Our PROMISE: Our ads will never cover up content.
Our children thank you.
Pat Toth
Published: Wednesday, October 12, 2022 - 12:02 In an earlier article in this series, “Cybersecurity and Industry 4.0: What You Need to Know,” we discussed the four aspects of Industry 4.0: cyber-physical systems (CPS)/cobots, internet of things (IoT), cloud manufacturing, and automation, as well as how they are interconnected. Strong cybersecurity practices protect those interconnections, ensuring manufacturers’ systems consistently deliver accurate data in a timely manner—something critical to the success of an Industry 4.0 model. In the past, enterprise systems in manufacturing facilities had distinct boundaries. The shop floor was separated from the office functions of the company both physically and electronically. Few production systems were connected to each other or the internet. In some ways, this approach, commonly known as “air gapping,” gave reasonable protection for small manufacturers. Without the risks associated with connectivity, manufacturers were seen by attackers as hard targets and not worth the effort. Today, with the growing use of the internet and mobile devices, boundaries between traditional information technology (IT) systems, production systems, operational technologies (OT), or other equipment have almost disappeared. With the recent increase in the number of employees working remotely, the boundaries that remained in place were weakened further. Meanwhile, attacks to get around the air gap have become well known. Manufacturing is now the most targeted industry for cybersecurity attacks. The fundamental guiding principle of cybersecurity is the CIA triad: confidentiality, integrity, and availability. Confidentiality limits access to sensitive company information; integrity ensures that company data and equipment remain trustworthy and accurate; and availability provides timely access to company data and equipment. Other attributes are sometimes added to the CIA triad, such as privacy and safety, but these are the generally accepted core principles and are things any Industry 4.0 adopter should consider. My last blog introduced AthCo, a fictional medium-sized manufacturer of athletic apparel. AthCo had recently achieved rapid growth after the launch of its new athleisure collection, which relies on the in-house development of a new breathable fabric. The production method for the fabric is proprietary information that needs to be protected. For many years, AthCo has used an enterprise resource planning (ERP) system and a customer relationship management (CRM) system. A great deal of data are produced from the ERP, CRM, and the “back office,” including transactional information. With the implementation of Industry 4.0 through the use of sensors, cobots, cloud-based data analytics, a programmable logic controller (PLC), and data visualization, AthCo leadership can now retrieve and access data from every stage of the production process. This provides an instant snapshot of the production status and helps to monitor fluctuations and quickly address potential issues. Plus, the data AthCo now collects allow it to rapidly communicate internally and with its customers, suppliers, and business partners about things such as inventory levels. But AthCo is learning that these improvements aren’t without risks. AthCo, just like any manufacturing company, needs to build the right infrastructure that can support and protect the collection, transformation, storage, and analysis of data. Manufacturing systems must be protected against many types of threats. Most threats affecting small and medium-sized manufacturers fall into three categories: • Traditional IT: These are the types of threat most companies are familiar with—ransomware, data loss or theft, and intellectual property theft. They often target a company’s IT infrastructure and employees through phishing attacks (e.g., fake emails) or weak passwords. Successful traditional attacks can cost a manufacturer time and money. They can damage themanufacturer’s reputation as well as its business partners and supply chain. Often, smaller manufacturers are vulnerable to these traditional attacks because they don’t consistently monitor and update their cybersecurity protections. Let’s look at some scenarios that AthCo might face based on each of the three types of threats: • Traditional IT: AthCo’s IT staff has been very involved in implementing Industry 4.0. In fact, it has been so busy that it overlooked a new software update that included a number of security updates. This allows a hacker to penetrate the company’s IT systems and gain access to its customer database. Although payments are processed using a third-party that wasn’t affected, customer names, addresses, and order information were compromised. AthCo had to follow local data-breach notification laws, which cost it several thousand dollars. Unfortunately, AthCo is unable to tell what other information or systems the hacker may have compromised, and its ability to trust its data and IT infrastructure is now fractured. AthCo knows cybersecurity must be part of the company culture, especially as it moves toward increased Industry 4.0 implementation. Here are some things that you and AthCo can do to protect your investments: • Have a cybersecurity awareness and training program for new and current employees that teaches what behaviors are appropriate, how to identify suspicious activity, and how to react if they see a problem. See this list of free and low-cost online cybersecurity learning content compiled by NIST. AthCo will need to determine the level of risk