At a recent Rhode Island Manufacturers Association breakfast, Cooley Group President and CEO Daniel R. Dwight listened as the roughly 500 attendees were asked if their businesses had ever been hacked.
About 40% said yes, and at the same time, the rest laughed. The question didn’t even need to be asked, Dwight said.
“People try to hack you constantly,” he said.
More companies, particularly manufacturers, are moving toward data-driven automation, a push known as Industry 4.0. The resulting industrial-control systems – machines that are operated remotely via a connection to the internet – simultaneously make operations more efficient and more vulnerable.
Consequently, cybersecurity has never been more important, Dwight said.
“As you [automate], you have to be parallel in implementing cybersecurity,” he said.
Wade Chmielinski, FM Global’s eastern division cyber consultant, says increasing numbers of his 550 clients from Virginia to Maine are seeking guidance when it comes to industrial-control systems.
Airports and other mass-transit hubs and chemical and power plants join manufacturers as businesses that have embraced automated systems. An attack on such systems could range from disruptive to disastrous for companies.
“A cyberattacker can come into a network, access that system in the warehouse and cause physical damage just like you’d get with a fire,” Chmielinski said. “We know it can happen, and we also know that there is a proliferation of the ‘internet of things,’ these small devices that automatically connect to the internet that allow you to do processes over your network. It’s extremely convenient but it adds a lot of risk because it’s exposing your system.”
‘We can secure their network, but securing a person’s mindset is … very challenging.’
Terrence Boylan, PacketLogix Inc. CEO
FM Global plans to offer engineering guidance on keeping industrial-control systems safe by late this year or early 2020, Chmielinski added.
An industrial-control breach could result in loss of power across a region, take down cellular networks or even disrupt water controls, said Terrence Boylan, CEO of PacketLogix Inc.
The Warren-based company has clients who range from defense businesses to local communities and universities.
Although awareness of the vulnerabilities of industrial-control systems is growing, Boylan says the businesses he works with are still more focused on attacks on data systems.
One growing area of concern is employee habits and behavior.
“We can secure their network, but securing a person’s mindset is actually a very challenging thing to do,” Boylan said, citing issues such as shared or reused passwords and storing passwords in easily accessible places.
Proper email hygiene is key, along with understanding the potential consequences of a breach. Clicking on a seemingly innocent PDF file from an unfamiliar sender, for instance, could allow a hacker to gain entry to a system, although an attack may not come for months.
Dwight, a member of the Manufacturing Leadership Council Board of Governors, won’t say if Cooley Group has ever fallen victim to a breach, or what the company is doing to prevent attacks. What he does say is that the Pawtucket-based business, which manufactures high-end waterproofing materials, roofing membranes and secure containers for fuel and chemicals, does not let down its guard.
“We’re addressing it,” Dwight said. “It’s a growing problem. … When you get more sophisticated on how to protect yourself, you find other ways that people are trying to get in.”
While a disruption to a company’s system rarely has ramifications outside of a specific circle, breaches within some types of networks such as mass-transit operations could command widespread attention, Chmielinski said.
“These are the types of devices that allow us to function as a society everywhere, and that’s the problem – there are so many of them,” he said. “All these things are so convenient and so great, but they’ve got vulnerability in them, so that’s where our interest lies.”
As Baltimore continues to recover from a ransomware attack earlier this year that temporarily brought routine transactions to a halt, officials in Providence remain vigilant in protecting city services from cyberthreats.
Although the city’s operations do include some industrial-control systems that regulate heating, cooling and power management, its main core is its business network.
The city relies on the internet to conduct much of its public business, such as bill payments, ticket payments and documents requests. Levels of protection include partnering with state and security agencies and law enforcement and keeping abreast of fast-changing malware, says Jim Silveria, Providence’s chief information officer.
Elizabeth Graham is a PBN staff writer. Contact her at Graham@PBN.com.