Plant Security Should Not Be a Planning Afterthought

Back in the day — you know, a couple years ago — people talked up the benefits of end-to-end shop-floor visibility and how smoothly the supply chain could work if engineering, manufacturing, and throughput data were instantly and always available to connected, trusted partners.

However, I don't remember much being said about the inherent security risks involved or how a company could sufficiently manage this exchange of information while protecting its brand, intellectual property, and other trade secrets.

Since most supply chain discussions come full circle one way or another, the topic recently landed again on my radar screen in the form of an IDC Manufacturing Insights newsletter. “Taking Plant Floor Security Seriously” was the lead story, with Pierfrancesco Manenti and Lorenzo Veronesi noting that manufacturers are increasingly concerned about a potential rise in cybercrime and disruptive terrorist threats. The growing popularity of online product sales and stepped-up business application mobility have drummed up renewed interest in the subject.

“Businesses now need to employ a much more focused approach to risk management and increased attention to information security to safeguard their online assets,” the authors wrote. To which I say, “Only now are manufacturers thinking about this stuff? C’mon, really?”

Admittedly, although I haven't heard of many plant-level security breaches in recent years, I'm sure they happen more often than we think, with only the most serious infringements publicized. Who wants that kind of information leaked to the media? But, since high-tech headlines occasionally float back to IP infringement cases and counterfeit products entering the market, I have to think there are at least a few holes in manufacturing's protective walls.

The newsletter summary talks about this gap, and it's disturbing what the authors' research has uncovered (the full report can be purchased here). Based on the results of a global survey (the exact details of who participated in the survey and how many respondents were polled were not included in the summary), IDC found:

    Almost half of the respondents, a shockingly high figure, don't even know how many security events have occurred in the past 12 months. Nor do they know the nature of those events — whether they are through applications, network devices, or smartphones. They also don't know the probable source of the breach — employees, suppliers, customers, or hackers.

Some of the problems, according to IDC, seem to stem from inadequate budgets. While fewer than 60 percent of respondents believe that “the budget and commitment are in place to address security requirements,” more than 18 percent of respondents said they “were prepared to accept that some vulnerable areas will simply not be protected because of cost-saving measures.” The authors further noted:

    This lack of awareness and measurement is even more frightening when manufacturers look at emerging security threats on the plant floor. Plant floor security is only discussed regularly in very few industries — like utilities, energy, or transportation — which are considered 'critical infrastructure' by governments. But for the majority of the manufacturing sector, security on the plant floor has been largely neglected so far.

Some unsettling news has forced the industry to take another look, IDC states. In March, for instance, the Security Incidents Organization (also known as the Repository of Industrial Security) stated 60 incidents occurred globally on plant floors between 1999 and 2010, many of which involved lost production time, destruction of property, environmental, health, and safety issues, and even fatalities.

According to the Security Incidents Organization and IDC, the emergence of the widely reported Stuxnet — a piece of malware able to reprogram programmable logic controllers (PLCs) and disrupt critical industrial processes — represents a significant wake-up call for industrial awareness and plant floor security management. Apparently, Stuxnet was introduced in a nuclear plant in Iran via a common USB drive.

Additionally, IDC's analysts point out that the growing interconnectivity of manufacturing technology increases security risks. Today's plant floor technologies, such as manufacturing execution systems, supervisory control and data acquisition, PLCs, and distributed control systems, are frequently designed on open architectures, which are at greater risk of security breaches.

On the positive side, more than half of manufacturers IDC surveyed said they have already changed the priority assigned to their security efforts, or are planning to change it over the next 12 months. They said they expect to see a shift in security investments from back-office IT security to manufacturing IT security. Also, the importance and visibility of security threats on the plant floor have taken a higher position on the corporate agenda, with more than 70 percent of respondents stating that their chief information security officers are responsible for plant floor security.

So tell me, without crossing the line, what security risks lurk on the high-tech manufacturing floor? Generally, what are supply chain, manufacturing, and IT executives doing about it? What kinds of security assessment, monitoring tools, or best practices can help companies address trouble spots?

9 comments on “Plant Security Should Not Be a Planning Afterthought”

  1. AnalyzeThis
    April 27, 2011

    I'm not really sure how much detail I should go into here, but there are indeed numerous risks with manufacturing floor security in the high-tech sector. Really, this should be obvious by the amount of counterfeit/leaked product that even the mainstream audience finds out about.

