Cybersecurity: making manufacturing secure
Graham Thomson, chief information security officer at Irwin Mitchell discusses cyberthreats and the ways in which the industry can secure its operations.
Manufacturing is the third most likely sector to experience a data breach, after financial services and insurance. But it’s among the least protected, according to the manufacturers’ organisation Make UK.
Cyber threats are constraining UK industry’s progress with digitalisation.
Companies can be hacked, covertly observed, and have their assets damaged or stolen while remaining completely unaware until it’s too late.
Because Industry 4.0 technology makes a company more connected to machines, the internet and other companies, firms are wary – with good reason – that high levels of digital adoption will increase their exposure to cyber attack. In a study with cyber security providers Vauban Group, Make UK found that while manufacturers are investing in digital technologies, 35% think that cyber vulnerability is inhibiting them from doing so fully.
Cyber attacks also show how closely integrated business IT (business communications and computing, storage and back-office technology) is with operational technology today.
“For Industry 4.0 especially, IT and OT have already converged, and at a speed greater than companies have been able to secure them adequately,” says Graham Thomson, chief information security officer at Irwin Mitchell. Industrial cyber attacks will increase, Graham says, impacting industry in areas like breaches of security, outages, data and IP theft, physical damage to IT systems and to capital equipment.
There are several ways a cyber criminal can attack a manufacturing company, including phishing and other “social engineering” techniques, resulting in malware (virus) infections like ransomware and Trojan horses.
Phishing is the fraudulent attempt to acquire sensitive information like passwords and protected files, or to deploy booby-trapped files, by posing as a trustworthy party. It’s the most common form of cyber attack because there’s a constant stream of different vulnerabilities that a hacker can take advantage of. It could be elicited through a fake advertisement on social media, or masquerading as an email from a work colleague.
The risk is magnified with such attacks because companies can’t always detect the level of security risk being introduced. “Say a company installs a new HVACS [air conditioning] system, but they didn't know this is accessible via the internet,” says Graham. “It can be accessed from afar simply with a commonly-known password, if this isn’t set up securely.
“A hacker can play with the settings, making conditions too hot or cold to work efficiently, or possibly even use this system to then access other internal IT systems,” says Graham. “It's a very effective impact from a simple intervention.”
Hacking and modifying a factory operation can be achieved by attacking any management system of operations technology, or supervisory control and data acquisition (SCADA) architecture. Most manufacturing companies have a variety of these OT systems to manage their factories inside their corporate IT structure which are also accessible remotely, which is where criminals target.
Normally industrial companies have an ‘air gap’ between OT and machinery and their IT network, preventing easy access to the plant for cyber criminals. “Regularly we see simple methods like a USB stick breach the air gap,” says Graham, “So by itself, partitioning factories from the network with an air gap isn’t an effective measure.”
Password or credential stuffing
A rising cyber trend that manufacturers should know about is password stuffing.
The login pages for a website, email account, management or control system for operational technology are all at risk from this method.
Cyber criminals can acquire lists of previously compromised email address and password pairings. They run a program to populate login pages with millions of combinations.
“There are about 3bn passwords and usernames on these lists that have been compromised, where numerous security researchers have found these databases on the dark web,” says Graham. “They point the program at the login page, press go, and the combinations auto-populate until there’s a match.”
While the method relies on complete chance, it’s possible to gain unauthorised access using email addresses and passwords that were compromised years ago and are totally unrelated to the current business, where an employee used an identical or commonly-used password. The solution: use two-factor authentication for remote access to important systems, or at the very least enforce long random passwords.
Improve your cyber security
Appoint somebody with sole responsibility for cyber security for the organisation. Provide them with a framework and reporting structure. For SMEs, this may mean combining the job with another role like IT director.
Make security part of the organisation’s culture, not just an IT issue. “Being cyber secure covers employees’ behaviours, training, and deploying cyber safe processes. Staff need training and better awareness of the risks,” Graham says.
Become familiar with the different security standards. Several documents can tell you how to apply good IT security: many are free like NIST and CIS, some like ISO27001 are paid-for. Most are very lengthy, and will need a lawyer to translate appropriately for the business.
For more information on manufacturing topics - please take a look at the latest edition of Manufacturing Global.
Lion Electric to Construct US EV Manufacturing Facility
Who is Lion Electric?
Founded in 2008, is an innovative manufacturer of all-electric, zero-emissions, medium and heavy-duty urban vehicles. Lion Electric designs, manufactures, and assembles all components for its vehicles that have unique features specifically adapted to the users and their needs. “We believe that transitioning to all-electric vehicles will lead to major improvements in our society, environment and overall quality of life,” believes Lion Electric.
Lion Electric’s new Illinois Manufacturing Facility
Just two months after announcing plans to construct a battery manufacturing plant and innovation centre in Quebec, Lion Electric is expanding its locations further, selecting Joliet, Illinois for its new manufacturing facility in the US.
The new facility is said to “represent the largest dedicated production site for zero-emission medium and heavy-duty vehicles in the US,” as well as being the company’s biggest footprint in the market. The new facility will give Lion Electric the capacity to meet increasing demand for ‘Made in America’ zero-emission vehicles and bring production closer to customers.
It is expected that the first vehicles off the production line will be in the second half of 2022.
“Lion’s historic investment to bring its largest production facility to Illinois represents not only a win for our communities, but a strong step forward in our work to expand clean energy alternatives and the jobs they bring to our communities,” said Gov. J.B. Pritzker.
“The new Joliet facility will put Illinois at the forefront of a national movement to transition to zero-emission vehicle use, advancing our own goals of putting one million of these cars on the road by 2030. In Illinois, we know that a clean energy economy is about more than just vehicles – it’s about healthier communities and jobs for those who live there. We are excited to welcome Lion to the Land of Lincoln and look forward to their future success here.”
Lion Electric’s Agreement with the Government of Illinois
Over the next three years, Lion Electric will invest a minimum of US$70mn into Illinois. The new facility - totalling 900,000 square feet - is expected to create a minimum of 745 clean energy direct jobs in the next three years, and have an annual production capacity of up to 20,000 all electric buses and trucks.
Scaling electric bus production and decarbonising freight and transportation
As the US moves to electrifying its school buses, the additional production capacity at the facility will help Lion Electric to scale its electric bus production, as well as produce an increased volume of heavy-duty zero-emission trucks to help governments and operators in the US further the decarbonisation of freight and transportation fleets.
“Lion is the leader in electric school buses and has always been dedicated to the U.S. market, and our commitment to be close to our customers is one of the core values we have as a company. This significant expansion into the U.S. market will not only allow us to drastically increase our overall manufacturing capacity of electric trucks and buses but to also better serve our customers, while adding critical clean manufacturing jobs that will form the backbone of the green economy,” said Marc Bedard, CEO and Founder of Lion.
“I also want to acknowledge the crucial role that P33 and Intersect Illinois, civic groups committed to developing developing a long-term roadmap for the local tech industry, played in connecting Lion with the Chicago area’s business and civic community to help further commercial traction, as well as engagement with key workforce and supplier partners.”