Note: I wrote this article for the June 2013 IMTS Insider.
When you live in the Washington, DC, area, cyber security and
security in general are simply a part of your daily life. This is true
whether or not you are in the computer industry or a different industry
altogether. As manufacturing continues to embrace complete supply chain
integration, cradle to grave digital thread tracking of parts, open and
royalty-free standards such as MTConnect, as well as networking across
the board, the importance of cyber security in manufacturing will
continue to grow. This article will be the first in a series of
articles on the topic of cyber security.
At one end of the cyber security spectrum would be basic password
security practices, and at the other end would be protecting a plant
against a state-of-the-art nation-state attack on a manufacturer’s
infrastructure. Most individuals have heard of the most famous cyber
security event in manufacturing: Stuxnet. Stuxnet was a computer worm
that targeted Siemens PLCs with the goal of changing the frequency of
drives, while remaining undetected, to cause production issues with
industrial equipment such as centrifuges. Iran’s nuclear program was
believed to be a primary target. This series of articles is not
designed to go into the level of detail needed to properly discuss how
to protect a company against a Stuxnet-class piece of software.
Instead, these articles will address the more common security practices
that can help all companies in manufacturing, as well as companies in
non-manufacturing industries.
The way to think about security is first from the absolute highest
level and then work your way down from there. The highest levels of
security have to do with the nature of information in general, such as
data at rest and data in flight. Data at rest is information that is
sitting on disk drives and should be encrypted. Data in flight refers
to information that is being moved from one location to another and
should also be encrypted. Encryption means that the information is
“scrambled” and is not readable without the appropriate key. The size
of these keys and the encryption algorithm are just a couple of the
decisions that must be made. Individuals earn Ph.D.s researching these
topics alone. The National Security Agency has acres of computers that
are tasked with decrypting information as part of its Signals
Intelligence (SIGINT) mission. The other key NSA mission is information
assurance. We will discuss information assurance in future articles.
Does your company have a CSO – Chief Security Officer? If the
company is a large, world-class manufacturer, it had better have a CSO.
If not, does your manufacturing plant undergo cyber security audits?
Who in your company is responsible for cyber security? Being
disconnected from the Internet is likely not a viable option. Some
companies use a demilitarized zone (DMZ) as a security perimeter. A DMZ
is a network that is fenced off from a company’s network and acts as
another security layer between the Internet and a company’s network.
If your company does have a CSO, then that person would be very aware
of the resources that are available, such as the U.S. Department of
Homeland Security’s National Cyber Security Division (NCSD). NCSD
operates the Control System Security Program. As stated on the homepage
of the Industrial Control Systems Cyber Emergency Response Team
(ICS-CERT), its mission is to
“reduce risks within and across all critical infrastructure sectors by
partnering with law enforcement agencies and the intelligence community
and coordinating efforts among federal, state, local, and tribal
governments and control systems owners, operators, and vendors.
Additionally, ICS-CERT collaborates with international and private
sector Computer Emergency Response Teams (CERTs) to share control
systems-related security incidents and mitigation measures.”
In the computer industry, the Computer Emergency Response Team
Coordination Center at Carnegie Mellon University’s Software Engineering
Institute is often where the first warnings of computer malware,
viruses and worms are made known. These warnings and suggested
remediation procedures are sometimes called “CERTS” for short.
Security experts carefully monitor the CERTS that come out to make sure
they are being proactive in their cyber security measures.
Cyber security is a world unto itself, and the goal of these articles
is to explain these technical concepts in layman’s terms to help readers
better understand, appreciate, and hopefully act upon them.
NOTE: If there are
specific areas of security that you would like me to address, then
please comment on my blog here and I would be happy to incorporate them in a future article.
Sunday, June 16, 2013