Video: CyberSecurity in Manufacturing - What are the Risks?

Cybersecurity is consistently in the news today, with regular reports of hacks and data breaches at major companies such as Sony, Best Buy and, most notably, Equifax. Companies are facing mounting pressure to improve their protections for customer data, and for good reason: personal data, such as names, addresses, emails and credit card numbers, are easily monetizable by hackers. But with so much focus on consumer data and corporate information security, manufacturers may be left wondering: What are the risks in my sector? What do I have to protect? And who would want to hack us?

Xerox recently hosted a conference called the Xerox Security Summit. The event featured cybersecurity experts from Xerox, as well as from McAfee, Dragos and Cisco Systems. While the conference deals with cybersecurity issues across all business sectors, engineering.com attended the event in order to find out just how these issues affect manufacturers.

We sat down with the experts for a short panel discussion. Watch the video below, or read on for the summary.

Here’s the “too-long; didn’t-read” version: Cybersecurity is a critical concern for engineering, design and production operations, and you should start thinking about security practices, policies and products even before you begin production.


How to Identify Cybersecurity Threats

An ounce of prevention is worth a pound of cure. According to Alissa Johnson, Chief Information Security Officer for Xerox and the former Deputy CIO for the White House under Obama, there are two fronts in cyberwarfare: the insider threat and the outsider threat.

Insider Threats

Insider threats include not only nefarious internal actors, which are rare, but also poor security hygiene, bad policies, and sloppy practices. The solution to these threats is to cover the basics: close ports, change passwords regularly, and control network access. “We are our own weakest link,” said Dr. Johnson.

Outsider Threats

The key to resisting outsider threats is to anticipate them. Don’t simply buy “shelfware” and expect a software package to cover your needs without support. The best approach to cybersecurity uses technology to complement good practices and behavior as part of a security ecosystem.

Cybersecurity for Small and Medium Enterprises

While the highly publicized hacks are at multinational corporations worth billions of dollars, about 75 percent of manufacturing operations in the US have fewer than 25 employees. Of course, small companies are not immune to threats, though their approach to security may differ.

While large corporations have fully staffed IT departments that can focus on handling security systems and threats, smaller operations may not have the necessary manpower or expertise. For these smaller companies, partnerships with third parties, such as McAfee or Dragos, become important.

Who Would Hack a Factory, Anyway?

The Hollywood image of a ‘hacker’ is a geek in a ski mask, furiously typing away in a dank basement. This is obviously not accurate, but it does reflect a kernel of truth: some hackers looking for monetizable data, such as consumer identities, are individuals. For manufacturers, however, individual hackers are not the main source of attacks, according to Sergio Caltagirone, Director, Threat Intelligence and Analytics at Dragos, Inc. Instead, he said, there are two main sources of threats.

Unexpected Threats

“These threats were not directed at a process control network, but rather got there because of some happenstance, and then caused some sort of issue,” said Caltagirone. “They didn’t look like they were the target, but a piece of malware got in that harmed their operation.” This is a good point: many industrial control systems, even machine HMI devices, run Windows operating systems, often out-of-date and unsupported versions, such as Windows XP. These systems are vulnerable to viruses and malware, just like consumer devices. Preventing this kind of incident requires good security practices, training and antimalware software.

Directed Threats

“The second type is the more directed or targeted threats. Those, particularly, are going to be nation-state actors,” said Caltagirone. The “lone wolf” hacker just isn’t as often a factor. Reasons for this include the legal ramifications of causing bodily injury or even death by interfering with industrial control systems, the complexity and difficulty of most industrial systems and the fact that most manufacturing data isn’t as easily monetizable as consumer data.

So, What are Attackers Looking For?

According to Candace Worley, Vice President and Chief Technical Strategist at McAfee, the key thing manufacturers must protect is their part-and-process intellectual property. Business competitors or nation-states may seek access to a manufacturer’s technology or trade secrets. This data can be compromised not only maliciously by an attacker, but also through carelessness, by an employee seeking an unauthorized but convenient method of work, such as using an insecure data transfer or storage platform, freeware, or personal email accounts.

Cloud IIoT Platforms: Are They Safe?

The major push in industrial connectivity today is for ERP, PLM and other platforms which involve web-based dashboard analytics. But how secure are these tools? Dov Yoran is the Sr. Director, Security Business Group at Cisco Systems. He said that the answer to this question depends on finding a balance between opening up to external services and keeping things in-house. For example, you could allow machine monitoring data such as temperatures and uptime to be uploaded to the cloud, but not CAD or GCODE files. Where that balance lies depends on the size of your operation and your IT capabilities.

In many cases, leveraging third-party software-as-a-service (SaaS) offerings can actually improve your security, because many of these large companies have better practices, knowledge and technology than you have the resources to achieve. Bottom line: it depends on the data, on your business and your capabilities.

For more on cybersecurity, check out the article The Most Pressing Challenge Modern Manufacturers Face? Cybersecurity.