Thursday, March 3, 2016

Cybersecurity in Manufacturing: What? Why? How? And How Much?

By Chris Hamilton, Cybersecurity Working Group Member
Figure 1 - Cybersecurity: Changing Threat Landscape

In your day-to-day routine, how focused are you on topics of cybersecurity? Do you follow exploits published by SANS, ICS-CERT, etc., and relish unique 0-day findings? Or do you passively hear of hacks on the news and think, “I’m glad that wasn’t my company!” For most of us, the answer would be the latter. However, the scale of attacks on the manufacturing sector and the proportional loss to businesses in recent years have demonstrated the necessity of secure integrated control systems.

The constantly shifting threat landscape can be daunting to follow, and it shows: the 2016 Vormetric Data Threat Report states that “64% of IT execs think achieving basic compliance will stop most breaches.” With the increasing nation-state threat, breaches are becoming more sophisticated and creating APTs (Advanced Persistent Threats) with new levels of potency.

The “script-kiddies” of yesterday, taking advantage of single exploits, have grown up to become a highly trained, educated and government-sponsored team of professionals. This team is dedicated to stealing a target’s IP (intellectual property) and/or using that company’s weaknesses to damage an entire industry. The scale is massive, and the threat is real.

PATCH AND CHECK

Figure 2 - Verizon 2015 DBIR

Amidst the growing and changing attacks on the cyber front, many of the fundamentals have not changed. It is still true that most exploited vulnerabilities (99% in fact, according to Verizon’s 2015 DBIR, the Data Breach Investigations Report) were exploited over a year after the vulnerability had been discovered and patched. Patching will continue to be critical to a secure infrastructure.



Want to get a real feel for insecurity as it exists today? Try searching for protocols or devices you hold near and dear to your heart through the SHODAN connected-devices search engine at https://www.shodan.io. You should not find a device speaking Modbus or EtherNet/IP directly connected to the internet, but you will.


COMING OF AGE:  THE CYBERSECURITY THREAT LANDSCAPE

The coming of age of the cybersecurity threat landscape can be seen not only in the scale of attacks, but also in attackers’ focus, complexity, and funding.

A few questions could be asked: Was Stuxnet the pivotal transition from meandering threats like Conficker to the Saudi Aramco breach? Was this one of the first examples of how everything changed?

Figure 3 - Inside The Aftermath Of The Saudi Aramco Breach

One of the key points of the Saudi breach was the company’s ability to quickly disconnect its systems (physically) from each other and the internet. Financial and business systems went down and nobody got paid. However, manufacturing operations, such as legacy oil manufacturing, continued to function.

What happens when these manufacturing systems inevitably become a connected Integrated Computer System (ICS) through business drivers for KPI monitoring, scheduling, resourcing, IIoT, or other drivers? What happens to the oil company whose manufacturing infrastructure is wiped by an attack of this scale? What happens to a global manufacturing company that can no longer produce any product?

MESA has formed a cybersecurity working group to focus on the needs of our community in relation to cybersecurity awareness. The initial goal of this group is to produce appropriate guidance, relatable to our audience, addressing the What? Why? How? And How Much? around successfully implementing industry best practices for security on the plant floor.
The team is currently accepting input from the community to help gauge what topics mean the most to you and to determine the most beneficial approach to proving the worth of this subject (be it ROI, Risk Avoidance, or another factor).

We value our community’s input; please fill out our short survey here. If you would like to contribute to the development of this working group, please contact Megan Calles at megancalles@mesa.org or visit the Cybersecurity Working Group page.

Citations 

Barth, Bradley. "Survey 64 Percent of IT Execs Think Achieving Basic Compliance Will Stop Most Breaches." SC Magazine. SC Magazine, 22 Jan. 2016. Web. 28 Jan. 2016.

Bekker, Garrett. "2016 VORMETRIC DATA THREAT REPORT." VORMETRIC DATA THREAT (2016): n. pag. VORMETRIC. Web.

"2015 Data Breach Investigations Report (DBIR)." Verizon Enterprise Solutions. N.p., n.d. Web. 28 Jan. 2016.

Rashid, Fahmida Y. "Inside The Aftermath Of The Saudi Aramco Breach." Dark Reading. N.p., n.d. Web. 28 Jan. 2016.

Hulett, Marguerite.  "Cybersecurity: Changing Threat Landscape."

About the Author

Chris Hamilton
Sr. Technical Consultant, Manufacturing IT/OT
Grantek Systems Integration 

Chris started his professional career in web design, databases, and server management with a focus on security at every level, but grew up around process flow and P&IDs in Biochemical Pharmaceuticals. In his roles at Grantek he has worked as a controls engineer, a systems engineer and an IT/OT consultant, bridging the gap between IT and Controls teams to help clients realize more efficient operations, leverage or implement standardized systems and, most importantly, understand the line between IT and OT and how it can and will shift with emerging technology and industry changes. Today he focuses specifically on the OT side, providing network audits and road mapping a migration plan for a client’s legacy or inefficient hardware as part of a client-provided or jointly developed OSA (Manufacturing Operations Systems Architecture).

