On May 12, 2017, hackers launched a “ransomware” cyberattack that would eventually infect 300,000 machines in 150 countries over a three-day period.
The ransomware, known as WannaCry, locked computers and blocked access to files. Victims were ordered to pay a $300 ransom to regain their data. The countries most affected by the ransomware were Russia, Taiwan, Ukraine and India, but the attack also hit U.S. companies, notably FedEx. Victims included universities, oil companies, telecom providers and train systems.
The virus hit computers running older versions of Microsoft software that had not been recently updated. Microsoft released patches in April and again during the attack to fix a vulnerability that allowed the worm to spread across networks. Computers at manufacturers and hospitals, which can be hard to patch without disrupting operations, were particularly vulnerable. Indeed, the cyberattack slowed or stopped production at five assembly plants run by Renault-Nissan, including the automaker’s huge factory in Sunderland, UK.
Cyber-risk-modeling firm Cyence estimates the economic losses from the cyberattack as high as $4 billion.
A month later, on June 27, 2017, a second major ransomware cyberattack struck worldwide. The ransomware, known as “NotPetya,” initially targeted institutions in Ukraine—experts believe it was a politically motivated attack originating in Russia—but it eventually spread to France, Germany, Italy, Poland, the United Kingdom and the United States.
At first, the attack targeted energy companies, the power grid, bus stations, gas stations, airports and banks. But, as before, manufacturers were affected, too, including pharmaceutical company Merck & Co., consumer goods company Reckitt Benckiser, personal care company Beiersdorf, and food company Mondelez International.
A White House assessment pegged the total damages brought about by NotPetya at more than $10 billion, making it the most destructive cyberattack ever.
The WannaCry and NotPetya ransomware attacks underscore the importance of cybersecurity today even for facilities, like assembly plants, that are seemingly less desirable targets for hackers than, say, banks, retailers and insurance companies. However, as assembly plants become more digitally connected to both suppliers and customers, the potential threat posed by cyberattacks will only get worse.
“Plant management’s job is to guarantee production in line with the business plan and avoid unplanned downtime. To do that, they must not only have an asset performance management strategy, but also a solid industrial cybersecurity plan,” says Maurizio Milazzo, director of industrial digital innovation and operations technology security for Cybertech, a division of the global software company Engineering Group. “They must avoid the ‘security-by-obscurity’ approach. Today, managers must ask themselves not if the plant will be attacked, but when.”
Cyberthreats to assembly plants are real, and the consequences can be severe. Aside from locking up host computers or holding critical data hostage, hackers could, for example, simulate that a machine is working properly when it is not. As a result, the machine could produce faulty products or have a catastrophic breakdown.
That’s what happened in 2010, when the Stuxnet computer virus infected the PLC systems in Iran’s nuclear program, causing centrifuges to spin out of control without triggering alarms. Before it was caught, the attack was able to destroy up to one-fifth of the country’s nuclear centrifuges and set its nuclear program back a decade.
Conversely, a hacker can simulate that a machine needs maintenance when it does not. Remote access to equipment or company networks could also be compromised.
“A hacker can access a router, a PLC, an IoT sensor or an industrial PC to navigate from the industrial network to the IT network, and thereby gain access to sensitive data regarding production, intellectual property, customer data or balance-sheet data,” says Milazzo.
Avoiding Attacks
Preventing cyberattacks requires a joint effort between the operations technology (OT) and information technology (IT) teams. For some assembly plants, that will be a new way of doing things. Traditionally, roles at assembly plants have been distinct. The operations team ran and maintained the production equipment. The IT team was responsible for the security of the corporate network.
“That’s one reason why cybersecurity in assembly plants is so hard,” says Eddie Chang, vice president of cyber risk management at The Travelers Companies Inc. “Once the manufacturing floor becomes more integrated with the internet, roles become less defined. Companies need to think ahead and determine what the lines of responsibility are. Ultimately, it should be a team approach.”
Bindu Sundaresan, director of AT&T Cybersecurity, agrees. “Manufacturers today are taking a risk-based approach to cybersecurity,” she says. “It’s no longer just the responsibility of the IT department.
“Manufacturers are realizing that an attack on the operations technology infrastructure can have broad implications for the business, so they’re looking more at network assets, such as workstation servers, HMIs and PLCs.”
Many larger companies have an information security operations center—a dedicated site where enterprise information systems (websites, applications, databases, data centers and servers, networks, desktops and other endpoints) are monitored, assessed and defended.
However, as with other types of skilled labor, manufacturers are having difficulty finding qualified help. According to a 2020 survey by the Information Systems Audit and Control Association, 69 percent of companies said that their cybersecurity teams are understaffed, 58 percent have unfilled cybersecurity positions, and 32 percent said they spend six months to fill cybersecurity jobs.
“Most assembly plants do not have any expertise to address operations technology security, so they just delegate responsibility for cybersecurity to their automation vendors,” says Milazzo. “But, is that a good policy?”
With everyone on the same page, the next step is to conduct a baseline assessment of cybersecurity at the facility. The assessment should cover both information security and operational security.
“Information security is about identifying and protecting your information, whatever that may be,” says Jeff Williams, program manager for cybersecurity at the Michigan Manufacturing Technology Center, the Manufacturing Extension Partnership (MEP) affiliate for Michigan. “What information do I have? Why is it important? What should I be doing with it? What would happen to my business if something happened to it? Does everybody who touches that information really need to touch that information? Or, am I sharing too much information on the shop floor, when they really only need a small portion of it to produce my widget?
“Operational security deals with basic business operations. If this critical CNC machine failed, what would it do to my overall business? Can I restore that machine to a position where I can continue working? Do I know what to do or whom to contact? If a computer is running my equipment, do I have a way to easily recover and restore it?”
Such assessments are often eye-opening experiences for managers. Williams recalls asking one manager to inventory all the computers on his shop floor. Upon completing the task, the manager realized that three-quarters of the computers in his factory were running outdated operating systems.
Equipment with proprietary controllers or software is another red flag, warns Williams. “One of our customers had a proprietary machine that failed,” he remembers. “The company did not have recovery software to restore the controller, and the manufacturer of the machine was out of business. Eventually, the company was able to track down the software, but by then, the machine had been down for more than a month. Once the company had the software, the machine was up and running again in 30 minutes. If the company had the software in advance, it could have saved a lot of downtime.”
Just as engineers create value-stream maps to implement lean manufacturing, managers should create data-stream maps to enhance cybersecurity.
“Start with the data flow,” says Sundaresan. “And what types of data are you tracking? What data is coming in? What data is going out? Where are the interfaces?”
As assemblers take advantage of the Industrial Internet of Things, engineers must make wise decisions about the technology. “Before you run out to BestBuy and pick up some internet-enabled device, think about the overall impact that device could have on your operation,” warns Williams. “Will you be able to maintain the device in the long term? Is it from a trusted brand or a company that will be out of business in six months? Can it be updated easily? Will you be able to tell if the device has been compromised?”
Fortunately, a variety of resources are available to help manufacturers navigate the brave new world of IIoT.
The first thing managers should do is verify that their plants comply with national and international cybersecurity standards and regulations, says Milazzo. These include the cybersecurity framework from the National Institute of Standards and Technology (NIST), the cyberthreat intelligence recommendations from the National Intelligence Strategy, and the ISA/99 IEC 62443 standard for industrial network cybersecurity from the International Society of Automation.
Adherence to such standards is not only useful but mandatory for assemblers that want defense contracting business.
NIST also offers standards and guidance for both manufacturers and consumers of IoT devices. Last summer, the agency published Core Cybersecurity Feature Baseline for Securable IoT Devices, and in January, it released Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline.
“This ‘Core Baseline’ guide offers some recommendations for what an IoT device should do and what security features it should possess,” says Mike Fagan, a NIST computer scientist and one of the guide’s authors. “It is aimed at a technical audience, but we hope to help consumers as well as manufacturers.”
State MEP centers can offer invaluable help to manufacturers, as can internet service providers (ISPs), like AT&T. ISPs can provide risk-based assessments, IT and OT scanning, and other services to enhance cybersecurity.
“A lot of manufacturers don’t know their baseline level of internet traffic,” says Sundaresan. “But, if you know what normal looks like, you will be able to spot anomalous traffic.”
Software can help, too. Among other things, cybersecurity software can keep track of assets and software versions; detect anomalies in internet traffic; secure and segment factory networks; and provide access control and endpoint protection.
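To make "know what normal looks like" concrete, here is an added example (not from the article or from any vendor it mentions) that learns a baseline of conversations on a plant network and flags both never-before-seen flows and unusual volume on known ones. The flow-record layout, the addresses, the Modbus/TCP port 502 and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def constructed_baseline():
    """Constructed learning window: one hour of per-minute flow records.
    Tuple layout (src, dst, dst_port, bytes) and all addresses are assumptions."""
    flows = []
    for minute in range(60):
        flows.append(("10.0.10.5", "10.0.20.11", 502, 1200 + (minute % 5) * 10))  # HMI -> PLC
        flows.append(("10.0.10.8", "10.0.20.11", 502, 400 + (minute % 3) * 5))    # historian -> PLC
    return flows

def learn_baseline(flows):
    """Summarise normal traffic as mean and spread of bytes per (src, dst, port)."""
    volumes = defaultdict(list)
    for src, dst, port, nbytes in flows:
        volumes[(src, dst, port)].append(nbytes)
    baseline = {}
    for key, sizes in volumes.items():
        avg = mean(sizes)
        # Floor the spread at 5% of the mean so very steady flows do not alert on jitter.
        baseline[key] = (avg, max(pstdev(sizes), 0.05 * avg))
    return baseline

def find_anomalies(baseline, observed, k=4.0):
    """Return (reason, flow) for conversations never seen before or far above normal volume."""
    alerts = []
    for flow in observed:
        src, dst, port, nbytes = flow
        stats = baseline.get((src, dst, port))
        if stats is None:
            alerts.append(("new-flow", flow))
        elif nbytes > stats[0] + k * stats[1]:
            alerts.append(("volume", flow))
    return alerts

# Constructed observation window.
OBSERVED = [
    ("10.0.10.5", "10.0.20.11", 502, 1235),     # routine HMI poll
    ("10.0.10.8", "10.0.20.11", 502, 410),      # routine historian read
    ("10.0.10.5", "10.0.20.11", 502, 250000),   # known pair, abnormal volume
    ("10.0.20.11", "203.0.113.50", 443, 5200),  # PLC reaching an outside address
    ("10.0.30.77", "10.0.20.11", 502, 900),     # unknown host talking to the PLC
]

if __name__ == "__main__":
    for reason, flow in find_anomalies(learn_baseline(constructed_baseline()), OBSERVED):
        print(reason, flow)
```

Controller traffic tends to be repetitive, so on an OT segment the "new-flow" rule usually carries more signal than the volume rule.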
While it’s important to have up-to-date computers, controllers and software, assemblers also need to address the human factor. “One of the biggest plant vulnerabilities is the people,” says Milazzo. “To address that, managers need to set up training courses on cybersecurity standards and conduct phishing tests and other games that target employees’ awareness of cybersecurity.”
Plan for the Worst
Hopefully, your assembly plant will never be the victim of a cyberattack. But, in manufacturing, as in life, engineers should hope for the best and prepare for the worst. Manufacturers can take steps to mitigate the effects of a cyberattack.
The most important is to have a recovery plan in place. “It’s definitely better to be prepared for an attack than to be in reactive mode. You don’t want to be scrambling to figure out what to do next,” says Sundaresan. “You should have an incident response plan, and you should test that plan against potential threats from both the IT side and the OT side.
“The quicker you’re able to respond to a breach, the more you’ll be able to limit its impact and get your operation up and running again.”
Backing up critical data is another easy and obvious recovery measure—if it’s done right. Williams recalls helping a manufacturer that had been a victim of a ransomware attack. The attack, while burdensome, should not have been disastrous, because the company was regularly backing up its data. However, when the company tried to restore the lost data, it discovered that the backup system had not been working properly.
“The company never validated the data it was backing up,” he says. “That’s particularly important today, with so many people working from home.”
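One way to validate a backup, shown as an added example that is not from the article or from the manufacturer in the anecdote: record a hash manifest when the backup is taken, then run a test restore and compare every file against it. The directory layout and file names in the demo are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash in chunks so large controller images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(source_dir):
    """At backup time, record size and SHA-256 for every file under source_dir."""
    return {p.relative_to(source_dir).as_posix(): (p.stat().st_size, sha256_file(p))
            for p in sorted(Path(source_dir).rglob("*")) if p.is_file()}

def verify_restore(manifest, restored_dir):
    """Check a test restore against the manifest; list what is missing or corrupt."""
    restored_dir = Path(restored_dir)
    report = {"missing": [], "corrupt": [], "unexpected": []}
    for rel, (size, digest) in manifest.items():
        candidate = restored_dir / rel
        if not candidate.is_file():
            report["missing"].append(rel)
        elif candidate.stat().st_size != size or sha256_file(candidate) != digest:
            report["corrupt"].append(rel)
    for p in sorted(restored_dir.rglob("*")):
        rel = p.relative_to(restored_dir).as_posix()
        if p.is_file() and rel not in manifest:
            report["unexpected"].append(rel)
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report

def demo():
    """Constructed case: the backup job ran, but one file is empty and one is absent."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        (live / "cnc").mkdir(parents=True)
        (live / "cnc" / "controller.img").write_bytes(b"\x7fIMG" + bytes(4096))
        (live / "recipes.csv").write_text("part,torque\nA1,12\n")
        (live / "hmi.cfg").write_text("screen=main\n")
        manifest = build_manifest(live)
        shutil.copytree(live, restored)
        (restored / "cnc" / "controller.img").write_bytes(b"")  # zero-byte copy
        (restored / "recipes.csv").unlink()                     # never written
        return verify_restore(manifest, restored)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere other than the backup target itself, so that a failure or an attack that damages the backups does not also damage the record used to check them.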
While ensuring cybersecurity will require some capital investment, the outlays may not be as bad as managers fear. And, they typically cost less than a cyberattack.
“Investments in IT and OT infrastructure can quickly pay for themselves just in terms of improvements to the overall business process,” says Williams. “And, once managers identify where their critical needs are, they can start budgeting for those investments over time.”
Of course, even the best security can be breached. To cover that eventuality, manufacturers can invest in insurance against cyberattacks. “Cyber insurance covers things like data breaches and business interruption losses,” says Chang.