Posted By Jeff Moad, May 19, 2017 at 3:11 PM, in Category: Cybersecurity
The one piece of good news coming out of the recent WannaCry ransomware attack, which infected over 200,000 computers worldwide and at least temporarily crippled hospitals, shops, and schools, is that it does not appear to have directly targeted the control systems on which most manufacturing plants and equipment rely. Although the outbreak did reportedly upend some manufacturing operations—including production at Renault automotive plants in the U.K. and France—the exploit apparently targeted vulnerabilities in some unpatched instances of the Microsoft Windows operating system, which is not at the core of most Programmable Logic Control (PLC) systems and Distributed Control Systems (DCS) in production operations at most plants.
Still, you would expect that the global scope of the WannaCry attack and the speed with which it spread would have inspired manufacturing leaders to take a closer look at whether their plants and people are really prepared to repulse or at least recover from the next attack on increasingly connected and vulnerable industrial systems.
In conversations with manufacturing leaders just a few days after the WannaCry attack, however, I noticed an interesting ambivalence. On one hand, these leaders said, they understand and are very concerned by rising cybersecurity risks facing manufacturers, particularly as more production assets become digitally connected.
On the other hand, some manufacturing leaders say, they aren’t quite sure what role operations, production, or engineering executives can or should play when it comes to protecting their organizations from accelerating cyber attacks. What questions should they be asking, and what management best practices should they be putting in place to protect their plants? They just aren’t sure.
This ambivalence has also shown up in recent ML Council research. The Council’s Next-Generation Leadership survey, released last month, showed that, while manufacturers believe their organizations must beef up cybersecurity knowledge and expertise, only 5% of respondents believe cybersecurity is a top leadership challenge related to Manufacturing 4.0 adoption. In other words, cybersecurity is a growing concern, but manufacturing leaders don’t necessarily put it at the top of their own to-do lists.
This is perhaps not surprising. Many manufacturing folks tend to see cybersecurity as primarily a technical issue, one that their company’s information technology organizations should be on top of.
It’s true that the IT function at most companies has plenty of hard-earned experience dealing with escalating cyber threats. But the “it’s IT’s problem” line of thinking overlooks a couple of important realities.
First, the threats posed by cyber attacks on manufacturing/production operations are typically different than those facing the enterprise processes that the IT organization is most often charged with protecting. Bad actors targeting enterprise systems are most often seeking to steal data assets that they turn into cash through scams such as identity theft. But bad actors targeting manufacturing systems are most likely to seek the disruption of production assets. This poses a unique set of risks—from unplanned plant shutdowns to threats to plant and worker safety—that all manufacturing leaders should be involved in understanding and mitigating.
Second, cybersecurity in both the enterprise and manufacturing domains isn’t just a matter of keeping the bad guys out of the network. Although intrusive attacks such as WannaCry get all the press, the fact is that many if not most security lapses come from inside the organization in the form of authorized employees either doing bad things or making mistakes. How do you think the tools that generated the WannaCry attack got out of the NSA in the first place?
That means cybersecurity in manufacturing is as much about change management, training, and culture change as it is about putting the right firewalls, encryption, authentication, and patch management in place. Therefore, particularly as companies transition to the digitized, connected M 4.0 era, manufacturing leaders will have a big role to play in protecting their organizations and operations from cyber threats.
Manufacturing leaders should be involved in the following 5 ways:
- Define a full cyber risk and recovery plan that is aligned with the needs of operations. Renault’s reaction to the WannaCry attack reportedly was to unplug its plants from the corporate network. But what if the attack had reached control systems and production assets? Was there a plan for that? Plans should include compensations for the impact of parts shortages on other plants and the ability to quickly adjust schedules based on real-time demand and supply;
- Drive improved collaboration between manufacturing business units and the IT organization, focusing on the unique requirements and vulnerabilities of manufacturing units;
- Have a fully updated and maintained inventory of production equipment and system configurations, changes, and security already in place. Surprisingly, many manufacturing organizations simply don’t have this today due to an abundance of legacy systems and processes and the fact that many control systems and data historians don’t provide the equivalent of change logs;
- Model proper security behavior and culture from the top down, beginning with policies that keep unauthorized and dangerous devices and applications out of the plant;
- Create processes and metrics for evaluating and measuring cybersecurity performance and maturity and make sure progress on this is moving in the right direction.
Manufacturing leaders do have a cybersecurity role to play, and the sooner they embrace it, the safer their plants and people will be.
Jeff Moad is Research Director and Executive Editor with the Manufacturing Leadership Community. He also directs the Manufacturing Leadership Awards Program.