AD: Why do manufacturers need to be concerned with Internet security?
Dehning: More and more, manufacturing systems are connected to companies’ internal network and, through that, to the Internet. Many of these systems are not new and were never designed with them being connected to the Internet in mind. Therefore, many of them lack even a very basic level of IT security. Unlike most office systems, manufacturing systems can actually do physical harm. Therefore, a lack of IT security with these systems can potentially lead to injuries and even deaths. That’s on top of the risk of disrupted production processes, which can cause high financial losses.
AD: How does the IIoT (industrial Internet of Things) make their manufacturing systems vulnerable?
Dehning: Connecting systems to the Internet that were never meant to be connected makes them vulnerable. Even if an IIoT device itself has a good level of security, it might affect the underlying manufacturing system in a way that it stops working properly. If, for example, a sensor that is supposed to provide information essential for internal functions of a manufacturing system is being asked for information by the IIoT device too often, the sensor might no longer be able to provide its actual function.
AD: How does a manufacturing company’s supply chain figure into security concerns?
Dehning: Many manufacturing companies these days are closely connected to their partners in the supply chain — downstream and upstream. A lot of sensitive data is exchanged between different members of a supply chain. Sensitive data might include actual production figures, financial information, and detailed product data, such as CAD files. Security is always only as good as the weakest link, so companies should be concerned about the level of IT security of their supply chain partners.
AD: Can intellectual property/trade secrets be compromised?
Dehning: Absolutely. There is a long list of instances involving hackers stealing secrets at the behest of foreign governments. Many other data breaches within companies occur simply by negligence, ignorance or a combination of both, and bad actors are talented at finding exploits. Some companies become so large that a tiny flaw in their security can go unnoticed, even with an experienced IT department.
AD: What about internal and external communications? Why is it important to secure these as well?
Dehning: With external communication, it’s obvious — forms of malware, ransomware, and phishing scams are sophisticated enough to look authentic, and employees may not be aware of what they’re clicking in their e-mails. With internal communication, there are two aspects:
First, employees and others who can rightfully access internal data can cause damage intentionally or unintentionally. Therefore, access to data should be restricted to those who need the access for their work. This is not an easy decision, as it is often unclear who actually needs what data. Therefore, read access may be quite open, but write access should be restricted or, at least, there should be good backup procedures in place.
Second, insecure internal systems and networks leave the door wide open for any attackers who, more often than not, have malicious intent.
AD: Are there any examples you could cite of those who have suffered losses because of security breaches?
Dehning: The most prominent example is Stuxnet, a computer worm that is believed to have been used to attack the Iranian nuclear program. Stuxnet was delivered by USB memory sticks and found its way through printer drivers and internal computer systems to the centrifuges used to enrich uranium. It is reported that the attack led to damaged centrifuges and insufficiently enriched uranium. While many will see this attack as a positive event, it is an example of a successful attack on well-protected industrial systems using less-protected office systems as a way of entry.
AD: Are the threats mostly coming from overseas or are they domestic as well?
Dehning: Hackers live all around the world. State-sponsored threats are mostly coming from countries such as Russia, China, and North Korea. Criminal hacking activities often seem to be originating in Russia.
AD: What steps should companies be taking to protect their operations?
Dehning: Be aware that the risk of being attacked is real. All companies are under attack; only some don’t realize it. Identify your most valuable data and systems. Identify potential attack vectors. Assess the risk levels and potential costs of security incidents. Protect your data and systems according to the outcome of this analysis, using technical and organizational protection measures.
AD: Can this be handled internally, or should manufacturers seek outside help?
Dehning: All companies will use some kind of IT security products. Whether they need additional outside consulting from cybersecurity specialists depends on the size of the company and the available internal IT security expertise. Most companies will need outside expertise, because their internal level of knowledge around IT security is insufficient. That is especially true for small and medium-size businesses.
AD: What’s ahead as far as new threats and new responses?
Dehning: Ransomware attacks — big during the last two years — seem to be happening less, but they’re still around. Cryptominers that illegally use attacked IT hardware to, for example, generate Bitcoins are more prominent right now. CEO fraud seems to be on the rise, and phishing attacks are happening all the time. A new trend is the use of AI techniques by attackers to get around protective systems.