Cyberattacks from just one compromised device can open your entire enterprise to profound risk, so avoid acquiring surplus or repaired automation products.
By Andrew Hastert, commercial program manager, Channel Services, Customer Support & Maintenance, Rockwell Automation
You don’t have to go far to hear stories about the growing threat of cybersecurity. These stories always come packed with the drama and mystery of a binge-worthy Netflix show. Shadowy figures living in Eastern Europe, nation-states sponsoring underground criminals, USB drives passing hands in the shadow of a national monument ... throw in a Maserati chase in the mountains and you have the next James Bond film.
It’s comforting to know the fictional targets are almost always a corrupt company or crooked politician and, at the end of the movie, you can go home and rest soundly knowing you’re safe.
The reality is much scarier than fiction. If you haven’t read Andy Greenberg’s recent Wired article “The Untold Story of Notpetya, the Most Devastating Cyberattack in History,” do so now, then come back to this later.
As you’ll learn, the targets for these attacks are normal companies from which we all benefit. Suddenly the pills we take, the food we eat, the things we buy and ship, physical access to the buildings we walk in and out of, our global supply chain is at unprecedented risk.
The conservative estimate for the NotPetya attack yielded $10 billion in losses, but the personal impact for consumers as well as the employees who could have unwittingly caused these downtimes are unfathomable. The cause? For most of these companies, a little-known application living on a server rack in a corner of their operations took down their entire global supply chain.
The NotPetya attack on its own created an explosion of need for industrial cybersecurity work, and this challenge is only going to snowball.
The Good and Bad of Connectivity
With the Industrial Internet of Things (IIoT) and the explosion of IP addressable devices, there are now more IP addresses than humans on the planet.
According to Business Insider, we can expect the number of IP addresses to reach close to 35 billion (Cisco predicts this will grow to 50 billion by 2020), with more than 20 billion of those accounted for in IoT and enterprise applications.
Anyone who’s taken a quick stroll through an industrial facility wouldn’t be surprised by these numbers. Access control, HVAC, utilities, production systems, machines, gas safety systems, machine safety systems, batch processing and material handling all are connected, and the information is leveraged to drive plant-wide and enterprise-wide productivity. Plants don’t only rely on information to improve maintenance and energy use; they rely on this connectivity to run — and safely.
There’s a hidden threat lurking in plants all over the globe, and it’s the most overlooked threat in the supply chain. The obvious threat vectors in cloud application hosting, unpatched network infrastructure and nefarious email spam are getting characterized and patched by “white hat” hackers all over the globe.
Where’s the breach in the moat? Billions of IP addressable smart devices that are critical to plant operations — and connected to the operations network — are suddenly the ultimate Trojan Horses, especially when you consider where these devices could come from.
If you’ve followed some of Bloomberg’s recent reporting, you know that some nation states are embedding tiny chips within U.S. connected devices with the sole intent of infiltrating and disrupting. This has been named the most significant supply chain attack known to be carried out on American companies. Suddenly, every automation product purchased from surplus providers suddenly opens the plant to significant risk in loss of intellectual property and unintended downtime.
There are some obvious ways to mitigate this risk. At Rockwell Automation, for example, we’re being proactive in addressing this threat through strict supply chain management and focus on product authenticity. By selling our products direct or through an Allen-Bradley? authorized distributor network, we help ensure customers receive new, genuine products with factory warranty that are not counterfeit, stolen or compromised. See a recent ruling we brought before the U.S. International Trade Commission (ITC).
This, of course, doesn’t stop enterprising procurement managers from buying this technology from nonauthorized resellers with the hopes of reducing acquisition costs. This will still introduce the risk of increasing long-term support costs, intellectual property infringement, noncompliance with validation standards, and, worse, opening plants to untold security threats, so there are no savings.
Procurement leaders around the globe can rest easy knowing there are other ways to reduce acquisition costs without installing significant risk in the plant floor by buying surplus automation products. Manufacturers can save significant money in remanufacturing and improve overall equipment efficiency (OEE) by cutting downtime and reduction in frequency of failure.
Recent cyberattacks like NotPetya have taught us that it only takes one compromised device to open the entire enterprise to unfathomable risk in lost production and intellectual property. Take action by making sure the people in your organization understand these risks and don’t just repair on the open market or buy surplus products in its place. Your company’s production and reputation are worth it.
The Journal From Rockwell Automation and Our PartnerNetwork? is published by Putman Media, Inc.