacturers’ exposure to cybersecurity incidents and what they have to lose are about to go up. Way up.
To explain why, we first need to discuss another trend coming at manufacturing – the Internet of Things.
For all the jokes about smart toasters and refrigerators that know to order milk from the grocery store before you even know you’ve run out, the Internet of Things is serious, real and in many cases practical, even at the consumer and household level. Devices that can be monitored or controlled remotely, that can use their connection to a wireless information grid to perform routine tasks, are not just the stuff of gee-whiz and “maybe someday” displays at trade shows. They’re here already, in such forms as home thermostats that can be operated from your smart phone.
The applications and usefulness are even greater on the manufacturing shop floor and up and down the supply chain. Managers can get real-time data not just on how much is being produced but how the products meet quality and tolerance parameters. Is a crucial piece of machinery running hotter than normal? Is another overdue for maintenance? IoT-capable devices equipped with the necessary sensors, software and wireless communication connections can tell managers now, before potential problems become real and expensive problems.
Nor is it only the manufacturer itself that can make use of the Internet of Things’ potential. Suppliers can get alerts in advance about raw material and parts inventories that need to be reordered (and those systems can be programmed to place and fill those orders automatically). Customers can get information on the status of the orders as well as real-time inspection data of what they’ve ordered (a Seattle startup is working on that specific application).
That’s a lot of potential. The potential for trouble is also big.
“Manufacturing is a highly sensitive process and any disruption could not only cost millions of dollars, but also be a serious risk to the lives of thousands of consumers,” wrote Peter Koen and Christian Strömsdörfer in an article for Architecture Journal, a Microsoft publication. “Just imagine what would happen if a hacker got access to the process that controls the recipes for production of food... Although security and safety are extremely important almost everywhere, manufacturing always adds life-threatening features such as exploding oil refineries or failing brakes in cars. If a computer virus sneaks into a chemical plant undetected, everything and anything might happen, not the worst of which were depredating the company’s accounts.”
If that sounds a bit hyperbolic, consider the report from a German government agency on a 2014 attack on a steel mill in which hackers worked their way through several systems to gain control of a blast furnace, preventing its normal shutdown. The result, the report says, was “massive damage.”
The problem is not just the degree and extent of damage but the number of points of vulnerability. It’s not just the manufacturer’s own points of access that have to be worried about. If suppliers and customers are all connected, then their vulnerabilities provide gateways to the manufacturer’s own systems.
A lot of people up to no good are going to be exploring those gateways and testing just how well they’re secured. IID, a Tacoma-based cybersecurity firm, warns in its annual threat-assessment report (looking out two years instead of the conventional one) that “by the end of 2017, botnet operators seeking new frontiers will execute a full-scale invasion of compromised Internet of Things (IoT) devices such as wearables and connected home products. A botnet is a collective of private computers, infected with malware, that are controlled by cybercriminals to launch mass attacks, unbeknownst to their owners.”
Such “zombified” IoT devices could be used in coordinated denial-of-service attacks to overwhelm systems with traffic, or for spying, among various nefarious purposes.
“The increasingly advanced technical capabilities of IoT devices such as autonomous consumer-grade drones and smart appliances will not be able to keep pace with security and privacy requirements,” says Sean Tierney, IID’s vice president of threat intelligence. “This will drive large-scale compromises of IoT devices.”
The only reason the threat is likely to come first to consumer IoT devices is that deployment of the technology is much slower in manufacturing. The systems are far more expensive and complex, and standards and protocols are scant.
That means that manufacturing actually has a little time to figure out the security aspect. Some, like Peter Koen and Christian Strömsdörfer, argue that “manufacturing applications must not be exposed to the outside world (i.e. the Internet) such that anyone could penetrate the system,” adding that “it is pretty much unthinkable to ever have a manufacturing environment connected to the cloud.”
In fact cloud-based services are what some providers will offer, and that will in turn prompt some manufacturers to worry that the threats and risks are not worth whatever benefits derive from IoT connections.
“Everybody involved in IoT understands that without security, it dies,” said William Hill, president of Western Integrated Technologies in Bellevue, in a presentation at a manufacturing conference last year. “They’re pretty committed to staying alive. I think we’re going to see some wholesale changes and upgrades to security in the next five years. Because without that, none of this works.”
How and how extensively IoT proponents and services address those concerns is something manufacturers will want to watch as closely as they do the rollout of Internet of Things technology for industrial technology. They’d certainly never tolerate uninvited and unwelcome strangers hanging out around their physical premises, rifling through files and loitering in the vicinity of the machinery. That ought to go quadruple for those who enter via an Internet connection, unseen but all too real.
BILL VIRGIN is a veteran business journalist and the founder of the newsletters Washington Manufacturing Alert and Pacific Northwest Rail News. He is also a columnist for The News Tribune, Seattle Business Magazine, and the energy newsletter Clearing Up. He and his wife own Page 2 Books, a retail store in Burien.