Cyber security: a must-have, not a nice-to-have

Posted on 1 Jun 2022 by Joe Bush

Ahead of Transform2022 Paul Hingley, Product Solution & Security Officer UK and Ireland for Siemens Digital Industries, talks about why cyber security in manufacturing is a must-have.

Manufacturing and production factories are a significant target for cyber criminals. Theft of sensitive data, disruption of access to systems or operational technology, or industrial espionage for competitive advantage have had devastating impacts across industries.

Global supply chains and manufacturing processes have been a target in the past year especially as industry navigated the challenges of the COVID-19 pandemic.

Some of the most common cyber attacks have been through phishing. The vulnerability of the industry is at a further risk due to exploitation of unpatched software, a point of entry that ransomware actors rely on more than any other to carry out their attacks.

When we think of ‘factories’, we may imagine ear-splitting machinery and grimy grease, not bits and bytes. However, in the age of Industry 4.0 the reality of the modern factory is very different. Information technology (IT) is embedded in production operations and industry experts simply call it the convergence of IT and OT (operational technology).

[Image caption: How resilient is manufacturing to cyber threats?]

Early adopters of this convergence are already reaping its many benefits. For instance, a virtual model of a product developed using a digital twin helps plan and monitor the lifecycle of a product. The transformation also facilitates the creation of new business models; things like operation models in which customers no longer buy pieces of equipment and simply pay only for what they use. The entire process requires data, and lots of it.

All things come with a challenge, and as IT and OT are being converged, OT must increasingly deal with the problem of cyber attacks. The chinks in the armour arise from the bonds that link the machines to one another and the internet. Hackers can sneak through these unguarded fissures and cause devastating damage – damage that can even disrupt our daily lives if things go bad.

OT's loss of innocence

One of the first OT cyber attacks was recorded in 2010 and became known around the world as the Stuxnet incident. It was the first time that hackers intentionally set their sights on OT. Cyber attacks on industrial facilities and automation systems have taken off ever since.

As a vendor to manufacturers of industrial automation systems, Siemens makes every effort to include its Product & Solution Security (PSS) initiative.

In our digitalised world, production plants are no longer shut off from the outside world. The efficiency gains created by digitalisation in production are simply too great to give up. However, work performed with such things as digital twins and artificial intelligence requires the real-time transmission of huge amounts of data and thus, a comprehensive network. Automation systems and control units have been a part of IoT for years now.

Collaborative approach to safeguard IT and OT

With digital transformation being so critical to manufacturers, cyber security has also become a priority. It must always be available to provide integrity of systems. However, despite the seriousness of cyber threats, many companies continue to take a carefree attitude to their OT.

Studies from Siemens and customer interactions have shown that OT infrastructures, unlike IT infrastructures, are not protected from cyber attacks. This needs to change. IT and OT should be jointly responsible for machinery security.

[Image caption: Global supply chains and manufacturing processes have been a target for cyber attacks in the past year]

The long life cycles of machinery, which sometimes extend for decades, complicate protection efforts when an interface to the internet must be added to the machinery. Another reason is the complexity and heterogeneity of companies’ plants. These two factors make it difficult to erect an integrated line of defence.

However, the biggest factor of all is the high priority that companies place on availability. A production operation should never go offline, even when security updates are installed. As a result, companies tend to put off such installations for a long time. In the process, though, companies can expose themselves to the risk of hacker attacks and the shutdown scenarios that they dread so much. Nonetheless, the scheduling of a patch window that includes a brief, orderly shutdown (if it turns out to be necessary) is certainly better than a week-long, ransomware-triggered stoppage.

Standalone solutions are frequently used

Large manufacturers have a better grasp of this situation. However, small companies, while they frequently understand what is at stake, lack the know-how needed to reinforce their lines of defence from hackers. Such companies generally rely on standalone solutions and don’t have an integrated security strategy for the entire company.

Most hacks in manufacturing take place either for a ransom or so that competitors can steal company production secrets. Cyber security is that insurance policy which costs money and provides no benefits at first, but you urgently need it when damage could occur.

The other argument is that investments in cyber security pay off today even if no attack happens to be under way at that moment. In industries like the automotive sector or critical infrastructure, suppliers can forget about winning contracts if they cannot demonstrate that they meet certain standards or have certifications. Cyber security also enhances a company’s competitiveness and even clears the way for brand new digital business models.

In conclusion, as we have access to the latest technologies, let’s not forget that hackers also use sophisticated and new technologies to launch cyber attacks. So, manufacturers can be confident if they have taken the first step and invested in both their IT and OT cyber security.

Paul Hingley

Paul began his engineering career in the Automotive Industry as a Project Manager following an Electrical Technical Apprenticeship with the Rover Group. He then moved to an OEM for process equipment primarily focused on the metals industry working as a project engineering interface with all overseas projects. This led to numerous management projects around the world delivering full turnkey solutions.

After working overseas for some years, he returned to the UK and worked in developing industrial control solutions from the enterprise layer to the shop floor. This utilised new industrial control technologies such as industrial communication networks and developing leading edge control concepts within the ICS environment.

Paul joined Siemens in 1997 as a Network Applications Engineer before becoming a Product Manager for industrial control systems and products. He then became the Business Unit Manager for Data Services. This was a team within the Siemens organisation responsible for the IIOT (Industrial Internet of Things) and Industry 4.0 via the Cloud based PaaS Mindsphere and now is Business Unit Manager for Communication Products, Industrial Safety and Security Services. This new business unit provides Network products, security and safety consultancy.