Cyber security in manufacturing

Infoseq’s information and cyber security advisor, John Endacott, raises awareness of, and offers education on, the security of the systems that support manufacturing, design and information sharing within the aerospace supply chain.

Our increasing dependency on technology in engineering continues. The merging of Operational Technology (OT) and Information Technology (IT) also continues. Traditional protocols typical of non-routable networks found in OT environments are being replaced by routable equivalents that use the same Internet Protocol (IP) as the Internet and corporate IT systems.

There are key dependencies on technology throughout manufacturing lifecycles, including MRP, CAD/CAM and CNC equipment, the increased use of rapid prototyping and additive and subtractive manufacturing, and the manufacturing processes of the aerospace industry itself, with its increased adoption of structural composite components, metal matrix composites, etc.

Engineering projects are, by their nature, very collaborative. Information is frequently shared between parties, often across complex, convoluted and sometimes opaque supply chains. “Our supply chain is secure” is easy to claim, yet difficult to measure or accomplish. These dependencies on technology require us to be able to appropriately secure the systems that underpin our design and manufacturing capabilities.

The security controls applied should be risk-based and ideally a blend of cyber-aware staff (developed through appropriate ongoing training and awareness), robust processes and policies, and carefully selected technical controls. Our staff are often our last line of defence when it comes to system security. Social engineering continues to be a common method used to open doors as part of the information gathering and reconnaissance activities that precede a more targeted attack on a system. A member of staff not clicking on a malicious link or not opening an attachment in an email may be key to preventing a security incident.

Regardless, the goal has to be to identify an appropriate mix of controls for a given business or circumstance. Systems need to be resistant and resilient to negative impacts that may be caused by both deliberate/malicious and accidental actions.

It’s reasonable to assume that for all but the most minor of incidents, it’s much cheaper to prevent an incident than it is to recover. However, should an incident occur, we also need to be able to detect and react to that incident.

To meet these lofty goals, the technology systems and security controls require due consideration and design. Security requirements should be identified and factored into systems from the earliest stages of a project.

Manufacturing has some very specific scenarios that require special consideration. For example, how to secure the un-patchable: IT systems typically have a lifecycle of 2-5 years, whereas OT is often required to be operational for decades. This can result in key infrastructure running unsupported software that no longer receives vendor security fixes for known bugs. This vulnerability is made worse by the trend for increased connectivity, especially to untrusted systems such as the public Internet, or to less trusted systems such as corporate IT networks, supply chains, vendor support connections, etc.

Systems must be designed to be resilient to attack and to provide appropriate countermeasures that are proportionate to the sensitivity of the assets being protected: why use a £100 lock on a £5 bicycle?

The ongoing challenge is to support our businesses in an ever-changing environment. In most cases, we’re trying to provide excellent engineering services, not necessarily over-engineered cyber security solutions. This means better understanding what assets we have that may require protection, and who or what we need to protect them from. Once this is understood, appropriate risk management activities can be conducted.

There is help freely available. The technical authority for Her Majesty’s Government (HMG) has made much of its security advice available on the Internet. The recent launch of the UK’s National Cyber Security Centre, with its mantra “Helping to make the UK the safest place to live and do business online”, together with HMG’s cyber strategy, goes some way to demonstrating commitment in this area.

There are many other excellent sources of guidance. The opportunity lies in interpreting this guidance and industry best practice, and in applying them in proportionate, pragmatic and cost-effective ways. We all, at least, need to be doing the basics well.
