Featured Product
This Week in Quality Digest Live
Innovation Features
Edd Gent
Increasingly visible and accessible, but with caveats
Matt Fieldman
German system offers tips for U.S. counterparts
Belinda Jones
Reaping the benefits of manufacturing intelligence
Marni Baker-Stein
Closing the education-to-hiring gap

More Features

Innovation News
VSL hosts special edition of show at new center in Rotterdam
Latest line touts comprehensive coverage, ease of use
Same price, double the resolution and accuracy
Low-cost prevention of catastrophic failures
Diagnoses LVDT failures, disconnects, or short circuits
Using noncontact, interferometric technology
Quality doesn’t have to sacrifice efficiency
WFL continues a legacy of success

More News

Pat Toth

Innovation

Cybersecurity: A Critical Component of Industry 4.0 Implementation

Manufacturers may be more vulnerable than ever

Published: Wednesday, October 12, 2022 - 11:02

In an earlier article in this series, “Cybersecurity and Industry 4.0: What You Need to Know,” we discussed the four aspects of Industry 4.0: cyber-physical systems (CPS)/cobots, internet of things (IoT), cloud manufacturing, and automation, as well as how they are interconnected. Strong cybersecurity practices protect those interconnections, ensuring manufacturers’ systems consistently deliver accurate data in a timely manner—something critical to the success of an Industry 4.0 model.

In the past, enterprise systems in manufacturing facilities had distinct boundaries. The shop floor was separated from the office functions of the company both physically and electronically. Few production systems were connected to each other or the internet. In some ways, this approach, commonly known as “air gapping,” gave reasonable protection for small manufacturers. Without the risks associated with connectivity, manufacturers were seen by attackers as hard targets and not worth the effort.

Today, with the growing use of the internet and mobile devices, boundaries between traditional information technology (IT) systems, production systems, operational technologies (OT), or other equipment have almost disappeared. With the recent increase in the number of employees working remotely, the boundaries that remained in place were weakened further. Meanwhile, attacks to get around the air gap have become well known. Manufacturing is now the most targeted industry for cybersecurity attacks.

The fundamental guiding principle of cybersecurity is the CIA triad: confidentiality, integrity, and availability. Confidentiality limits access to sensitive company information; integrity ensures that company data and equipment remain trustworthy and accurate; and availability provides timely access to company data and equipment. Other attributes are sometimes added to the CIA triad, such as privacy and safety, but these are the generally accepted core principles and are things any Industry 4.0 adopter should consider.


The CIA triad is a model used to represent three core principles of cybersecurity: confidentiality, integrity, and availability.

What manufacturers need to consider with industry 4.0 implementation

My last blog introduced AthCo, a fictional medium-sized manufacturer of athletic apparel. AthCo had recently achieved rapid growth after the launch of its new athleisure collection, which relies on the in-house development of a new breathable fabric. The production method for the fabric is proprietary information that needs to be protected.

For many years, AthCo has used an enterprise resource planning (ERP) system and a customer relationship management (CRM) system. A great deal of data are produced from the ERP, CRM, and the “back office,” including transactional information.

With the implementation of Industry 4.0 through the use of sensors, cobots, cloud-based data analytics, a programmable logic controller (PLC), and data visualization, AthCo leadership can now retrieve and access data from every stage of the production process. This provides an instant snapshot of the production status and helps to monitor fluctuations and quickly address potential issues. Plus, the data AthCo now collects allow it to rapidly communicate internally and with its customers, suppliers, and business partners about things such as inventory levels.

But AthCo is learning that these improvements aren’t without risks. AthCo, just like any manufacturing company, needs to build the right infrastructure that can support and protect the collection, transformation, storage, and analysis of data.

Threats to manufacturers

Manufacturing systems must be protected against many types of threats. Most threats affecting small and medium-sized manufacturers fall into three categories:

