Hacking into the Manufacturing industry
Hacking is a longstanding threat. The first attack was in 1903, when a magician disrupted a telegraph product demonstration, to mock its security with offensive Morse code messages. Often played out by “geeks” or the overlooked in society, the epidemic has been allowed to spread, with a long line of scholars and child geniuses unmasked as perpetrators behind the computer screen, causing mischief to businesses, their workplace, or the government.
A Shift in Target
As years have passed this has reversed, with companies employing ethical hackers to test and safeguard their systems. Whilst originally hackers have been known as harmless disrupters, choosing to embarrass badly behaving companies or to enter and leave a network undamaged, increasingly this in not the case. Alarming also, is the growing reliance we have on technology open to attack. Whereas previously hackers where limited to attacking service organisations, withholding, or threatening to share customer information (a scary enough prospect), hackers now have scope to change how a business performs on an operational level. With many industrial processes such as steel production or CNC turning relying on computer systems, an attack on the manufacturing trade could have similarly fatal consequences.
In this article we look at which businesses are – or should have – safeguarded themselves against growing attacks.
The 2015 steel mill attack
In 2015 an unnamed steel mill was attacked in Germany. One of the first of its kind, this attack caused physical damage, hijacking the central control system so that a furnace couldn’t be shut normally, causing physical danger to its employees (Wired, 2015). Mirroring the sinister nature of the Stuxnet hack on an Israeli nuclear weapon site, the hackers managed to infiltrate the system despite not being online, using messages across a separate network to find log in details to the bespoke control system. This move caused experts to acknowledge although there are many production management and communication systems that boast cohesion, in order to protect a network or minimise disruption these need to exist separately, at absolute minimum protected by a web application firewall (Entrepreneur, 2015).
Cyber security within the automotive industry
More recently Renault reported halting production in May after a cyber-attack hit computer systems, whilst Nissan were additionally reported at hacked, although denied to say whether production was affected (Autocar, 2017). Computer Weekly argues cyber security breaches have been occurring for over a decade and are common occurrence, as such attacks go unreported (Computer Weekly Security Editor, 2015). Companies are reluctant to inform their customers and shareholders of an attack because of the impact it could have on their reputation. However lack of knowledge leads to a dangerous naivety, particularly for manufacturers, as producers of physical goods. Doug Wylie, Rockwell Director of Security commented; “there are some further reaching
consequences that come with industrial control. We’re dealing with systems that are facilitating controls of critical infrastructures, oil and gas, water, food and beverage.” (Industry Week, 2013).
Using intellectual property
However, not all attacks are as direct. One of the most common approaches are viruses designed to gather information, either from a competitor or a hacker wanting to sell that data on. Manufacturing accounts for almost 70% of total UK research and development costs (EEF, The Manufacturer, 2017), and hackers are happy to exploit those wanting to keep intellectual property private. State sponsored attacks on intellectual property are the most popular; Australia, Britain and the United States all recently signed agreements with China to stop such attacks, after accusations that Chinese hackers stole trade secrets from manufacturers, tech and pharmaceutical companies (Phys Org, 2017).
So what can you do? Industrial specific cyber security software is on the rise, and there are plenty of options. The most comprehensive and unbiased directory is the Cybersecurity 500, which lists the global top 500 based on customer feedback, sector knowledge and other considerations, ignoring company size as a factor. You can find it here. Other suggestions are holding induction training and company workshops in cyber security, as the most common infiltrations are through emails this will filter a large number of potential viruses from being let in by employees. Extra precautions and education around company phone use should also be considered, as employee’s accessing work through Wi-Fi could find connection security compromised. After phone companies Three and Talk Talk seperately admitted to over 100,000 customer’s details being exposed across 2015 and 2016, possibly it’s worth having company applications accessible only on site.
Autocar. (2017). Renault and Nissan targeted by ransomware hackers. Retrieved from Autocar: https://www.autocar.co.uk/car-news/industry/renault-and-nissan-targeted-ransomware-hackers
Computer Weekly Security Editor. (2015). BlackHat 2015: Industrial hacking – the untold story. Retrieved from Computer Weekly: http://www.computerweekly.com/news/4500251365/BlackHat-2015-Industrial-hacking-the-untold-story
EEF, The Manufacturer. (2017). UK Manufacturing Statistics. Retrieved from The Manufacturer: https://www.themanufacturer.com/uk-manufacturing-statistics/
Industry Week. (2013). Technology: Hackers Take Aim at Manufacturing. Retrieved from Industry Week: http://www.industryweek.com/technology/technology-hackers-take-aim-manufacturing
Phys Org. (2017). China agrees to fight corporate hacking in Canada. Retrieved from Phys Org: https://phys.org/news/2017-06-china-corporate-hacking-canada.html