With all the different sectors listed as critical by the Department of Homeland Security, it’s easy to understand how some fail to get the attention they deserve. After all, losing power, water, or medical care may seem a lot more serious than not getting the latest tablet or smart phone. However, our economic sectors do not operate in isolation. Instead, they are an intricate set of dependencies with factories providing a steady stream of spare parts to power plants and water facilities, new instruments to operating rooms, and a host of other components most of us never think about. More importantly, though, manufacturing is a key driver for the global economy, and outages affecting even the most frivolous luxury good can have a ripple effect leading to lost jobs, reduced economic output, and civil unrest. Additionally, disruptions in one country or region can affect others in a positive or negative way. Consequently, the motivation for sabotage, intellectual property theft, and market manipulation are entirely plausible.
Nearly every day, we find stories in the news of disgruntled insiders stealing key process documents on their way out the door, nation states hacking for the latest research and development, and malcontents looking to disrupt operations and threaten human lives. By all accounts, the problem is getting worse. I recently spoke with someone who runs his own computer forensics firm, and he indicated that nearly every case his company handles involves an employee suspected of stealing intellectual property from his/her employer on behalf of a competitor. Many of these are manufacturing customers. So it stands to reason that if competitors are willing to elicit a competitor’s employees to assist in such a theft, they are likely to fund the hacking of their competitors and possibly the sabotage of their operations.
The last category, sabotage, is probably the hardest for many to comprehend and yet is the one that affects everyone. By contrast, the theft of trade secrets and other sensitive information is often difficult to monetize easily, is often time sensitive (e.g., information on an upcoming acquisition, planned procurements), and the use of it may tip off the victim and law enforcement. Moreover, sabotage can be outsourced with fewer entanglements. Finally, it is easier to pull off. Most factories operate with a set of tightly linked interdependencies with little room for error. This is because cost efficiency is paramount in much of manufacturing, where the difference between profit and loss for a company is often based on just-in-time delivery of supplies, the extension of factory machinery beyond its useful life, and automation of complex processes. Introducing even a small amount of latency into an assembly line, changing order entries in the enterprise resource planning (ERP) system, or altering the temperature in a smelting process could have cascading effects causing damage to factory equipment, defective products, work stoppage, or even deaths. Moreover, because factories often depend on each other, the failure to deliver a part in a timely manner from one factory could lead to delays or outages in factories producing the finished product. We frequently see that happen when natural disasters interrupt operations in one part of the world, only to see the ripple effect elsewhere.
The reality is that even with the general absence of cybersecurity regulations, Sarbanes-Oxley notwithstanding, manufacturing has good reasons to enhance its cybersecurity posture. Let’s review some of them.
Whenever intellectual property comes up, thoughts quickly turn to some magical formula, like the recipe for Coca-Cola® (The Coca-Cola Company), or some new-fangled invention hidden away in some lab. But often, the most valuable information is not how to make something, but how to make it cheaper. The modern factory is obsessed with controlling costs through reductions in waste, energy efficiency, automation, supply chain optimization, and shipping as much product as possible in as little space. For many manufacturers, the crown jewels are not in the lab but in ERP and industrial control systems, and because those systems have tentacles across the whole organization, cybersecurity protections are not as simple as locking up a secret formula. Protection requires a strategic approach that analyzes all business processes, prioritizes them, and selects controls that are both effective and don’t disrupt the delicate balance of safety, cost efficiencies, and innovation.
Sabotage is commonly thought of as some sort of physical destruction or obstruction to a manufacturing process. And that is certainly one aspect. However, in the cyber domain, the term has a broader context. Any action that degrades network performance, such as a denial-of-service attack, or preventing the timely delivery of information can be viewed as sabotage. This could be as simple as blocking e-mails providing the status of supply shipments. Moreover, the modern factory makes heavy use of performance data, energy usage statistics, environmental readings, and many other factors to make a wide variety of decisions. If that information is unavailable or, worse yet, is inaccurate, the results could be catastrophic, leading to harm to humans, expensive machinery, and the bottom line. Any cybersecurity analysis must take into account these possible impacts and design of both controls and underlying processes to make these events extremely unlikely.
Supply Chain, Market Manipulation and Reputation
Sometimes the biggest risks are those one has the least control over. Manufacturing heavily depends on supply chains that are reliable and consistently produce quality products. And in many industries, product quality and reliability is based on software that is prone to manipulation via cybersecurity attacks. Manufacturers must ensure that appropriate due diligence is paid to the source of such materials and that the supplier follows good cybersecurity practices in both the manufacturing process and other parts of the fulfillment process (e.g., shipping, storage, integration). Moreover, manufacturers themselves need to be cognizant of these cybersecurity risks for the products they provide to their customers.
Similarly, companies rely on market information to gauge production schedules, determine the availability of supplies, and when to make deliveries. For some industries, this information can take the form of consumer surveys, shipping container pricing and availability reports, and even weather reports. In addition to verifying the accuracy of the data and having alternate sources, manufacturers need to operate in an environment where the data could be wrong or unavailable.
Finally, in the brave new world of social media, a company’s reputation can go from stellar to abysmal in a matter of minutes. While all organizations must concern themselves with reputation, manufacturers operate on very tight margins with competitors that will use any bad press to their advantage. Oftentimes, the only differentiator for highly commoditized markets is one’s brand. Consequently, manufacturers need to remain diligent in how they are perceived, both in regard to the quality of their products and customer service, but also regarding other less obvious issues like their environmental practices, labor relations, employee safety programs, and even the state of their cybersecurity program. That means remaining vigilant of events on social media, including the posting of inaccurate or misleading information. Postings by disgruntled current and former employees are also an area to watch.
While manufacturing is a frequently ignored aspect of critical infrastructure, we do so at our peril. It is a key part of our economy and can have a direct impact on the lives of millions of employees, customers, and residents of the local communities where they reside.