it’s willing to accept and what specific cybersecurity practices it will want to apply. A useful roadmap for reducing cybersecurity risk in manufacturing can be found at NISTIR 8133 Rev 1—“Cybersecurity Framework 1.1 Manufacturing Profile.” As Industry 4.0 matures, and as we approach the fifth industrial revolution (5IR), your manufacturing company should expect to see the interconnection of data and technology as a competitive advantage over less technologically advanced companies. Cybersecurity will continue to be a critical component of successful implementation of Industry 4.0 and beyond. For more information on cybersecurity and Industry 4.0, please contact your local MEP center. First published Sept. 7, 2022, on NIST’s Manufacturing Innovation Blog. Quality Digest does not charge readers for its content. We believe that industry news is important for you to do your job, and Quality Digest supports businesses of all types. However, someone has to pay for this content. And that’s where advertising comes in. Most people consider ads a nuisance, but they do serve a useful function besides allowing media companies to stay afloat. They keep you aware of new products and services relevant to your industry. All ads in Quality Digest apply directly to products and services that most of our readers need. You won’t see automobile or health supplement ads. So please consider turning off your ad blocker for our site. Thanks, Pat Toth has more than 30 years of experience in cybersecurity and has worked on various NIST cybersecurity guidance documents, including “NISTIR 7621 Small Business Information Security: The Fundamentals.”Cybersecurity: A Critical Component of Industry 4.0 Implementation
Manufacturers may be more vulnerable than ever
The CIA triad is a model used to represent three core principles of cybersecurity: confidentiality, integrity, and availability. What manufacturers need to consider with industry 4.0 implementation
Threats to manufacturers
• Operational technology (OT): Industrial control systems (ICS), industrial IoT (IIoT), or other shop-floor equipment usually have little internal cybersecurity protection because they were always considered secure if air gapped. Today, this equipment is often connected to the company network and internet, and attackers can compromise them even if they aren’t connected. Successful attacks to the OT environment can endanger proprietary company information, interrupt the manufacturing process, or affect the quality of products.
• Customized software: Manufacturers frequently use software that has been adjusted, modified, or adapted to fit the demands and requirements of their businesses. Often, software must be tailored to allow for communications among different manufacturing systems. These adjustments may unintentionally introduce security vulnerabilities. Additionally, to prevent the equipment from malfunctioning, the software isn’t updated or patched to address newly discovered vulnerabilities. If the custom software wasn’t designed from the beginning with security as a priority, or if it’s not implemented and maintained correctly, it can be a point of entry to gain access to other systems.
• Operational technology (OT): A disgruntled AthCo design department employee shoulder-surfs the production manager’s remote-access control credentials during an off-site meeting. Several days later, the employee uses the stolen credentials to remotely log onto the production system, bring up screens, and randomly click on things, hoping to do as much damage as possible. These actions result in a complete production shutdown for three days as the manufacturer is forced to reconfigure its machines.
• Customized software: AthCo has several pieces of older production equipment that still work, but it needed custom software to connect the machines to the new production management systems. A local software developer customized some open-source software to provide this connection. Unfortunately, AthCo didn’t stress cybersecurity as a priority to the software developer, and the software contained many vulnerabilities that weren’t managed. As a result, AthCo’s production methods for its new breathable fabric, the reason behind the success of its new collection, was stolen by its competitor through the vulnerabilities introduced in its custom software.
• Perform a cybersecurity risk assessment every year. This provides an understanding of which cybersecurity risks to focus resources on and prevents waste. See NISTIR 7621 Rev. 1—“Small Business Information Security: The Fundamentals” for a simple guide on conducting a risk assessment.
• Have a conversation about cybersecurity with any service providers. Make sure cloud service providers protect your data from misuse and disclosure, that cleaning or maintenance providers are trustworthy, and that critical utilities such as power or internet guarantee an appropriate level of “uptime.”
• Understand the cybersecurity practices of suppliers. AthCo could request that each supplier submit a completed vendor assessment questionnaire. See NIST’s Assessment & Auditing Resources page. This will provide an understanding of the level of cybersecurity expertise within the supplier’s company.
Our PROMISE: Quality Digest only displays static ads that never overlay or cover up content. They never get in your way. They are there for you to read, or not.
Quality Digest Discuss
About The Author
Pat Toth
© 2023 Quality Digest. Copyright on content held by Quality Digest or by individual authors. Contact Quality Digest for reprint information.
“Quality Digest" is a trademark owned by Quality Circle Institute, Inc.