Hacked without knowing it

Engineering and IT Insight: Cyber-criminals are stealing manufacturing companies’ intellectual property (IP). Is your lack of cyber security hardware, software, and best practices giving away millions of dollars of IP to unknown competitors without your knowledge?


It is hard not to be afraid, maybe very afraid. Recent news articles and security analyst reports have listed the types of attacks and illicit information gathering directed against manufacturing companies, and they are not what you may expect. Many of the current press announcements are about stealing credit card information, social media account passwords, and social security numbers, but cyber-criminals are after something much more valuable in manufacturing companies: their intellectual property (IP). While national security agencies are pushing companies to harden critical infrastructure against disruptions from cyber terrorists, less attention is given to protecting the intellectual property that manufacturing companies have spent millions of dollars to develop.

Advanced persistent threat

Companies compromised by directed attacks, usually called advanced persistent threats (APTs), have included those in the aerospace, energy, transportation, pharmaceutical, biotechnology, engineering services, high-tech electronics, chemicals, food and agriculture, and metals industries. Information stolen has included product development data, test results, system designs, product manuals, parts lists, simulation technologies, manufacturing procedures, descriptions of proprietary processes, standard operating procedures, and waste management processes. This is information that can be used to replicate production facilities. Many companies think this information has little value outside their company, but if they have global competition and the competition can replicate products and processes at a fraction of the cost, there will be damages.

Most of your competitors will not resort to using illicitly acquired information, but if your competition is based in a country with limited intellectual property rights, or even in a country actively stealing manufacturing IP, then you are at risk. If you are at risk, you may have already been hacked and not even know it. Intellectual property theft is done in a stealth mode. There is a saying among cyber security experts that there are only two types of companies: those that have been hacked, and those that don’t yet know they have been hacked.

Once an APT has established access, the thief will periodically revisit the victim’s network over several months or years and steal technology blueprints, proprietary manufacturing processes, recipes, SOPs, and test results. APTs have been known to maintain access for several years and steal gigabytes of data before they were eventually detected.

If you don’t want an unscrupulous competitor to use your SOPs, production processes, product definitions, and recipes, then it is up to you to ensure that your IT department is protecting your manufacturing IP. The IT department is probably already protecting its financial and personnel records, but it may not realize the value of your manufacturing IP.

With physical security, you can reduce your risk by operating in safe neighborhoods, alarming all of your windows and doors, and hiring security guards. Unfortunately, with cyber security there are no safe neighborhoods. The Internet has put cyber-criminals only one click away from your doorstep, so we are all in the same electronic neighborhood. There is no equivalent for the neighborhood beat cop who looks for suspicious behavior and checks that doors and windows are closed and locked. In the electronic neighborhood you have to protect yourself. This means that companies need to install firewalls for protection to the outside, and firewalls and account protections within the corporate network. Interior firewalls provide the same level of protection as locked interior doors and filing cabinets inside locked buildings. You don’t want to make cyber-criminals’ jobs easier by giving them unrestricted access once they are inside the corporate network. Don’t believe that a single firewall will protect all of the internal systems; install firewalls and security access between business systems and manufacturing systems.

Access points

With physical security, windows and doors are the ways in and out. With cyber security, the ways in and out can be different. Many attacks are introduced through infected USB drives and email, but report back through Internet communications. IT departments should have procedures in place to monitor all outbound Internet traffic for suspicious and atypical behavior. For example, there may be a burst of communications to overseas servers from a manufacturing server at the same time every day, or a set of port scans coming from a server that should be running only document management services. These are indications of a compromised system. Maybe you cannot always keep the bad guys out, but you can recognize when you have been hacked and you can keep them from phoning home.
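The two indicators named above, a burst to an outside server at the same time every day and port scanning from a single-purpose server, can be checked over flow records as in the following added example, which is not part of the original article. The record layout, the `10.0.0.0/8` internal range, the thresholds, and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8")]  # assumption: the plant's internal address range

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def daily_beacons(flows, min_days=3, window_min=10):
    """(src, dst) pairs where an internal host reaches an external one on at least
    min_days days and only ever inside the same window_min-minute slice of the day."""
    seen = defaultdict(lambda: (set(), set()))  # pair -> (dates, minutes of day)
    for ts, src, dst, _port in flows:
        if is_internal(src) and not is_internal(dst):
            dates, minutes = seen[(src, dst)]
            dates.add(ts.date())
            minutes.add(ts.hour * 60 + ts.minute)
    hits = []
    for pair, (dates, minutes) in seen.items():
        mins = sorted(minutes)
        # Shortest arc of the 24-hour clock covering every contact (wraps at midnight).
        gaps = [b - a for a, b in zip(mins, mins[1:])] + [1440 - mins[-1] + mins[0]]
        if len(dates) >= min_days and 1440 - max(gaps) <= window_min:
            hits.append(pair)
    return sorted(hits)

def port_scanners(flows, max_targets=15):
    """Internal sources that touched more than max_targets distinct (host, port) pairs."""
    targets = defaultdict(set)
    for _ts, src, dst, port in flows:
        if is_internal(src):
            targets[src].add((dst, port))
    return sorted(src for src, seen in targets.items() if len(seen) > max_targets)

def sample_flows():
    """Constructed records (timestamp, src, dst, dst_port); addresses are placeholders."""
    t0, flows = datetime(2013, 3, 4, 2, 15), []
    for day in range(5):
        for minute in (0, 1, 3):  # manufacturing server: burst at about 02:15 every night
            flows.append((t0 + timedelta(days=day, minutes=minute), "10.1.1.20", "203.0.113.50", 443))
        # workstation: one external connection per day at a different hour each day
        flows.append((t0 + timedelta(days=day, hours=3 * day + 6), "10.1.2.7", "198.51.100.9", 443))
    for port in range(20, 60):  # document server sweeping ports on an internal peer
        flows.append((t0 + timedelta(seconds=port), "10.1.3.5", "10.1.1.20", port))
    return flows

if __name__ == "__main__":
    print("daily beacons:", daily_beacons(sample_flows()))
    print("port scanners:", port_scanners(sample_flows()))
```

Legitimate scheduled jobs such as nightly off-site backups produce the same daily pattern, so hits are a list to review against known, approved destinations rather than a verdict.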

With physical security, companies can employ security services to monitor alarms and provide guards to look for suspicious activity. If your manufacturing IP has value and would put you at a corporate disadvantage if stolen, then you need to employ active measures to maintain security. These can be accomplished through port scans, checks of actual installed vs. approved programs and libraries, checks of actual vs. approved accounts, and checks of actual vs. approved scheduled tasks. These checks need to be scheduled so they don’t disrupt production systems. Fortunately, someone stealing intellectual property does not want you to shut down production. The thief wants to get your information without you knowing, so many thefts are not from production systems but from secondary support systems, such as document servers, design systems, and backup systems. This means the IT department can usually be very aggressive in checking support systems without impacting production systems.
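The actual vs. approved checks listed above can be run as one comparison per host, shown in this added example, which is not part of the original article. It compares a fingerprint as well as the name (file hash for programs, role for accounts, command line for scheduled tasks), so a replaced binary or an edited task is reported even when its name is on the approved list. All host data, item names, and the three-category layout are constructed assumptions.

```python
import hashlib

def digest(content: bytes) -> str:
    """SHA-256 fingerprint; in practice computed over the installed file."""
    return hashlib.sha256(content).hexdigest()

def audit(approved, actual):
    """Compare a host's observed state with its approved baseline.

    Both arguments map a category to {item name: fingerprint}.
    Returns a sorted list of (category, item, finding) tuples.
    """
    findings = []
    for category in sorted(set(approved) | set(actual)):
        want = approved.get(category, {})
        have = actual.get(category, {})
        for item in sorted(set(want) | set(have)):
            if item not in want:
                findings.append((category, item, "unapproved"))
            elif item not in have:
                findings.append((category, item, "missing"))
            elif want[item] != have[item]:
                findings.append((category, item, "modified"))
    return findings

# Constructed baseline and observed state for a hypothetical document server.
APPROVED = {
    "programs": {"docserver": digest(b"docserver 4.2"), "backup_agent": digest(b"agent 7"),
                 "av_agent": digest(b"av 11")},
    "accounts": {"svc_docs": "service", "jsmith": "user"},
    "scheduled_tasks": {"nightly_backup": "02:00 backup_agent --full"},
}
ACTUAL = {
    "programs": {"docserver": digest(b"docserver 4.2 (altered)"), "backup_agent": digest(b"agent 7"),
                 "sync_helper": digest(b"unknown")},
    "accounts": {"svc_docs": "service", "jsmith": "user", "support2": "admin"},
    "scheduled_tasks": {"nightly_backup": "02:00 backup_agent --full",
                        "telemetry_sync": "02:15 sync_helper --push"},
}

if __name__ == "__main__":
    for category, item, finding in audit(APPROVED, ACTUAL):
        print(f"{category:16} {item:16} {finding}")
```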

Making your own safe neighborhood, locking and protecting your assets, and employing active measures to check for security breaches are the main tools for protecting your manufacturing intellectual property. There are bad guys out there, and they want to break in. You should work with your IT department to make sure you can keep the bad guys away from your manufacturing IP.

- Dennis Brandl is president of BR&L Consulting in Cary, N.C., www.brlconsulting.com. His firm focuses on manufacturing IT. Contact him at dbrandl@brlconsulting.com. Edited by Mark T. Hoske, content manager, CFE Media, Control Engineering and Plant Engineering, mhoske@cfemedia.com.

ONLINE extra

This posted version contains more information than the print / digital edition issue of Control Engineering.

At www.controleng.com, search cyber security for more on related topics.

See other articles for 2013 at www.controleng.com/archive.
