In February, President Obama unveiled his proposal for the Cybersecurity National Action Plan (CNAP), which seeks to address the wide variety of cyber threats facing the national government, in addition to the country’s private sector and civilian population. The U.S., and a number of its allies, are enduring a growing number of cyberattacks vis-à-vis the manufacturing industry. Today, the factories that produce American medicine, food and automobiles are under attack from hackers hoping to tamper with chemical formulas, steal recipes and potentially shutdown production lines.
Possibly due to the low public profile of these attacks, the manufacturing industry is not directly mentioned in the President’s proposal. However, CNAP does include the potential for collaboration with manufacturers. In kind, the Department of Homeland Security describes critical manufacturing as “crucial to the economic prosperity and continuity of the United States.” The same can be said of pharmaceutical companies that produce our medicine and food factories that create products we all eat.
Should the federal government follow its own wise assessment, securing manufacturing will be a prominent component of CNAP’s ultimate purpose. Moreover, the manufacturing industry is experiencing a critical stage of cyber risk, which should amplify the importance of its security needs to the federal government.
The risk the manufacturing industry is experiencing is brought about by the massive, ongoing transformation of operational technology (OT) systems, also known as ICS/SCADA networks. The Industrial Internet of Things (IIoT) offers benefits to manufacturers and critical systems operators that are nearly impossible to refuse, ushering in what some are calling the fourth industrial revolution.
Undoubtedly, IIoT improves companies’ bottom lines by streamlining output and reducing costs, while also providing network operators with practical benefits, such as remote operation. However, this revolution has almost no system of self-defense. Any connection to the Internet provides access points to attackers worldwide.
To protect themselves while adopting IIoT, smart manufacturers are relying on traditional IT security solutions, which were neither built for nor protect OT systems, creating tremendous opportunities for adversaries. Minimizing the potential danger created by this connectivity should be a major priority for manufacturers and the government alike.
Accordingly, CNAP should seek to No.1) Increase awareness of cyber threats, real-life attacks and industry practices; No. 2) Encourage companies to incorporate industry standards and share best practices; and No. 3) Improve testing practices that assess the strength of industrial cybersecurity networks, which will advance preparedness.
One of the primary reasons that the manufacturing industry is at risk is due to a lack of knowledge and available education. The immediate monetary and practical offering of IIoT technology is clear, and businesses are well equipped to understand the financial and operational implications. However, the IIoT proposition is not as clear for manufacturers, from a cybersecurity standpoint.
Traditionally, OT operators have not had the need to really consider cyber threats when building and maintaining their production lines. Nevertheless, today’s changing reality requires cybersecurity awareness and education that allows security and OT professionals to work together to protect companies and their customers. CNAP could serve as a central point for the entire industry, allowing companies to collectively benefit from sharing information when new attacks method and breaches are discovered.
Improving Industry Standards
The initial CNAP called for the government to “double the number of cybersecurity advisors available to private-sector organizations with in-person, customized security assessments and implementation of best practices.” This strategy makes particular sense in the manufacturing industry, because raising business standards benefits companies and consumers alike.
Just a few weeks ago, Mars chocolate witnessed the impact just a small flaw in an industrial control system can have. A piece of plastic was found inside of a Snickers bar, forcing Mars to recall products costing them tens of millions of dollars, due to a non-malicious alteration. While Mars would certainly like its tens of millions of dollars back, the company is lucky its customers did not choke on, or get sick from, the plastic.
Other cases could be worse — try to picture how catastrophic the fallout would be if, for example, a hacker created a subtler change in the formula of a common medicine and covered their tracks: many lives would be lost. By maintaining a high standard of security against cyberthreats, and using up-to-date defense methods, such as passive monitoring of ICS/SCADA networks to improving IT/OT isolation, companies can go a long way in protecting themselves and their customers, ultimately benefitting the entire country.
Assessing and Protecting Vulnerabilities
Untested security solutions routinely fail. Unfortunately, most manufacturers cannot afford these failures. In some cases, their customers cannot either.
For a company to effectively protect itself it must first understand what its weaknesses and strengths are — any flaws in mission control systems need to be identified and protected. To support this process, CNAP outlines the creation of a National Center for Cybersecurity Resilience, which will serve as a platform for manufacturers and other members of the private sector to test their security solutions in a contained environment. In these environments, manufacturers can create replicas of their industrial networks and simulate attacks against them, to prepare a system of defense against the same strategies that are likely to be levied against them by cybercriminals. As the cyber landscape continues to evolve, these security systems should be evaluated on an ongoing basis.
The continued prosperity of the U.S. economy relies on the ongoing stability and security of its manufacturing sector. In kind, the manufacturing sector stands to yield a great deal of benefits from collaborating with the federal government to build a more resilient cybersecurity position. As more manufacturers connect to the Internet and hackers refine their approach, the lives of American citizens will hang in the balance.
Yoni Shohet is Co-founder and CEO of SCADAfence.