It’s widely understood that the adoption of smart technology is a central issue in modern manufacturing, and adoption has been accelerated by the COVID pandemic and labor shortages. In 2021, St. Norbert College’s Industry 4.0 Needs, Skills & Talent Survey reflected exactly that trend, with nearly three-quarters of Northeast Wisconsin manufacturers indicating plans to increase investments in automation in the next three years.
And there are plenty of other tech topics on manufacturers’ lips: industrial IoT, big data analytics, cloud computing, virtual reality. But there’s one Industry 4.0 concern that trumps them all: cybersecurity.
Rightfully so, says Fox Valley Technical College IT Department Chair Joe Wetzel, because when it comes to cybercrime, manufacturers are exposed in ways they may not even understand.
“Everything is smart today,” Wetzel says. “Like a huge industrial saw has a computer built into it monitoring how many revolutions the blade’s gone through so [it] can do predictive analysis.”
But when a company sets up its IT and security protocols, Wetzel says, it’s likely not thinking about updating firmware in a saw.
“These devices are giving us some really great data with which you can do some really cool stuff, but as far as security, that’s definitely a vulnerability,” says Wetzel, who adds that there is an entire Google-like website, shodan.io, listing IoT devices that are online and exposed, usually because they have been configured incorrectly. (“You don’t want to be on there,” he warns.)
“The manufacturing industry is built around distribution and production, so security isn’t really something that gets thought about,” Wetzel says. “But manufacturers don’t even know what ports are open on their devices. Some of the software is run on older operating systems that aren’t being patched. For threat actors, it’s all low-hanging fruit.”
Business on the line
Mike Schlagenhaufer, a manufacturing consultant for Acuity Insurance, says manufacturers are not only increasingly vulnerable to cyberattacks as they add employees and technology, but they also have the most to lose: vital equipment, relationships on both sides of the supply chain and, in many cases, the very essence of their business — their intellectual property.
“How do you put a value on intellectual property? If it’s the secret sauce to your pizza, that’s probably worth a lot to you,” Schlagenhaufer says. “I mean, yes, you can have ransomware and that’s a way of getting money. But if I have your intellectual property, I can sell it anywhere in the world and now your business suddenly has competition — or is being put out of competition.”
Currently, Schlagenhaufer says, the mainstream insurance industry is not set up to offer such protections. Insurance can help in the event of ransomware attacks or property loss, he adds, but it should always be relied upon as a last resort.
By the time you’re in the position of filing a cyber insurance claim, he says, a company is already in dire straits so practicing good cyber hygiene is the first, most critical step.
“With COVID, I wash my hands, wear a face mask and I don’t go in the disco dancing,” Schlagenhaufer says. “And with IT we change the passwords every 60 days on our laptops, we use encryption. That’s the basics.”
Cleaning up our act
But basic cyber hygiene is something that continues to elude many companies, Wetzel says. For those starting from scratch, he and Schlagenhaufer both recommend bringing in a consultant to “try to break into your system.”
“If you get that audit done, you can look at your policies, your firewall, antivirus, software patch management … all of that comes into play,” Wetzel says. “I mean, that’s scary to have an external person come in and look at your whole organization because you’re afraid of what they are going to find. But if you don’t do this, you have threat actors who are scanning your systems. They’re doing their own audit and trying to figure out how to get inside — and they’re good.”
And for companies that are linked in the supply chain, it isn’t just about understanding and preparing for your own vulnerabilities — it takes a village.
“If one business in that chain has a big breach, it impacts everyone and it’s like all of a sudden we can’t get cardboard boxes and the whole chain chokes,” Wetzel says. “That’s what we ran into with the meat industry [in June 2021], as soon as they got hit with ransomware. All of that’s built on business relationships and then all of a sudden somebody upstream is causing me to lose business because I can’t get the products I need. [Companies] will do whatever they can not to have that issue including paying ransoms.”
Call a meeting to talk through scenarios, Wetzel advises. “Spend some time and see if you can get a different vendor this week. Make sure you’ve got a plan,” he says.
Getting on the same page
Schlagenhaufer acknowledges that cybersecurity protections can be difficult to administer in large part because of a lack of global or even national standards. ISO — the International Organization for Standards — has attempted to outline basic cybersecurity practices, he says, but in his experience there’s only about a 10% chance a given company is on board with the standard.
“We need government, academics and industry to sit at one table and say what do we need to do, instead of us all having our own little thing,” Schlagenhaufer says.
And, for now, he says the insurance industry isn’t in a position to enforce coverage standards or audit cybersecurity policyholders.
“If loss control comes out to your building, we’re going to see if you have a sprinkler system, concrete walls. We see that and we understand that,” Schlagenhaufer says. “But if you tell me you encrypt your emails and limit access and that your data is backed up every day, that’s your word and I can’t prove that.”
But, Wetzel says, stricter insurance standards are undoubtedly on the horizon.
“The insurance companies are starting to say, ‘Here’s the deal; you’ve gotta do this and this and this if you want insurance,’” he says. “The costs just keep going up.”
The cost of cybercrime
John Sileo, president and CEO of the Colorado-based technology think tank The Sileo Group, says he believes there’s an opportunity to make a real difference in the manufacturing world through cybersecurity education. He will bring his unique insights to Northeast Wisconsin Oct. 26 as the keynote speaker for the Manufacturing First Expo & Conference in Green Bay. As the event’s keynote sponsor, Acuity’s Schlagenhaufer will introduce Sileo at the event. Registration is open at manufacturingfirst.com.
“Manufacturers, to this point, haven’t had the level of attack that we’ve seen in hospitals, defense, technology and financial, but it’s coming,” says Sileo, who agrees that basic personal cyber hygiene is the best defense against cyberattacks.
“There’s so much that’s dry and technical about cybercrime, and yet in the end it’s really about individuals making decisions. Social engineering, or manipulating the humans in the manufacturing environment, is huge because it is generally less about the technology and more about the misuse of technology by humans,” he says. “That personal aspect, while it doesn’t immediately seem important, is absolutely vital.”
Sileo should know. He lost his identity, his wealth and his multi-million-dollar software company to cybercrime — and his troubles started with throwing mortgage documents in the trash.
“I think that’s what the manufacturers will really identify with,” Sileo says of his upcoming speech and sharing his personal story, “losing their business at the hands of cybercrime.”
A call to action
Schlagenhaufer and Wetzel both say it’s well past time for companies to get serious about cybersecurity.
“We are getting better, but it’s hard,” Wetzel says. “The big thing for manufacturing companies right now is to identify what is your most valuable data, is it being secured properly, do the right people have access to it, and is it being backed up appropriately.”
And if you don’t understand your smart devices and how they’re communicating with the world, Wetzel says, fence them off.
As automation soars to an all-time high, Schlagenhaufer says the answer to manufacturers’ cybersecurity conundrum shouldn’t be to slow down technology but to speed up IT.
“Manufacturers, we are good at making widgets,” he says. “We’re not good at this IT stuff. We hire people who are more involved with the making of the widgets and not in the IT department. I’m a big Industry 4.0 guy. I love it. But the risk, we don’t understand.
“I don’t want companies to stop adopting Industry 4.0 because we need it — but we need to understand that we need to beef up our IT departments. Data is knowledge. Data is money.”