Four years ago, President Barack Obama and Attorney General Eric Holder approached their senior leadership teams with a request that was both traditionally straightforward and abnormally complex. Chinese military officers, reportedly under orders from the People’s Liberation Army, were hacking into some prominent names in American manufacturing and filching intellectual property. What could the United States do to stop them?
Robert Mueller, then the director of the Federal Bureau of Investigation, initially suggested that the government treat China as a “cyber national threat actor on the security side,” before opting to charge the country under the Computer Fraud and Abuse Act. The FBI started a criminal case against the military officers, and used criminal authorities to investigate them and their activity on U.S. networks. The result, in May 2014, was the indictment by a Pennsylvania grand jury of five hackers. Listed among the victims were U.S. Steel, United Steelworkers, Alcoa, SolarWorld and Westinghouse Electric.
That set a precedent and, earlier this year, helped spark the new proposed Cybersecurity National Action Plan. Part of Obama’s final presidential budget, it calls for $19 billion and covers basics like two-factor authentication, systems updates and specialists. That might be enough to at least bend the curve on the influx of cyber threats.
“I think it’s something like 97% of Fortune 500 companies have been hacked in one way or another by the Chinese military,” FBI supervisory special agent Ganpat Wagh said. “And the other 3% haven’t figured out they’ve been hacked yet.” This, Wagh said, is the Chinese model of using military intelligence to benefit its economy. “It doesn’t matter what the industry is. They want to get a foothold.”
Cybersecurity has been one of the top tech buzzwords for years now, probably ahead of Big Data and lagging behind Internet of Things, and it will remain high on the list for the foreseeable future. It certainly should for manufacturers, who, “generally, are lacking behind other industries because people think criminals are still just going after credit card information,” said Matt Neely, who studies attack vectors of manufacturers as director of strategic initiatives at SecureState. “That’s evolved, and they’re going after a lot more.”
The information is often readily available. According to Global State of Information Security Survey: 2015, a report from PricewaterhouseCoopers, 36% of manufacturers haven’t implemented security standards for third-party providers, 42% don’t perform security risk assessments of third-party vendors, 46% don’t perform vulnerability assessments, and 47% don’t have a strategy for cloud computing.
“Manufacturing doesn’t get nearly the same level of attention” as other industries, like finance and retail, “even though the risks are there,” said Gregory P. Stein, an associate at Ulmer Berne LLP in Cleveland and vice chair of the firm’s data privacy and information security group. “There are other focal points, the first of which is intellectual property, which is a potential target for an attack. It’s difficult to tell where this information lies and how best to get your hands around it. You really have to do deep dives and talk with people within your organization to see where this sits.
“Where is your sensitive information? How do you protect it?”
And what can you do today to make sure your interconnected manufacturing business is up to speed and under control?
Peter Macdiarmid, Getty Images
Cut to the chase. The first step is to be aware of cybersecurity, which is not difficult these days thanks to the inundation of headlines, conference panels, and recent proposed government spending. The IoT and the potential connectivity of tens of billions of devices has also helped increase acknowledgement of the threat.
“It’s important to remember that security is not an add-on, security is not an overlay,” said Maciej Kranz, vice president of the corporate strategic innovation group at Cisco. “Security needs to be embedded in all of our systems, in all of our infrastructure, in all of our software, at the architectural level.”
The second step is to think about where potential cyberattacks might come from. According to that same PricewaterhouseCoopers report, 62% of all manufacturing breaches are a result of the actions of current or former employees, with 30% attributed to competitors and 26% to hackers (there is, obviously, some overlap among those groups). Whether internal or external, though, the average breach is, incredibly, 205 days old by the time it’s detected.
“You have to think of different threat vectors from different means, different entities,” said Frank Kulaszewicz, senior vice president of architecture and software at Rockwell Automation. “It could be physical, it could be malware, connectivity, internal, external – and you can’t assume that your IT systems are simply going to protect that environment for you.”
After that, prepare, develop, test and own an incident response plan, the technological equivalent of a fire drill if a fire could wipe out your physical and digital factory. Write it down and update it. Define every member of your team, both in-house and third-party, and put somebody in charge. Talk with your local federal law enforcement agents (never a bad idea to get together with your local FBI agents, especially since at least some are receptive to late-night calls for breaches). Practice regularly.
“If you’re not the slowest camper running from the bear, you’re fine,” McNeely said. “When you move into the realm of hacktivists or organizations looking to steal IP, they’re going to be a lot more focused on the organization. Your company can be not at all of interest one day, and the next they learn you’re involved in some seemingly random area and they’ll target your company specifically.
The questions you should be asking about your company's cybersecurity policy and practices:
What are the most valuable intellectual properties and customer-based assets we need to protect?.
Where are those assets housed? In house? In the country? In the cloud? Are they all on the same network server?n
What cybersecurity risk, vulnerability and compromise assessments have we done in the last year?
How do we protect our most important assets with the right financial, hardware, software and human resources?
How do we train our employees to deal with cybersecurity attacks?
Are we doing due diligence of our third party or outsourced vendors to assure they aren’t a source of cybersecurity attack? Can they recover from a cyberattack against their own network?.
Adapted from the 2015 ebook Navigating the Cybersecurity Storm: A Guide for Directors and Officers, by Paul A. Ferrillo, counsel in Weil, Gotshal & Manges’ litigation department
“They could be looking for specific information, too, and we’ve seen attacks that take a long period of time with a lot of patience.”
Many cybersecurity threats aren’t even necessarily interested in you and your organization. The heck with your intellectual property. They might want access to another company on your supply chain, and lying in wait for it can require even more patience.
“This isn’t a global manufacturer issue,” said David Carlson, senior vice president of the U.S. manufacturing and automotive group and practice leader at Marsh. “It could be a small, Tier 1, Tier 2 supplier. What they’re waiting for is, they want to find out who your large manufacturing customers are, and they want access to them. They want access to GM’s capital systems, and they know you supply them, so they’ll send something and they’ll wait. This is what you see, the equal-opportunity hacking.”
Analytics and Cybersecurity
Last thing. Pay attention to big data — and particularly analytics. Numerous industry experts and manufacturers mentioned an increased focus on and implementation of analytics tied to cybersecurity, and you will likely continue to hear and read about it.
“You have your endpoints, and you can have secure communications back to collect the massive amounts of data,” said Jeff Jones, principal and cybersecurity strategist at Microsoft. “Then some of these newer advances can be leveraged on the security side. We have telemetry from the consumer and other areas that feed in to identify potential IP addresses associated with malware in the last 30 days, which can then benefit a solution.”
It’s not a magic bullet, or a silver bullet, or whatever term you prefer for a perfect solution. But it is another tool, another solution. When you need to secure your factory, your processes, everything that defines your company, nothing is more important than anything else.
Because, as Kranz of Cisco said, “hope is not a strategy.”