By Joe Toppe
The Upstate’s largest manufacturing hands are now plugging holes along digital supply lines to stave off the daily barrage of cyber attacks. For area suppliers linked to the larger OEMs, the virtual breaches have opened a new threat to the mass production of goods and the shipment of components.
Supply Chain Dive recently pinpointed likely threats ranging from industrial espionage for corporate information-gathering to using the infrastructure to access computing resources for Bitcoin mining and the online storage of illicit things like child pornography.
Who are these hackers?
“They’re everything from state-run cyber houses to bored teenagers in the basement,” said Jason Marlin, president at Champion Aerospace in Liberty.
State-run cyber attacks are typically after intellectual property while some are after resources to mine cryptocurrencies, he said. Because of things like “ransomware in a box” found on the dark web, “anyone can try their luck at becoming a cyber criminal.”
Although internal threats are often less sophisticated, the National Institute of Standards and Technology also named them as a potential source. The organization highlighted countless incidents of malicious insiders stealing a company’s intellectual property or other confidential information for personal profit or revenge. These internal attacks can be committed by current and former employees and contractors at any level of the organization, even the executive level, according to NIST.
What are they after?
In essence, Marlin said, “They’re doing it for property, money, or fame.”
“It is one of the biggest issues facing businesses today, and no matter how much effort we put into our organization to combat these threat vectors, we could still be put in a bad situation if one of our key suppliers has been hit,” he said.
Some manufacturing processes are specific in nature and sometimes supplied by a single source, “so no matter how much work is done at the local level, we will always be vulnerable,” Marlin said.
NIST labeled compromised hardware and software, inferior information security practiced by lower-tier suppliers, third-party service providers with virtual access, and software vulnerabilities in supply chain management systems as major risks.
How did they get here?
While some of it is due to Industry 4.0, Chuck Spangler, president of the South Carolina Manufacturing Extension Partnership, said IoT (Internet of Things) devices offer cyber criminals the chance to gain access to a normally secure network.
New manufacturing machines are digital and can communicate with each other, he said. Although this is great for visibility along the supply chain, “it causes concern for breaches.”
Cyber security in the supply chain cannot be viewed as an IT problem only. NIST showed cyber risks also include sourcing, vendor management, supply chain continuity and quality, and transportation security.
As more devices become internet-capable and the use of wireless devices in the manufacturing environment increases, “the need for more secure and reliable networks has never been greater,” said Katie Zarich, manager of external communications at Cummins Inc.
Some key drivers for improved network capability include the increased use of mobile devices on the plant floor, like tablets for manufacturing support, she said.
In addition to the increased digital functions on the manufacturing floor, a human element remains.
“The majority of those interacting with sensitive information simply don’t have the technical awareness of how that information can be accessed,” said Steve Prout, president of Solar Atmospheres in Greenville.
“The downflow of data into the supply chains has not been handled to ensure subtiers are as aware of data security requirements as they should be,” he said. “This is a very real issue and far bigger than most realize.”
Who is most at risk?
Spangler said small to midsized manufacturing companies are seen as low-hanging fruit.
Without in-house resources to implement a great cyber security plan, “some of these companies have been held hostage and had to pay to release their intellectual property,” he said.
Despite hackers’ affinity for small to midsized firms, the larger manufacturers remain at risk, and according to some industry professionals, they are the central target of seasoned hackers.
Large manufacturers can store the most data and house the most sensitive information sellable on the deep web, said Deveren Werne, owner of Liquid Video Technologies and Mojoe.net in Greenville.
“They are where the hackers want to be,” he said. Today, “manufacturers must think about error trapping, remote ways of accessing connected devices, and preventing intruders from accessing theirs. It is one thing to make a product smart, it is a completely different thing to make a product secure.”
How often are the attacks?
“We are targeted daily,” Marlin said.
There are phishing attempts, multiple port reads, and many other daily threats detected, he said. From an IT department’s perspective, “we now spend 30 to 40 percent of our time on cyber security threats.”
The increasing interconnectivity of manufacturing supply chains has given rise to cyber attacks, and as more firms come online, that risk is only expected to grow.
In the future, Werne said, “Everyone and everything will be connected.”
Data and information will be passed from human to device in mere milliseconds, he said. “Securing that data means cyber security should remain a manufacturer’s foremost concern when developing any IoT device.”