The increasing convergence of Operational Technology (OT) and Information Technology (IT) in modern manufacturing environments enables big gains in productivity, efficiency and innovation.
Until just a few years ago, every plant was a silo unto itself. Now, data from geographically dispersed plants can be easily shared through the cloud; detailed information about production inputs and output yields can be accurately measured across the entire enterprise; automated machine learning models can analyze process efficiency; and a growing number of inexpensive Industrial Internet of Things (IIoT) devices and sensors capture data that previously was limited to Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS).
While the OT-IT convergence presents unprecedented potential for significant returns, it also increases the potential for damaging cyberattacks on systems that used to be isolated and out of harm’s reach. Hacking is an active threat, underscored every time a high-profile incident makes the news.
The impacts can be steep. Manufacturing for the government or critical infrastructure is a prime target for espionage and intellectual property theft. System outages, especially with high-value manufacturing, can impose significant financial consequences.
While controlled shutdowns even for basic maintenance are costly enough, an unexpected outage from a cyberattack can mean painful losses for every production minute lost.
Changing Operations Increase Risk
The entire manufacturing paradigm is in flux. Pursuit of digitization’s benefits encourages many manufacturers to run experimental Proof of Concept (POC) projects around process and sourcing innovations. While not all POCs will pay off, those that are successful are often left in place without the normal inspection that a production-quality solution should have. They can consequently become open targets for cyberattacks.
There is also pressure rooted in the global supply chain crisis of the last two years for manufacturers to move as fast as possible. Up until that point, everyone had been working to very tight just-in-time inventory requirements that kept suppliers highly interdependent.
The crisis laid bare the need for increased security; we have seen first-hand how the disruption of one company that makes a fundamental component can cause serious downstream impacts. And don’t forget, even small companies in the chain can be targeted as a channel for attacks on others in the chain or on the ultimate end customer.
Given the shifting dynamics, there is also understandable economic pressure to consolidate cyber responsibilities under one security team. Realistically, OT and IT professionals have traditionally not understood each other’s domains.
But for security to be effective, that gap must be overcome and the operational realities of both functions factored into one comprehensive cyber strategy.
3 Steps to Tackling the Cyber Journey
As with everything in manufacturing, it is best to take a systematic approach.
Begin with an assessment of currently installed equipment – the vintage, the level of data that can be collected and how it is networked within the factory. Map how and where equipment needs to expand or change. Will IIoT be integrated? If so, define a suitable architecture by evaluating what use cases will have the most impact on stepping up machine performance, or increasing throughput, yield or quality.
Factor cyber in at this stage, blueprinting security, IIoT and networking in a cohesive, holistic fashion. The same applies to POCs that may become integral to a production process.
Stay mindful of equipment changes intended to solve a specific problem in a factory. For instance, a new camera system may be installed to augment human staff in performing visual inspections or counting products at the end of the line. If the camera system is not incorporated into the security schema, it becomes a new point of attack.
Embrace proven standards and best practices. While there are no specific cyber regulations for manufacturers to comply with, the practices government agencies follow and the regulations in the nuclear power sector [such as the North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP)] are well-proven, effective defense measures that manufacturers can leverage as guidance.
The Cybersecurity and Infrastructure Security Agency (CISA) recommends the NIST cybersecurity framework – mapped to five phases: Identify, Protect, Detect, Respond and Recover – to secure critical networked assets. While many organizations rely on software-based firewalls as a main line of defense, firewalls can be breached.
For high-value assets, CISA recommends (and many government and nuclear agencies utilize) hardware-enforced security devices such as data diodes and cross domain solutions that ensure one-way-only data flows. The 62443 series of standards published by the International Society of Automation (ISA) and International Electrotechnical Commission (IEC) also references the value of this unhackable technology.
Because not everything can be moved to a higher level of security at once, adopting hardware-enforced cybersecurity will reduce the attack surface, so the architecture and workflows can be moved in the right direction bit by bit. Doing this in parallel also means that with an event like the spring 2021 Colonial Pipeline attack, hardware-protected workflows can stay open, even if firewalls must temporarily shut down.
Finally, conduct periodic audits. Is risk being created through new equipment, POCs or other processes? Without curtailing innovation, make sure anything new falls within the established cyber policies.
The plant manager should sign off regularly, attesting that there are no known vulnerabilities – cyber or otherwise – created by chance or overlooked. While some companies may conduct such a process annually, it may be prudent to do it more frequently, perhaps semi-annually, given the current pace of change.
Today’s manufacturing fits into an expanding definition of critical infrastructure. We’ve learned that we can no longer take for granted on-demand availability of everything from computer parts to bathroom tissue.
With the growing convergence of OT and IT, it’s more important than ever that manufacturers cyber-secure their facilities and capabilities to keep business moving and goods flowing wherever and whenever they are needed.