More than 35% of cyber espionage attacks in the United States are targeted at manufacturers, more than any other business sector, according to a recent U.S. national defense industry association study.

To ward off today’s determined hackers, manufacturing companies of all sizes must now urgently analyze and protect both their internal operations and their entire supply chain ecosystem to prevent malicious disruption, the theft of intellectual property, data ransom attempts, or competitive denials of service.

As manufacturers accelerate the deployment of digital technologies to modernize and interconnect their facilities and supply chains, they also open up new risks for cyber-attacks, stressed Chandra Brown, CEO of MxD, during a recent virtual plant tour for Manufacturing Leadership Council members.

Smaller companies are especially at risk, Brown added. “Hackers are very aware that there may be more vulnerabilities in smaller companies, and their attack vectors on large companies can start with targeted attacks on the smaller companies within their supply chain.”

And a cyber-attack can be fatal: 60% of small companies go out of business within six months of an attack.

MxD, which was designated as the National Center for Cybersecurity in Manufacturing by the U.S. Department of Defense in 2018, took virtual plant tour participants through two cybersecurity demonstration areas within its 22,000-square-foot Innovation Center in Chicago to highlight what can be done.

Build a Cyber Wall

MxD’s framework for cybersecurity is designed to address the five major cybersecurity elements published by the National Institute of Standards and Technology (NIST): identify, protect, detect, respond, and recover.

First up on the tour was MxD’s Cyber Wall, which is configured to help manufacturers understand the vulnerabilities of, and required protection for, Operational Technology (OT) systems. These systems are vulnerable because they are typically based on microcontrollers or PCs that are increasingly connected to local area or wide area networks. As MxD demonstrated the Cyber Wall, they provided the following tips for meeting the first two NIST elements:

Identify: If you don’t know how many devices you have connected to your network, find out. There may be more than you think — the average could top 4,000 in a 100,000-square-foot factory. It’s also key to know what operating system you’re running, how often it’s updated, and if it has the most recent security patches.

Protect: The next brick in the cyber wall is installing software on each device that will keep you updated on whether it’s connected and, if so, whether it’s running the latest, most secure software version.

To illustrate how the Cyber Wall works, MxD uses two identical PLC industrial control systems, each attached to a unique network of PCs, routers, switches, and firewalls. One is protected with “whitelisting,” or application control, while the other is not. Rather than trying to keep an up-to-date list of malicious software, which is constantly propagating, application control only allows software that is expressly approved. When a USB drive loaded with an unknown malicious executable file is plugged into each system, the protected system blocks the executable file since it is an unrecognized application, while the unprotected system allows it to start malicious activity.
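The contrast between the two list types described above, as an added example that is not MxD's software: it assumes a program's identity is the SHA-256 of its file contents, and every file name and byte string in it is constructed for illustration.

```python
import hashlib

def digest(image: bytes) -> str:
    """SHA-256 of a file's contents; identity is the content, not the file name."""
    return hashlib.sha256(image).hexdigest()

# Constructed byte strings standing in for executable files on an OT workstation.
APPROVED_IMAGES = {
    "hmi_client.exe": b"constructed HMI client build 1",
    "plc_programmer.exe": b"constructed PLC programming tool build 7",
}
# Expressly approved software (assumption: hash-based approval only).
ALLOWLIST = {digest(img) for img in APPROVED_IMAGES.values()}
# Malware that someone has already catalogued.
DENYLIST = {digest(b"constructed malware sample already catalogued")}

def denylist_policy(image: bytes) -> str:
    """Default-allow: block only what is already listed as malicious."""
    return "block" if digest(image) in DENYLIST else "allow"

def allowlist_policy(image: bytes) -> str:
    """Default-deny (application control): run only what is expressly approved."""
    return "allow" if digest(image) in ALLOWLIST else "block"

def evaluate(launches):
    """Return (name, denylist decision, allowlist decision) per attempted launch."""
    return [(name, denylist_policy(img), allowlist_policy(img))
            for name, img in launches]

# Constructed launch attempts: a path-like name plus the file contents.
LAUNCHES = [
    ("C:/hmi/hmi_client.exe", APPROVED_IMAGES["hmi_client.exe"]),
    ("E:/catalogued.exe", b"constructed malware sample already catalogued"),
    ("E:/update.exe", b"constructed malware sample nobody has seen yet"),
    # Same name as an approved tool, different contents: the hash no longer matches.
    ("E:/plc_programmer.exe", b"constructed PLC programming tool build 7 + implant"),
]

if __name__ == "__main__":
    for name, deny, allow in evaluate(LAUNCHES):
        print(f"{name:24} denylist={deny:5} allowlist={allow}")
```

The last two launches are the ones that matter: the denylist lets both run because neither is catalogued, while the allowlist blocks both, including the file that borrows an approved tool's name.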

All it takes is one person to plug in a suspect USB or click on a phishing email to set a hacker loose in the system. That’s where network segmentation comes in. The MxD protected system is contained within its own segmented network, with access controlled by a firewall that manages both internal and outside access, so if a hacker does break in, you can keep any damage from spreading to other areas within the facility.

Erect a Cyber Platform

To address the remaining three NIST cybersecurity framework segments — detect, respond, and recover — MxD demonstrated its Cyber Platform. Like the Cyber Wall, the demonstration was based on programmable logic controllers used to power the OT control system, in this case to operate an array of pumps and valves to direct liquid through separate clean and wastewater pipe networks. It includes 20 sensors to monitor temperature, flow rates, pressures, and other factors.

Detect: Like most factories, the MxD cyber platform uses an intrusion detection system (IDS) to monitor network traffic and note an anomaly, such as when a hacker tries to take over the PLC. It then alerts appropriate personnel to investigate.

Respond: The most important thing is to have a plan, including official, easy-to-locate policies and procedures. These generally include 1) bringing the system to a safe halt; 2) disconnecting the affected system from the network to keep the corruption from spreading; 3) communicating the incident to the proper internal and, if appropriate, external personnel and law enforcement; 4) performing a root cause analysis to determine how the problem happened and how to mitigate similar incidents in the future.

Recover: While the details will vary across industries, a recovery plan generally should include 1) having a documented plan on how to bring the systems back online — manufacturers should have software backups of all systems, including OT, so they can revert to the last backup that happened before the hack; 2) reviewing the root cause analysis to determine what corrective actions are needed; 3) bringing the system back online. MxD engineers did a failure modes and effects analysis (FMEA) when designing the Cyber Platform to determine potential hacker targets and worst-case scenarios ahead of time so they could build recovery mechanisms into their systems. Even if you have an older legacy system, it’s worth doing an FMEA to help drive effective recovery plans, they said.

The goal of manufacturing security is “to operate securely, not to secure operations,” stressed the MxD panel at the end of the virtual tour. The goal always has to be to ensure continuous production, not to be 100% secure.

As cyber threats evolve, manufacturers must also evolve the tactics they use to thwart those threats. But don’t expect to ever be able to thwart them completely. The most important thing, concluded MxD, is to have a plan in place to get back up and running before too much damage is done.