Hacked without knowing it

Engineering and IT Insight: Cyber-criminals are stealing manufacturing companies’ intellectual property (IP). Is your lack of cyber security hardware, software, and best practices giving away millions of dollars of IP to unknown competitors without your knowledge?

05/21/2013


It is hard not to be afraid, maybe very afraid. Recent news articles and security analyst reports have listed the types of attacks and illicit information gathering directed against manufacturing companies, and they are not what you may expect. Many of the current press announcements are about stealing credit card information, social media account passwords, and social security numbers, but cyber-criminals are after something much more valuable in manufacturing companies—their intellectual property (IP). While national security agencies are pushing companies to harden critical infrastructure against disruptions from cyber terrorists, there is less attention given to protecting the intellectual property that manufacturing companies have spent millions of dollars to develop.

Advanced persistent threat

Companies compromised by directed attacks, usually called advanced persistent threats (APTs), have included those in the aerospace, energy, transportation, pharmaceutical, biotechnology, engineering services, high-tech electronics, chemicals, food and agriculture, and metals industries. Information stolen has included product development data, test results, system designs, product manuals, parts lists, simulation technologies, manufacturing procedures, descriptions of proprietary processes, standard operating procedures, and waste management processes. This is information that can be used to replicate production facilities. Many companies think this information has little value outside their company, but if they have global competition and the competition can replicate products and processes at a fraction of the cost, there will be damages.

Most of your competitors will not resort to using illicitly acquired information, but if your competition is based in a country with limited intellectual property rights, or even in a country actively stealing manufacturing IP, then you are at risk. If you are at risk, you may have already been hacked and not even know it. Intellectual property theft is done in a stealth mode. There is a saying among cyber security experts that there are only two types of companies: those that have been hacked, and those that don’t yet know they have been hacked.

Once an APT has established access, the thief will periodically revisit the victim’s network over several months or years and steal technology blueprints, proprietary manufacturing processes, recipes, SOPs, and test results. APTs have been known to maintain access for several years and steal gigabytes of data before they were eventually detected.

If you don’t want an unscrupulous competitor to use your SOPs, production processes, product definitions, and recipes, then it is up to you to ensure that your IT department is protecting your manufacturing IP. The IT department is probably already protecting its financial and personnel records, but it may not realize the value of your manufacturing IP.

With physical security, you can reduce your risk by operating in safe neighborhoods, alarming all of your windows and doors, and hiring security guards. Unfortunately, with cyber security there are no safe neighborhoods. The Internet has put cyber-criminals only one click away from your doorstep, so we are all in the same electronic neighborhood. There is no equivalent for the neighborhood beat cop who looks for suspicious behavior and checks that doors and windows are closed and locked. In the electronic neighborhood you have to protect yourself. This means that companies need to install firewalls for protection to the outside, and firewalls and account protections within the corporate network. Interior firewalls provide the same level of protection as locked interior doors and filing cabinets inside locked buildings. You don’t want to make cyber-criminals’ jobs easier by giving them unrestricted access once they are inside the corporate network. Don’t believe that a single firewall will protect all of the internal systems; install firewalls and security access between business systems and manufacturing systems.

Access points

With physical security, windows and doors are the ways in and out. With cyber security, the ways in and out can be different. Many attacks are introduced through infected USB drives and email, but report back through Internet communications. IT departments should have procedures in place to monitor all outbound Internet traffic for suspicious and atypical behavior. For example, there may be a burst of communications to overseas servers from a manufacturing server at the same time every day, or a set of port scans coming from a server that should be running only document management services. These are indications of a compromised system. Maybe you cannot always keep the bad guys out, but you can recognize when you have been hacked and you can keep them from phoning home.
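The two indicators named above, sketched as detection logic over outbound flow records. This is an added example, not part of the original article; the host names, addresses, record layout, and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate address space

def sample_flows():
    """Constructed records: (timestamp, src_host, dst_ip, dst_port, bytes_out)."""
    flows = []
    for day in range(1, 6):
        # Manufacturing server sending a large burst at 02:15 every day.
        flows.append((datetime(2013, 5, day, 2, 15), "mfg-srv01", "203.0.113.50", 443, 40_000_000))
        # Ordinary traffic: small, and at a different hour each day.
        flows.append((datetime(2013, 5, day, 9 + day, 0), "hmi-02", "198.51.100.7", 443, 20_000))
    for port in range(20, 60):
        # Document server probing many ports on one internal host.
        flows.append((datetime(2013, 5, 3, 14, 0, port), "docs-srv01", "10.0.5.12", port, 60))
    return flows

def daily_recurring_bursts(flows, min_days=3, min_bytes=1_000_000):
    """Flag (src, external dst, hour) seen with a large transfer on several days."""
    per_day = defaultdict(lambda: defaultdict(int))  # key -> date -> bytes
    for ts, src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(dst) not in INTERNAL:
            # Hour buckets are coarse: a burst straddling the hour splits in two.
            per_day[(src, dst, ts.hour)][ts.date()] += nbytes
    hits = []
    for key, days in per_day.items():
        big_days = [d for d, total in days.items() if total >= min_bytes]
        if len(big_days) >= min_days:
            hits.append(key)
    return sorted(hits)

def port_scan_sources(flows, min_ports=20):
    """Flag sources that touched many distinct ports on a single destination."""
    ports = defaultdict(set)  # (src, dst) -> distinct destination ports
    for _ts, src, dst, port, _nbytes in flows:
        ports[(src, dst)].add(port)
    return sorted({src for (src, _dst), seen in ports.items() if len(seen) >= min_ports})

if __name__ == "__main__":
    flows = sample_flows()
    print("recurring bursts:", daily_recurring_bursts(flows))
    print("scan sources:", port_scan_sources(flows))
```
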

With physical security, companies can employ security services to monitor alarms and provide guards to look for suspicious activity. If your manufacturing IP has value and would put you at a corporate disadvantage if stolen, then you need to employ active measures to maintain security. These can be accomplished through port scans, checks of actual installed vs. approved programs and libraries, checks of actual vs. approved accounts, and checks of actual vs. approved scheduled tasks. These checks need to be scheduled so they don’t disrupt production systems. Fortunately, someone stealing intellectual property does not want you to shut down production. The thief wants to get your information without you knowing, so many thefts are not from production systems but from secondary support systems, such as document servers, design systems, and backup systems. This means the IT department can usually be very aggressive in checking support systems without impacting production systems.
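One way to run the actual-vs-approved checks on a support server, assuming each inventory has already been collected as name-to-fingerprint pairs (a file hash for programs, a group for accounts, a command line for scheduled tasks). This is an added example, not from the original article; every name and value in it is constructed.

```python
import hashlib

def fp(content: bytes) -> str:
    """Fingerprint a program by its SHA-256 so a swapped binary with an approved name is caught."""
    return hashlib.sha256(content).hexdigest()

# Constructed approved baseline for a document server.
APPROVED = {
    "programs": {"docmgr.exe": fp(b"docmgr v4.2"), "backup-agent.exe": fp(b"agent v1.0")},
    "accounts": {"svc_docmgr": "service", "jsmith": "users"},
    "tasks": {"nightly-backup": "backup-agent.exe --full"},
}

# Constructed inventory as found on the server during the scheduled check.
ACTUAL = {
    "programs": {"docmgr.exe": fp(b"docmgr v4.2"),
                 "backup-agent.exe": fp(b"agent v1.0 patched"),
                 "nettool.exe": fp(b"unknown binary")},
    "accounts": {"svc_docmgr": "service", "jsmith": "administrators",
                 "support2": "administrators"},
    "tasks": {"nightly-backup": "backup-agent.exe --full",
              "sync-0215": "nettool.exe --upload"},
}

def audit(approved, actual):
    """Return (category, name, finding) for every deviation from the baseline."""
    findings = []
    for category in sorted(approved.keys() | actual.keys()):
        want, have = approved.get(category, {}), actual.get(category, {})
        for name in sorted(have.keys() - want.keys()):
            findings.append((category, name, "unapproved"))
        for name in sorted(want.keys() - have.keys()):
            findings.append((category, name, "missing"))
        for name in sorted(want.keys() & have.keys()):
            # Same name, different fingerprint: replaced binary, changed
            # group membership, or an edited task command line.
            if want[name] != have[name]:
                findings.append((category, name, "changed"))
    return findings

if __name__ == "__main__":
    for finding in audit(APPROVED, ACTUAL):
        print(*finding)
```
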

Making your own safe neighborhood, locking and protecting your assets, and employing active measures to check for security breaches are the main tools for protecting your manufacturing intellectual property. There are bad guys out there, and they want to break in. You should work with your IT department to make sure you can keep the bad guys away from your manufacturing IP.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Contact him at dbrandl@brlconsulting.com. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering and Plant Engineering, mhoske@cfemedia.com.

ONLINE extra

This posted version contains more information than the print / digital edition issue of Control Engineering.

At www.controleng.com, search cyber security for more on related topics.

See other articles for 2013 at www.controleng.com/archive.
