Hacking into the Manufacturing Industry
Originally hackers have been known as pranksters, infiltrating companies and the public services with harmless messages or stunts.As years have passed this has reversed, with companies employing ethical hackers to test and safeguard their systems. Whilst originally hackers have been known as harmless disrupters, choosing to embarrass badly behaving companies or to enter and leave a network undamaged, increasingly this in not the case. Alarming also, is the growing reliance we have on technology open to attack. Whereas previously hackers where limited to attacking service organisations, withholding, or threatening to share customer information (a scary enough prospect), hackers now have scope to change how a business performs on an operational level. With many industrial processes such as steel production or CNC turning relying on computer systems, an attack on the manufacturing trade could have similarly fatal consequences.
In this article we look at which businesses are – or should have – safeguarded themselves against growing attacks.
In 2015 an unnamed steel mill was attacked in Germany. One of the first of its kind, this attack caused physical damage, hijacking the central control system so that a furnace couldn’t be shut normally, causing physical danger to its employees (Wired, 2015). Mirroring the sinister nature of the Stuxnet hack on an Israeli nuclear weapon site, the hackers managed to infiltrate the system despite not being online, using messages across a separate network to find log in details to the bespoke control system. This move caused experts to acknowledge although there are many production management and communication systems that boast cohesion, in order to protect a network or minimise disruption these need to exist separately, at absolute minimum protected by a web application firewall (Entrepreneur, 2015).
More recently Renault reported halting production in May after a cyber-attack hit computer systems, whilst Nissan were additionally reported at hacked, although denied to say whether production was affected (Autocar, 2017). Computer Weekly argues cyber security breaches have been occurring for over a decade and are common occurrence, as such attacks go unreported (Computer Weekly Security Editor, 2015). Companies are reluctant to inform their customers and shareholders of an attack because of the impact it could have on their reputation. However lack of knowledge leads to a dangerous naivety, particularly for manufacturers, as producers of physical goods. Doug Wylie, Rockwell Director of Security commented; “there are some further reaching consequences that come with industrial control. We’re dealing with systems that are facilitating controls of critical infrastructures, oil and gas, water, food and beverage.” (Industry Week, 2013).
However, not all attacks are as direct. One of the most common approaches are viruses designed to gather information, either from a competitor or a hacker wanting to sell that data on. Manufacturing accounts for almost 70% of total UK research and development costs (EEF, The Manufacturer, 2017), and hackers are happy to exploit those wanting to keep intellectual property private. State sponsored attacks on intellectual property are the most popular; Australia, Britain and the United States all recently signed agreements with China to stop such attacks, after accusations that Chinese hackers stole trade secrets from manufacturers, tech and pharmaceutical companies (Phys Org, 2017).
So what can you do? Industrial specific cyber security software is on the rise, and there are plenty of options. The most comprehensive and unbiased directory is the Cybersecurity 500, which lists the global top 500 based on customer feedback, sector knowledge and other considerations, ignoring company size as a factor. You can find it here. Other suggestions are holding induction training and company workshops in cyber security, as the most common infiltrations are through emails this will filter a large number of potential viruses from being let in by employees. Extra precautions and education around company phone use should also be considered, as employee’s accessing work through Wi-Fi could find connection security compromised. After phone companies Three and Talk Talk seperately admitted to over 100,000 customer’s details being exposed across 2015 and 2016, possibly it’s worth having company applications accessible only on site.
The Broder Blogger.