Hacked without knowing it
It is hard not to be afraid, maybe very afraid. Recent news articles and security analyst reports have listed the types of attacks and illicit information gathering directed against manufacturing companies, and they are not what you may expect. Much of the current press announcements are about stealing credit card information, social media account passwords, and social security numbers, but cyber-criminals are after something much more valuable in manufacturing companies—their intellectual property (IP). While national security agencies are pushing companies to harden critical infrastructure against disruptions from cyber terrorists, there is less attention given to protecting the intellectual property that manufacturing companies have spent millions of dollars to develop.
Advanced persistent threat
Companies compromised by directed attacks, usually called advanced persistent threats (APTs), have included those in the aerospace, energy, transportation, pharmaceutical, biotechnology, engineering services, high-tech electronics, chemicals, food and agriculture, and metals industries. Information stolen has included product development data, test results, system designs, product manuals, parts lists, simulation technologies, manufacturing procedures, descriptions of proprietary processes, standard operating procedures, and waste management processes. This is information that can be used to replicate production facilities. Many companies think this information has little value outside their company, but if they have global competition and the competition can replicate products and processes at a fraction of the cost, there will be damages.
Most of your competitors will not resort to using illicitly acquired information, but if your competition is based in a country with limited intellectual property rights, or even in a country actively stealing manufacturing IP, then you are at risk. If you are at risk, you may have already been hacked and not even know it. Intellectual property theft is done in a stealth mode. There is a saying among cyber security experts that there are only two types of companies: those that have been hacked, and those that don’t yet know they have been hacked.
Once an APT has established access, the thief will periodically revisit the victim’s network over several months or years and steal technology blueprints, proprietary manufacturing processes, recipes, SOPs, and test results. APTs have been known to maintain access for several years and steal gigabytes of data before they were eventually detected.
If you don’t want an unscrupulous competitor to use your SOPs, production processes, product definitions, and recipes, then it is up to you to ensure that your IT department is protecting your manufacturing IP. The IT department is probably already protecting its financial and personnel records, but it may not realize the value of your manufacturing IP.
With physical security, a company can reduce your risk by operating in safe neighborhoods, alarming all of your windows and doors, and hiring security guards. Unfortunately, with cyber security there are no safe neighborhoods. The Internet has put cyber-criminals only one click away from your doorstep, so we are all in the same electronic neighborhood. There is no equivalent for the neighborhood beat cop who looks for suspicious behavior and checks that doors and windows are closed and locked. In the electronic neighborhood you have to protect yourself. This means that companies need to install firewalls for protection to the outside, and firewalls and account protections within the corporate network. Interior firewalls provide the same level of protection as locked interior doors and filing cabinets inside locked buildings. You don’t want to make a cyber-criminals’ jobs easier by giving them unrestricted access once they are inside the corporate network. Don’t believe that a single firewall will protect all of the internal systems; install firewalls and security access between business systems and manufacturing systems.
With physical security, windows and doors are the ways in and out. With cyber security, the ways in and out can be different. Many attacks are introduced through infected USB drives and email, but report back through Internet communications. IT departments should have procedures in place to monitor all outbound Internet traffic for suspicious and atypical behavior. For example, there may be a burst of communications to overseas servers from a manufacturing server at the same time every day, or a set of port scans coming from a server that should be running only document management services. These are indications of a compromised system. Maybe you cannot always keep the bad guys out, but you can recognize when you have been hacked and you can keep them from phoning home.
With physical security, companies can employ security services to monitor alarms and provide guards to look for suspicious activity. If your manufacturing IP has value and would put you at a corporate disadvantage if stolen, then you need to employ active measures to maintain security. These can be accomplished through port scans, checks of actual installed vs. approved programs and libraries, checks of actual vs. approved accounts, and checks of actual vs. approved scheduled tasks. These checks need to be scheduled so they don’t disrupt production systems. Fortunately, someone stealing intellectual property does not want you to shut down production. The thief wants to get your information without you knowing, so many thefts are not from production systems but from the secondary support system, such as document servers, design systems, and backup systems. This means the IT department can usually be very aggressive in checking support systems without impacting production systems.
Making your own safe neighborhood, locking and protecting your assets, and employing active measures to check for security breaches are the main tools for protecting your manufacturing intellectual property. There are bad guys out there, and they want to break in. You should work with your IT department to make sure you can keep the bad guys away from your manufacturing IP.
– Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Contact him at email@example.com. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering and Plant Engineering, firstname.lastname@example.org.
This posted version contains more information than the print / digital edition issue of Control Engineering.
At www.controleng.com, search cyber security for more on related topics.
See other articles for 2013 at www.controleng.com/archive.