As industry becomes ever more connected, the risk of cyber-attacks is increasing, delegates at this year’s Automotive Logistics Supply Chain Conference in Atlanta were warned.
Automation, technology and network communications are now central to the daily operations of carmakers and their suppliers, with a vast amount of information and data now stored digitally. OEMs and their parts or service suppliers share data through various digital channels to make operations, including manufacturing and logistics, more efficient.
At the same time, the vehicle itself is becoming a digital hub connected to the carmaker and an extension of the online social life of its occupants. This increasingly complex level of interconnectedness supporting the industry makes the need for cyber-security more crucial than ever, according to Klint Walker, cyber-security advisor at the US Department of Homeland Security (DHS), because the faster the industry becomes connected, the more vulnerable it becomes to attack.
It is not just smaller companies with less investing power that are vulnerable, as the high-profile attacks over the last couple of years on Renault-Nissan, Honda, Maersk, Cosco Shipping Line, FedEx and DHL have shown. And it is how companies are attacked through their wider digital networks that is important to understand, said Walker, who works at DHS’ Cyber-security and Infrastructure Security Agency (CISA).
“The security for your organisation is only as good as the security of every other person you do business with,” he stated.
The DHS is charged with protecting 16 critical infrastructure sectors in the US, and the automotive industry covers more than one of those. It is part of the critical manufacturing sector but also involved with transport systems, commercial facilities, IT and the chemicals sector.
Thanks to the growth in device connectivity and internet communications – the internet of things (IoT) – each business has multiple channels of entry through which hackers can gain access to important information and exploit it to their gain through theft or ransomware. As Walker put it, the ‘attack surface’ is getting bigger all of the time.
By way of example, Walker said that when carrying out penetration testing on companies to assess their vulnerability, his favourite method was to go through the heating, ventilation and air conditioning (HVAC) systems of a location to get into the corporate network.
“Or I have used the elevator control systems to get access to private data because it is all interconnected; you are using one network to connect everything,” he said.
Technology mismatch
One of the main problems in making manufacturing operations and logistics networks secure is the need to marry information and operational technology that were never designed to work together because of their different lifecycles. New IT systems are typically introduced in three-to-five-year update cycles, while operational systems can be in place for 40 years or more.
Walker said that the ways companies reduce risk to operational technology differ from the controls that can be easily applied in the IT environment. There are constraints that can make reducing cyber-security risk much more difficult; he gave the example of anti-virus protection, something that is commonplace in IT networks but can be difficult to deploy and maintain in an operational system.
Walker said critical manufacturing systems were designed as self-contained networks, separate to IT, where one had to be physically present to administer any changes to them.
“Today [however] we have integrated them so that a person in a plant on one side of the country can administer the critical systems in a plant on the other side of the country, or link them with a business partner for real-time data flow for inventory control management,” Walker pointed out. That opens up the operational systems, the critical running of the plant, to attack, he added.
What is more, the people tasked with securing operational technology are now more likely to be IT specialists.
“Colleges are putting out IT specialists every year but there are not many operational technology experts coming out of trade schools any more, and certainly not many security operational technology specialists,” said Walker. “We are asking IT people to secure a technology they are not familiar with – and this is causing hardships through the organisations.”
There are lessons to be learned from the airline industry, which is subject to daily attacks on its security, according to Walker.
“People are using thumb drives to hack airplanes and it is happening every day around us,” said Walker. “The ‘bad guys’ know what to do and are looking for a way to make money out of it.”
[Figure: Information technology vs operations technology]
Personnel access
One of the most vulnerable channels for nefarious access to corporate networks is the employee and their own personal online activity.
“How many of you use your home network to connect to your corporate one to work from home?” asked Walker. “The bad guys will attack your home network to get to your corporate network. The only thing protecting your corporate network is the VPN session and if you log on they have the tunnel right back to your network too.”
Walker also pointed to the vehicle itself as a risk point.
“Think of the American automobile and all the things we are trying to put in it,” he said. “We are trying to make the car an extension of our home life. Those are all new attack vectors for the bad guys. The moment we put it in there is the moment they start looking at how they will break it and use it to their advantage.”
There have been recorded cases of autonomous vehicles being hacked already and the cyber-physical risks of large-scale hacking of internet-connected autonomous vehicles are now a cause for real concern. It was an area of discussion at last month’s meeting of the American Physical Society, where Skanda Vivek of the Georgia Institute of Technology presented his research on the subject.
Walker said it was crucial for company managers to know about their cyber-security processes and how they were integrated into the operational environment. It was also crucial to convey that to those working with data, so that they understand how important it is, whether it be employee healthcare data, payroll, social security, customer, intellectual property or supply chain data.
Walker said it was crucial to plan to deal with cyber-attacks and exercise that plan effectively, because it is not a question of if an attack happens, but when.
“Know exactly what you need to do and who to do it with, because it is hard to make friends in a foxhole,” said Walker. “Make those friends now and know who to reach out to and how you are going to take care of your business partners and your organisation, and do it securely.”