Are Your Processes Safe, Hackers Turn Attention to Manufacturing

The presence of “hackers” in the manufacturing industry is ever growing and more attention should be given to this increasing threat.

We are certainly familiar with unauthorized intrusions into the IT systems of the financial and retail industries – think Target, SONY, JP Morgan and even South Carolina’s Department of Revenue – but we are just now starting to see the risk in the manufacturing industry.

In 2014 a German steel mill was infiltrated and hackers who disrupted its control systems prevented the blast furnaces from being properly shut down.  The disruption to the control systems caused massive damage to the mill.

In 2015, a serious vulnerability in Chrysler’s UConnect “infotainment” system was discovered, allowing hackers to remotely control a 2014 Chrysler Jeep Cherokee.

In April of 2015, the FBI applied for a search warrant and stated that the suspect “exploited vulnerabilities with the IFE” (In Flight Entertainment system) and “overwrote code on the airplane’s Thrust Management Computer” while in flight, causing the airplane to climb, resulting in a lateral flight path.

In 2015, a South Korean nuclear power plant was reportedly hacked as claimed by a social media posting by the “President of Anti-Nuclear Reactor Group”.  While there were no critical systems accessed, the ability to penetrate internal systems is alarming.

While we traditionally think of hacking as identify theft, financial theft of other such activity, these examples show that for both manufacturing systems and resulting manufactured product, hacking is a real threat and no longer theoretical.

One only needs to think about medical devices, vehicles, digital road signs, mass transit systems, and plants (chemical,  nuclear, etc.), to understand the risks to the manufacturing industry both facilities and manufactured products.

The FDA and Dept. Homeland Security have already issued warnings of a potential vulnerability in over 300 medical devices including infusion pumps, defibrillators, pace makers, ventilators and the like.

For example, in April of 2015, the FDA issued a warning stating “The FDA, the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), and Hospira are aware of cybersecurity vulnerabilities associated with the Symbiq Infusion System.”  (“The Hospira Symbiq Infusion System is a computerized pump designed for the continuous delivery of general infusion therapy for a broad patient population.”).

In response, a deep understanding of the communications and software of your products as well as the communication and operation of your industrial control systems (ICS) is critical to reducing this growing risk.

Unfortunately, as the manufacturing process has become more and more automated, the original design and creation of ICS, including supervisory control and data acquisition (SCADA) systems did not focus on cyber-security.  Further, ICS may not be updated, may not have the attention of IT (as it is in the production) so that vulnerabilities may not even be recognized.

Suggested options for increasing security and reducing the risk include: (a) budgeting for and hiring security consultants that understand the ICS and the industry; (b) employee training on security in general (stop using your birthday as a password and “abc123” or “qwe123” is not a password); (c) periodically have security audits preformed and make detection of intrusions a priority (proactive, not reactive such as using a Red Team); (d) investigate vendors and contractually hold vendors to your security standards; (e) create a response plan and (f) take advantage of outside resources such as the ICS-CERT program offered by the Dept. Homeland Security.

ABOUT THE AUTHOR: Doug Kim is a Shareholder with McNair Law Firm, P.A. A physics major and former computer engineer, he is a member of the firm’s intellectual property group. He is also current Chairman of the InnoVision Awards. Doug is also an editorial board member at South Carolina Manufacturing.