Factories across the world are increasingly switching to internet-connected sensors, monitors and other devices to operate and supervise their manufacturing operations more intensely. But the proliferation of such equipment is posing new cybersecurity risks.
Shop floor devices such as programmable logic controllers, remote terminal units and human-machine interface equipment have been in use for nearly half a century, said Sean Peasley, a partner at Deloitte who specializes in internet of things and cybersecurity.
“The thing that has changed over the last 20 years is internet connectivity, with the devices being connected first to an organization’s internal network and then to the internet,” Peasley said.
The devices typically monitor and gather information on the performance of machines, allowing operators to control a large factory floor or infrastructure spread out over an extended area such as a pipeline network or a utility grid. With the advent of 5G wireless technologies, experts believe that such devices could not only be connected to the internet for monitoring but even remote operations far removed from the shop floor.
Although companies have invested heavily in securing computer networks that handle financial information, customer databases and other systems in an office environment, they have not invested as much in securing shop floor technologies, Peasley said. He cited a Deloitte survey on manufacturing companies from 2016 that showed that nearly one-third of the respondents never conducted a cyber risk vulnerability assessment of their industrial control systems.
Worldwide spending on internet of things — including such devices as smart lightbulbs, thermostats and TVs, but also factory equipment — is expected to increase about 15.4 percent to $745 billion in 2019, according to a January forecast by International Data Corp. The industries that are likely to spend the most on such equipment are manufacturers, transportation companies and utilities, followed by consumer companies, IDC said.
Lawmakers have been concerned about the spread of internet-connected devices and have grappled with ways to draw attention to the security risks posed by such gadgets but their focus is still aimed at consumer devices rather than factory-floor equipment.
Earlier this month, a group of lawmakers led by Democratic Sen. Mark Warner of Virginia reintroduced legislation that would require federal government agencies to buy only those internet-connected devices that meet minimum standards of security. A companion bill in the House was introduced by Rep. Robin Kelly, an Illinois Democrat.
Members of Congress introduced several bills in the 115th session addressing broader security risks posed by connected devices. Some passed the House, but none became law.
In September, California became the first to enact legislation that requires makers of connected devices to incorporate “reasonable security features” to protect the device as well as the data collected, stored or transmitted by it from unauthorized access, disclosure, destruction or modification. The law takes effect in January.
Drawn by their weak security, hackers already have targeted connected devices. On Oct. 21, 2016, hackers using a malware botnet exploited default passwords that are hard coded into home internet routers and digital video recorders to break and take control of those devices and then used them to launch a distributed denial of service attack that took down the internet all across the U.S. East Coast.
Still, despite the current vulnerability of internet-of-things devices, manufacturers see connected devices as key to modernization and improvements of their production processes.
Companies expect that internet-connected devices on the shop floor is “going to lead to significant improvements in asset utilization, quality, productivity, and employee safety,” said Mark Wheeler, director of supply chain solutions at Zebra Technologies, a Lincolnshire, Illinois-based company that provides such equipment for a variety of industries.
What is congressional recess? Explaining time off in the House and Senate
While lean manufacturing and just-in-time production techniques have largely relied on shop floor supervisors to visually identify tools and materials, internet-connected devices now provide an “eye in the sky visibility about materials, people and tooling so they can predict when an issue is likely to occur and deal with it before it impacts the production line,” Wheeler said.
Manufacturers of consumer goods, including car makers and those that make dishwashers, refrigerators and washing machines, are leaders in adopting internet-connected devices on shop floors. But process manufacturers, including food and beverage makers, chemical companies and textile makers, are also switching to such devices, Wheeler said.
A food and beverage maker wanting to switch a production line from one product to another to meet market demand can benefit from connected devices that show if raw materials, tooling and staffing are in place to make changes quickly, Wheeler said.
As factories begin employing millennial employees who have grown up touching, swiping and talking to devices, they “are not going to be turning valves, swinging wrenches, and doing those type of things” as much as older factory employees might have, said Matt Watchinski, vice president for global threat intelligence at Talos, which is Cisco’s intelligence arm.
That is a factor that is pushing factory modernization, he said. Younger employees “will want to click a button and tell a machine to do it.”
Shop floor training
Another issue is that applying security practices in a factory and educating factory employees about network security are different from how it is practiced in office environments, Watchinski and Deloitte’s Peasley said.
Corporate and office computer networks are often subjected to penetration testing to check if they can withstand attacks, but such techniques cannot be applied to a factory because they could result in an assembly line shutting down, Peasley said, adding that other passive techniques may be needed.
Factory employees need to be taught about the dangers of phishing emails and allowing unauthorized access to networks, and not to plug in thumb drives into devices as they may be accustomed to doing, Peasley said.
Information security experts also need to be cognizant of new devices on their networks that need to be safeguarded, Watchinski said.
As factories modernize, many of them are replacing monitoring devices using older protocols that were mainly internal to the factory with new, more powerful devices that connect to the internet, Watchinski said.
“So that means all these things we have never seen before in the information security and IT landscape are going to start showing up on our networks,” Watchinski said. “All of a sudden I’ve got 12,000 pipeline sensors that are on my network and I need to treat them as I would any other device” on a corporate network that needs protection and increased cybersecurity.
Security experts will have to contend with underground criminal gangs looking to exploit connected devices to steal money and operate coin-mining operations, for example, as well as nation-state hackers, Watchinski said.
In June last year the FBI said the Kremlin was behind a hacking operation called VPNFilter, which allowed hackers to penetrate network routers who then used the access to get into corporate networks, examine traffic and collect users’ credentials.
The hack also allowed the operators behind the penetration to deploy a sniffing tool that looked for industrial control systems, Watchinski said.
Medical devices, pipeline sensors and smart meters being deployed by electric utilities could all become vulnerable to such tactics without adequate security protocols, Watchinski said.