Search: |
CMH Holiday Shutdown!
Our offices will be closed December 25th through January 6th, we reopen January 7th
If you need urgent assistance during this time, please call 806.744.8003 or email:[email protected]
Search: |
HOME → ARTICLES → Industry 4.0 and Foundry Cyber Security
President
CMH Manufacturing Company
www.cmhmfg.com
Casting process simulation has been used by many foundries to design the process for production of castings before castings are made or before equipment is built or altered. Computer modeling has the ability to evaluate process designs in much less time, and at much less cost, than building equipment and producing sample castings.
McKinsey defines industry 4.0 as "the next phase in the digitization of the manufacturing sector, driven by four disruptions: the astonishing rise in data volumes, computational power and connectivity, especially new low-power wide-area networks; the emergence of analytics and business intelligence capabilities (BI); new forms of humanmachine interaction such as touch interfaces and augmented-reality systems; and improvements in transferring digital instructions to the physical world, such as advanced robotics and 3-D printing."
Industry 4.0 and IIoT will be changing the way foundries do business. In traditional foundries the information technology (IT) and operational technology (OT) departments were back room wire heads that no one in management understood their use of unheardof acronyms. These two areas of expertise have very different priorities and goals that lead to a finished casting. We cannot live like that today. In Industry 4.0 and IIoT huge amounts of data are being created and shared in foundry operations such as:
This vast amount of information will be shared via IIoT, the cloud, digital threads, and real time data analytics. We will rely on our desktops, laptops, handheld devices to do things that were once done with memos and face to face communication. Obviously, there is a need for heightened cyber security.
All this new technology and data transfer have given the criminals new ways to attack and rob us. Cyber attacks are a real threat regardless of the size of your business. I know this firsthand because my company’s bank account was robbed by cyber thieves. This painful incident is proof that cybercriminals are innovative, organized, and have no morals. That being said, your defense must be more innovative and organized. Despite this new threat many foundries have been slow to respond, often thinking we are well protected, or it cannot happen to us. There is no simple solution to protecting your foundry's data. We must combine high tech security with a culture of workplace security and employee training.
Foundries must take a universal approach to Industry 4.0 cybersecurity; a policy method that includes people, process and technology. They must develop a security plan and identify the biggest risks to the foundry operations referred to previously. Some of the questions include:
Creating a traditional risk assessment matrix is a good way to plan for failure. An example is:
Once the matrix is completed for all foundry operations, real time events can be in an OT report that states risk. Then clear guidance on how to improve foundry procedures and safely implement Industry 4.0.
Although in no particular order of importance, some of the weakness found in my company’s operations are:
Now that risks have been identified, we must develop security procedures. Due to the critical nature of cybersecurity the Cybersecurity and Infrastructure Security Agency (CSISA) was created by the Federal Government. Their catalog is available at https://www.cisa.gov/ publication/cisa-services-catalog In addition, on 12/04/2020 Congress passed Public Law No:116-207 “The Internet of Things Cybersecurity Act of 2020." This bill requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specified steps to increase cybersecurity for Internet of Things (IoT) devices. IoT is the extension of internet connectivity into physical devices and everyday objects. Other frameworks and standards such as IEC 62443, ISO 27001 and 27002, NIST Special Publication 800-82 and the NIST Framework for Improving Critical Infrastructure Cybersecurity have been created as guides.
While both IT and OT are important, foundry managers must make a clear distinction between IT and OT management. This can be difficult in that IT and OT priorities are sometimes different.
The following tables illustrates how nine key points can differ:
Now that the key differences between IT and OT have been identified, the foundry manager must:
The simple installation of a noncritical device such as a Wi-Fi printer can open a weakness. An even greater threat can be the use of personal smart phones and USB devices to conduct company business. The uncontrolled access to servers can also result in many gigabits of garbage being stored. Training must also be tuned to each employee’s ability. The molders understanding of cybersecurity might not be the same as your PLC programmer.
To help foster heightened OT security, equipment manufacturers that want to help foundries implement Industry 4.0/IIoT should provide hardware, PLC programing, HMI programing, software, and networking that provides segmentation and segregation between foundry systems and non-authorized users. Unfortunately, the more systems connect, the more exposed and vulnerable the underlying sensitive manufacturing layers become. Unless specifically isolated, as network-connected devices, a compromised IIoT device can provide access to the rest of the OT segment it is on. Multiply that times thousands of individual devices, and you can see where the potential security issues proliferate. Therefore, the security of IIoT devices on the OT network is just as important as all the other network-connected components running the machinery.
Equipment manufacturers need to change how we secure networks in an Industry 4.0/IIoT age. As pointed out IT and OT sometimes conflict so how do we connect the lower OT operations directly to the IT operations while maintaining cybersecurity? What role does the cloud play in all this? How can we reconcile the ability of IIoT devices to send data directly to the cloud with the need to properly secure them against the growing potential for compromise?