    Outsourcing is part of the problem, of course… there are many benefits to outsourcing, but “increased security” is nearly never one of them. It's very hard to keep tabs on the floor when it's a long plane flight away, and obviously security “standards” can vary wildly depending on what part of the world you are in.

    Now as far as solving these problems, there are a wide variety of strategies, tactics, and technology that can be utilized. But no matter what approach you are taking, I think your article is a very wise reminder to be more mindful of your security priorities.

  2. Ms. Daisy
    April 27, 2011


    Your conclusion of “Businesses now need to employ a much more focused approach to risk management and increased attention to information security to safeguard their online assets,” the authors wrote. To which I say, “Only now are manufacturers thinking about this stuff? C’mon, really?” brings home the seriousness of the need to include risk management in planning of manufacturing plants.

    Risk Management is often not considered as part of the planning process in startups of many organizations, which is unfortunate with all the online attacks. Focus is often on good product design, marketing, etc. by the planners. What needs to be part of the planning process is a structured identification, assessment, and prioritization of uncertainties (positive or negative) both in the internal and external environments, followed by coordinated application of resources to minimize and control the probability and/or impact of identified or probable risks. This is an essential part of the planning that is often neglected.



  3. Jennifer Baljko
    April 28, 2011

    DennisQ and Ms. Daisy – Thanks for pointing out where some trouble spots lie. Not planning early on and not being able to manage security across internal and outsourced operations definitely raise flags in my mind, too.

    This begs other questions as well: Why is plant security not a big part of the initial planning process or an important decision factor in the outsourcing supplier selection process? Are the gaps directly related to inadequately allocated budgets and resources, as IDC suggests? Or is it more of an “it won't happen to us” or “we'll deal with it when we have to” attitude that pushes plant security further down the corporate priority scale?


  4. prabhakar_deosthali
    April 28, 2011

    Most of the established manufacturing setups have very good physical plant security – 24-hour security personnel, material gate pass procedures, closed-circuit cameras on the shop floor and so on. The top management understands this very well and normally this physical security is directly reporting to the top management. This means that the plant security is of great concern to the top management. But the only thing is that the same top management has somehow not come to terms with the fact that information and data security is as important as the physical security of material and documents in a plant. It is the responsibility of the CIOs to bring the seriousness of this aspect of security to the top management and convince them to allocate sufficient budget to implement the necessary information security systems.

  5. Jennifer Baljko
    April 28, 2011

    Well said, prabhakar_deosthali… seems like in today's hyperconnected, always-on world information and data security trumps – or at least should equal – physical plant security. Doesn't make any sense to put up barbed wire fence if the data can relatively easily slip through on a USB jump drive.

  6. Barbara Jorgensen
    April 28, 2011

    There was a story in the WSJ a couple of weeks ago that reported a memory module assembly business was robbed at gunpoint by five armed robbers. Gunpoint. They got away with $26 million in memory devices before they were apprehended. This type of thing used to take place fairly frequently in the early to mid 1990s. Trucks from distribution companies were routinely hijacked. There was a lot of attention paid to physical security then, and it is possible it has become more lax. I think the focus is on IT security–and that is a very real risk–but less on the physical security of the goods themselves. It's a tough call to make when resources are limited–which do you invest in?

  7. Jay_Bond
    April 28, 2011

    It would seem like most of the security focus is on either intellectual property or other products easily counterfeited. It's amazing to find out that some people polled have no idea of what has gone on at their companies or about any preventative measures. I do know from a chemical company standpoint, the largest concern is proprietary information. With new government standards in place, it is very hard to physically take property from these sites. I feel that any company that has information that is valuable should always consider their security needs both physical and proprietary.

  8. Taimoor Zubar
    April 28, 2011

    I think physical security of inventory is given much more importance as compared to IT security, which is a considerably recent phenomenon. Physical security of goods and equipment has been a fundamental part of plant management. I believe a lot of hardware resources (cameras, security locks etc) and human resources (security guards etc) are already deployed on plants. If there are not adequate resources deployed, it's the management's negligence. However, I don't think they are not aware of the risks and impact of inadequate physical security.

  9. Ms. Daisy
    April 30, 2011


    How true it is that we have turned our attention from physical security to cyber security mainly. This post surely exposes the danger of not paying attention to all potential risks.
