Back in the day — you know, a couple years ago — people talked up the benefits of end-to-end shop-floor visibility and how smoothly the supply chain could work if engineering, manufacturing, and throughput data were instantly and always available to connected, trusted partners.
However, I don't remember much being said about the inherent security risks involved or how a company could sufficiently manage this exchange of information while protecting its brand, intellectual property, and other trade secrets.
Since most supply chain discussions come full circle one way or another, the topic recently landed again on my radar screen in the form of an IDC Manufacturing Insights newsletter. “Taking Plant Floor Security Seriously” was the lead story, with Pierfrancesco Manenti and Lorenzo Veronesi noting that manufacturers are increasingly concerned about a potential rise in cybercrime and disruptive terrorist threats. The growing popularity of online product sales and stepped-up business application mobility has drummed up renewed interest in the subject.
“Businesses now need to employ a much more focused approach to risk management and increased attention to information security to safeguard their online assets,” the authors wrote. To which I say, “Only now are manufacturers thinking about this stuff? C’mon, really?”
Admittedly, although I haven't heard of many plant-level security breaches in recent years, I'm sure they happen more often than we think, with only the most serious infringements publicized. Who wants that kind of information leaked to the media? But, since high-tech headlines occasionally float back to IP infringement cases and counterfeit products entering the market, I have to think there are at least a few holes in manufacturing's protective walls.
The newsletter summary talks about this gap, and it's disturbing what the authors' research has uncovered (the full report can be purchased here). Based on the results of a global survey (the exact details of who participated in the survey and how many respondents were polled were not included in the summary), IDC found:
- Almost half of the respondents, a shockingly high figure, don't even know how many security events have occurred in the past 12 months. Nor do they know the nature of those events — whether they are through applications, network devices, or smartphones. They also don't know the probable source of the breach — employees, suppliers, customers, or hackers.
Some of the problems, according to IDC, seem to stem from inadequate budgets. While fewer than 60 percent of respondents believe that “the budget and commitment are in place to address security requirements,” more than 18 percent of respondents said they “were prepared to accept that some vulnerable areas will simply not be protected because of cost-saving measures.” The authors further noted:
- This lack of awareness and measurement is even more frightening when manufacturers look at emerging security threats on the plant floor. Plant floor security is only discussed regularly in very few industries — like utilities, energy, or transportation — which are considered 'critical infrastructure' by governments. But for the majority of the manufacturing sector, security on the plant floor has been largely neglected so far.
Some unsettling news has forced the industry to take another look, IDC states. In March, for instance, the Security Incidents Organization (also known as the Repository of Industrial Security) stated 60 incidents occurred globally on plant floors between 1999 and 2010, many of which involved lost production time, destruction of property, environmental, health, and safety issues, and even fatalities.
According to the Security Incidents Organization and IDC, the emergence of the widely reported Stuxnet — a piece of malware able to reprogram programmable logic controllers (PLCs) and disrupt critical industrial processes — represents a significant wake-up call for industrial awareness and plant floor security management. Apparently, Stuxnet was introduced in a nuclear plant in Iran via a common USB drive.
Additionally, IDC's analysts point out that the growing interconnectivity of manufacturing technology increases security risks. Today's plant floor technologies, such as manufacturing execution systems, supervisory control and data acquisition, PLCs, and distributed control systems, are frequently designed on open architectures, which are at greater risk of security breaches.
On the positive side, more than half of the manufacturers IDC surveyed said they have already changed the priority assigned to their security efforts, or are planning to change it over the next 12 months. They said they expect to see a shift in security investments from back-office IT security to manufacturing IT security. Also, the importance and visibility of security threats on the plant floor have taken a higher position on the corporate agenda, with more than 70 percent of respondents stating that their chief information security officers are responsible for plant floor security.
So tell me, without crossing the line, what security risks lurk on the high-tech manufacturing floor? Generally, what are supply chain, manufacturing, and IT executives doing about it? What kinds of security assessment, monitoring tools, or best practices can help companies address trouble spots?