Traditional IT: These are the types of threat most companies are familiar with—ransomware, data loss or theft, and intellectual property theft. They often target a company’s IT infrastructure and employees through phishing attacks (e.g., fake emails) or weak passwords. Successful traditional attacks can cost a manufacturer time and money. They can damage themanufacturer’s reputation as well as its business partners and supply chain. Often, smaller manufacturers are vulnerable to these traditional attacks because they don’t consistently monitor and update their cybersecurity protections.
Operational technology (OT): Industrial control systems (ICS), industrial IoT (IIoT), or other shop-floor equipment usually have little internal cybersecurity protection because they were always considered secure if air gapped. Today, this equipment is often connected to the company network and internet, and attackers can compromise them even if they aren’t connected. Successful attacks to the OT environment can endanger proprietary company information, interrupt the manufacturing process, or affect the quality of products.
Customized software: Manufacturers frequently use software that has been adjusted, modified, or adapted to fit the demands and requirements of their businesses. Often, software must be tailored to allow for communications among different manufacturing systems. These adjustments may unintentionally introduce security vulnerabilities. Additionally, to prevent the equipment from malfunctioning, the software isn’t updated or patched to address newly discovered vulnerabilities. If the custom software wasn’t designed from the beginning with security as a priority, or if it’s not implemented and maintained correctly, it can be a point of entry to gain access to other systems.

Let’s look at some scenarios that AthCo might face based on each of the three types of threats:

Traditional IT: AthCo’s IT staff has been very involved in implementing Industry 4.0. In fact, it has been so busy that it overlooked a new software update that included a number of security updates. This allows a hacker to penetrate the company’s IT systems and gain access to its customer database. Although payments are processed using a third-party that wasn’t affected, customer names, addresses, and order information were compromised. AthCo had to follow local data-breach notification laws, which cost it several thousand dollars. Unfortunately, AthCo is unable to tell what other information or systems the hacker may have compromised, and its ability to trust its data and IT infrastructure is now fractured.
Operational technology (OT): A disgruntled AthCo design department employee shoulder-surfs the production manager’s remote-access control credentials during an off-site meeting. Several days later, the employee uses the stolen credentials to remotely log onto the production system, bring up screens, and randomly click on things, hoping to do as much damage as possible. These actions result in a complete production shutdown for three days as the manufacturer is forced to reconfigure its machines.
Customized software: AthCo has several pieces of older production equipment that still work, but it needed custom software to connect the machines to the new production management systems. A local software developer customized some open-source software to provide this connection. Unfortunately, AthCo didn’t stress cybersecurity as a priority to the software developer, and the software contained many vulnerabilities that weren’t managed. As a result, AthCo’s production methods for its new breathable fabric, the reason behind the success of its new collection, was stolen by its competitor through the vulnerabilities introduced in its custom software.

AthCo knows cybersecurity must be part of the company culture, especially as it moves toward increased Industry 4.0 implementation. Here are some things that you and AthCo can do to protect your investments:

• Have a cybersecurity awareness and training program for new and current employees that teaches what behaviors are appropriate, how to identify suspicious activity, and how to react if they see a problem. See this list of free and low-cost online cybersecurity learning content compiled by NIST.
• Perform a cybersecurity risk assessment every year. This provides an understanding of which cybersecurity risks to focus resources on and prevents waste. See NISTIR 7621 Rev. 1—“Small Business Information Security: The Fundamentals” for a simple guide on conducting a risk assessment.
• Have a conversation about cybersecurity with any service providers. Make sure cloud service providers protect your data from misuse and disclosure, that cleaning or maintenance providers are trustworthy, and that critical utilities such as power or internet guarantee an appropriate level of “uptime.”
• Understand the cybersecurity practices of suppliers. AthCo could request that each supplier submit a completed vendor assessment questionnaire. See NIST’s Assessment & Auditing Resources page. This will provide an understanding of the level of cybersecurity expertise within the supplier’s company.

AthCo will need to determine the level of risk it’s willing to accept and what specific cybersecurity practices it will want to apply. A useful roadmap for reducing cybersecurity risk in manufacturing can be found at NISTIR 8133 Rev 1—“Cybersecurity Framework 1.1 Manufacturing Profile.”

As Industry 4.0 matures, and as we approach the fifth industrial revolution (5IR), your manufacturing company should expect to see the interconnection of data and technology as a competitive advantage over less technologically advanced companies. Cybersecurity will continue to be a critical component of successful implementation of Industry 4.0 and beyond.

For more information on cybersecurity and Industry 4.0, please contact your local MEP center.

First published Sept. 7, 2022, on NIST’s Manufacturing Innovation Blog.

Discuss

About The Author

Pat Toth’s picture

Pat Toth

Pat Toth has more than 30 years of experience in cybersecurity and has worked on various NIST cybersecurity guidance documents, including “NISTIR 7621 Small Business Information Security: The Fundamentals.”