In a recent proposal, President Obama introduced a Cybersecurity National Action Plan (CNAP). The plan attempts to address the myriad number of cyber threats that have the capability to seriously compromise the United States’ national security. While the proposal does discuss critical infrastructure, it does not include specific plans for the manufacturing industry. However, it is imperative for the CNAP to address the threats facing manufacturers to ensure the security of the United States. The Department of Homeland Security (DHS) emphasizes this point, describing critical manufacturing as “crucial to the economic prosperity and continuity of the United States.”
Within its description of “critical manufacturing,” DHS lists the production of primary metals (iron, steel, aluminum, etc.), machinery, electrical equipment, and transportation equipment. DHS names these specific industries because they are central to the operation of critical infrastructure (e.g., electric plants). However, other essential manufacturing sectors, particularly pharmaceutical and food & beverage, are equally critical to US security, prosperity and quality of life. For instance, nearly 60 percent of Americans rely on medication and, of course, nearly everyone eats factory-made food.
At present, the manufacturing industry is undergoing a major advancement in production techniques, connecting their factory environments to external networks in order to improve productivity and save on costs. However, this connectivity is going almost entirely unprotected, leaving “smart” manufacturers at risk, given that critical manufacturers and essential manufacturers are prime targets for cyber criminals. Attacks against these manufacturing industries could have an immediate and deadly impact on wide swaths of the American population.
Smart Manufacturing: Better, but Bare
Manufactures today are quickly taking advantage of the production benefits offered by the Industrial Internet of Things (IIoT). In what is known as smart manufacturing, operational technology (OT) systems, such as factories are connecting to the information technology (IT) systems and the Internet. These smart manufacturers yield a variety of benefits, allowing them to access their production systems remotely, remove downtime, make quick adjustments to products and orders, and save tremendous sums of money. This transition is spreading across the industry so quickly that it has been dubbed the “fourth industrial revolution.” Moreover, researchers expect the number of Internet-connected industrial devices to triple in the next four years.
Though the manufacturing industry has rapidly introduced smart manufacturing technology, it has been slow to recognize its security flaws, let alone protect against them. For the most part, smart manufacturers— which include critical manufactures, pharmaceutical, food and beverage companies—rely on IT security solutions to protect their industrial environments. However, IT equipment and OT equipment are markedly distinct from one another. Until recently, no connection has existed between them. Likewise, OT and IT machines are built to perform entirely distinct functions, which means they have different flaws and different security needs. Simply put, IT solutions are incapable of protecting OT technology.
Every OT device that is connected to an external network presents cybercriminals with an opportunity to wreak havoc. Particular danger lies in the pharmaceutical and food & beverage industries, where gaps exist that could allow hackers to manipulate formulas or cause complete shutdowns. These security gaps could leave enormous amounts of people without food and others with harmful medication. Moreover, American companies place their financial viability and reputation at risk by not addressing these threats.
Slowing Down and Shutting Off
Unfortunately, the emergence of cyber attacks targeting smart manufacturing networks is already upon us. In Germany, cybersecurity flaws allowed hackers to maneuver from a steel mill’s IT network into their OT network and disrupt its protocols. The attack led to fires and eventually an explosion that inflicted massive damage. This type of attack could just as easily occur at one of the world’s few insulin factories, and lead to factory-wide slowdowns, or even complete shutdowns, leaving millions of people who live with diabetes at severe risk.
Saving Lives and Preventing Recalls
Perhaps the scariest form of these attacks comes in product manipulation, which is particularly threatening given how difficult it is to detect. Recently, Mars faced a massive recall after a piece of plastic was discovered in one of their chocolate bars. The error, which left Mars’ customers with a potential choking hazard, lead to recalls in 55 countries. The cost to Mars tallied in at tens of millions of dollars, in addition to incalculable damage to their reputation. Though this product manipulation was likely caused by a human or technical error, if they can’t detect non-malicious errors, how will they detect hackers that intentionally tamper with a recipe and cover their tracks? An attack causing a similar manipulation could easily alter the content of a major drug, such as an over-the-counter painkiller. The consequences of such an attack could harm people across the country, and poses a very real security risk.
Clearly, weaknesses in smart manufacturing systems pose homeland security risks. The question the White House should ask within its proposal is, “How can the government take action in order to better protect smart manufacturing networks?” First and foremost, CNAP funding can be used to raise awareness of flaws in these industrial environments. There is a vast knowledge gap at most smart manufacturers. Many of them are unaware that connecting their OT systems to external environments creates new threats.
Additionally, CNAP intends to “double the number of cybersecurity advisors available to private-sector organizations with in-person, customized security assessments and implementation of best practices.” The “private sector” in this case should most certainly include the manufacturing industry. Likewise, the government could help industry develop a stronger cybersecurity position by outlining industry-wide standards for safety, and encouraging companies to adopt them.
Finally, within its proposed National Center for Cybersecurity Resilience, CNAP should provide a forum for manufacturers to assess their security systems in contained environments. With government aid, manufacturers can test the resilience of their security systems and make the necessary adjustments to keep attackers at bay. Smart manufacturing is suffering from a growing number of weak points and a swelling barrage of attacks. The government needs to act now to prevent a homeland security disaster.
This article was written by Yoni Shohet, Co-founder and CEO of SCADAfence, a pioneer in securing IIoT networks.