Plant connectivity provides tons of advantages in production efficiency, competitiveness, and supply chain integration. It can't be ignored -- no matter how disturbing the possibility of cyber attack may be. That risk is daunting. Once you're connected, malicious bugs, viruses, and lie-in-wait thieves can enter a network and freely travel out of the plant and into products or other companies if the cybersecurity is inadequate. If you connect out to your supply chain partners, they share your vulnerabilities.
Another complication of cybersecurity is the manufacturer's need to mitigate its risk with insurance. Sounds like a great idea, but insurance companies are struggling to figure out how to evaluate a company's exposure. To further complicate cyber risk, automakers are struggling to create cybersecurity standards before the government steps in with regulations. This is part two of a two-part series.
At the Siemens Automation Summit last month in Las Vegas, Pranav Saha, a cyber security expert from Booz Allen Hamilton, explained the dangers of systems without sufficient cyber protection. "The plant becomes connected as a competitive move. A lot of companies are suppliers as well as manufacturers, so they want to connect to their customers," said Saha. "When they connect their production environment, their systems are naturally at risk, but so are the systems of their customers."
The compelling value of connectivity has taken the plant network far beyond its traditional reach. "There used to be three different environments: the plant network, corporate IT, and the industrial Ethernet. Now it's all one," Saha told Design News. "You can connect to customers and do plant analytics. You connect to your customers so you share information as fast as possible."
The changing nature of manufacturers is also opening new vulnerabilities. Manufacturers are beginning to offer services to their customers, and those services often include connectivity. "Product companies are becoming service companies, so it's not just security of production equipment that's a concern," said Saha. "Cybersecurity has to include the protection of services. The producer's network crosses into the customer's network, and that threatens the relationship to the customer."
Safety Strategies and Risk Mitigation
At the C-suite, executives are seeking two forms of protection to reduce their risk: deploy strong cybersecurity and buy some insurance. Yet obtaining insurance against potential damage from a cyber attack is not simple. "Insurers are trying to figure out how to write cyber policies, and manufacturers are trying to figure out how to buy cyber insurance to mitigate their risk. It's hard to price the insurance policies," said Saha. "Before an insurance company writes a policy, they want to do an assessment of the risk, but that's difficult. It's tricky from all sides."
Insurers are struggling to get their sea legs in cyber risk. So far, it's hard for them to tell if a manufacturer is at risk or not. "The financial services industry came up with an assessment of cybersecurity. It's a 50-page questionnaire that doesn't really prove anything," said Saha. "They're still trying to figure out how to assess cybersecurity. You can't eliminate the risk, but it's hard to tell what the actual risk is."
The Safety Imperative in Automotive
Another area of major concern is the hackability of cars. The auto industry was stunned by the hacking of a Jeep Cherokee last year, especially since driver safety was an issue. "Automotive companies were willing to accept a lot of cyber risk, but when they saw that cyber attacks could affect safety, they realized it could affect the brand," said Saha. "That changed their view of risk. Now they say they're not willing to accept any safety risks."
Automakers dashed back to the drawing board to try and overcome the cyber vulnerabilities of individual cars. "We're seeing laggards and leaders in automotive. In 18 months, every automaker will make a sizeable investment in cybersecurity," said Saha. "The issues may start in the plant. Then it goes beyond the plant because the plant hack creates problems with the vehicle on the road."
Another potential nightmare for the auto industry is the possibility of government regulations on cyber safety. Automakers are rushing to create powerful cyber protections so that government officials won't feel compelled to regulate them. "Will the government make laws mandating cyber security? Will there be an executive order for a cybersecurity framework?" said Saha. "The auto industry is concerned that the government will get ahead of them, so they're trying to come up with their own standards."
Rob Spiegel has covered automation and control for 15 years, 12 of them for Design News. Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years he was owner and publisher of the food magazine Chile Pepper.