Automotive production networks have become far more connected but also more exposed to problems with IT and OT network security and compatibility. Nick Boughton, digital lead at Boulting Technology, explains how manufacturers should be more aware and prepared
Nick Holt: What are the most common types of threat to manufacturers IT operating systems?
Nick Boughton: While there are certainly people around the world whose intention it is to hack and disrupt company IT networks, it’s quite often that problems occur from incidents within a company’s network, and that are not intentional. Disruption can be due inadvertent physical damage to cabling or IT equipment and also members of staff unwittingly introducing viruses into the IT network through accessing information via USB sticks, etc. There have been some examples of this where manufacturing operations have been shut down as a result of an employee downloading insecure content.
The challenge now is that these manufacturing networks are increasingly connected so the potential for disruption is far greater. The different areas of operation are no longer isolated so if a virus is introduced into one section then you can have a domino effect across an entire factory or even multiple sites. However, companies are now more aware of these risks and these incidents are becoming less common.
How can manufacturers manage data through their supply chain?
At a recent conference I attended, a concept called Digital Continuity was discussed and this looked at how the digital cycle can and should be managed across any number of linked users and suppliers. This would seem to be a formalization of what has been an ongoing process of ensuring strong links throughout a supply chain. But this is certainly a challenge especially when you consider trading globally with many different companies that will use different standards and protocols.
In the context of vehicle manufacturers, over the years many car companies have gone through a number of different owners as they have been bought and sold, and this often sees different systems and protocols being introduced and overlaid on existing systems. This creates issues because individually they may still be valid in relation to a specific area of operation, but they are not the same and may not work together in a network structure. So, managing this type of scenario, trying the create a more joined-up, secure production operating system from different IT systems and platforms, without any disruption to ongoing production, is challenging. Also, these systems are often in the background, one step removed from the actual manufacturing operations, but still essential to the process.
In recent years the areas of operational technology (OT) and information technology (IT) have become much more connected. As a result, operational systems are subject to much closer monitoring regarding any unexpected changes or problems.
What is the biggest challenge in securing a global manufacturing network?
Manufacturers need to raise the level of vigilance, ensuring their staff are made aware of security protocols and any potential threats, as the causes of problems in relation to system security and integrity can come from the small, seemingly insignificant issues not just major attacks on a network. Also, its increasingly important to ensure there is a joined-up policy across the supply chain, as in the case of global manufacturing networks there may be different working cultures that need to be understood and taken into account; it’s not ideal to have say seven different factories in seven different countries all working in entirely different ways.
The external security threats are ever changing, becoming more sophisticated, so manufacturers will have to continuously adapt their systems and protocols in order maintain a high enough level of security for their networks. Rapidly changing technology also adds potential risk, for example the huge increase in the number of connected devices being used in controlling and monitoring production operations.
One of the main problems in making manufacturing operations networks secure is the need to marry IT and operational technology that were never designed to work together. The biggest issue: The different lifecycles. New IT systems are typically introduced in three-to-five-year update cycles, while operational systems can be in place for 40 years or more.
Walker said that the ways companies reduce risk to operational technology differs from the controls that can be easily applied in the IT environment. There are constraints that can make reducing cyber-security risk much more difficult; he gave the example of anti-virus protection, something that is commonplace in IT networks but can be difficult to deploy and maintain in an operational system.
Walker also noted that the people tasked with securing operational technology are now more likely to be IT specialists. “Colleges are putting out IT specialists every year but there are not many operational technology experts coming out of trade schools any more, and certainly not many security operational technology specialists,” said Walker. “We are asking IT people to secure a technology they are not familiar with – and this is causing hardships through the organisations.”