In my role as leader of a product management team for a portfolio of Manufacturing Execution System (MES) products, I interact with many manufacturers globally on their challenges. Our products play a significant part in driving quality and efficient manufacturing orchestration. They further serve as a system of record through the electronic Batch Records (eBRs) and electronic Device History Records (eDHRs) generated.
Medications, food, cars, tires, batteries and many other important things are produced using these systems. Should they go down, or should the data they record be compromised, this would rapidly cause large problems.
Cybersecurity is a growing concern. Attackers are increasingly focusing on operational technologies (OT) as the potential to get paid in ransomware attacks seems higher in OT than most other areas.
The surprising thing is that there are still many manufacturers out there with incredibly old automation and software in use. Both came with the plant and machines and have not been touched since they were commissioned.
Never touch a running system.
The “never touch a running system” rule still seems to be a widely adopted manufacturing philosophy. However, this philosophy does not align with cybersecurity best practice guidance of getting and staying current.
Security is a journey, never a destination; the attack surface that is exposed must be reduced as a continuous improvement process. This means that it is necessary to regularly upgrade products, systems and procedures in use while manufacturing. It is only when this continually happens that security best practices are being followed.
But touching running systems routinely to keep them secure comes at a cost. This cost is substantial, even more so when the system is validated and must maintain its validated state in regulated industries.
There are also standards aimed at confirming that security is designed into products and that the security posture continually improves for the full product use lifecycle. This requires a significant ongoing investment by product vendors for whom it is critical to be able to offer secure products. However, customers must invest in updating and upgrading to benefit from the vendor’s investment. Continually improving cyber position requires both sides to stay in sync to help mitigate the risk of a breach or attack. The Secure Development Lifecycle (SDL) of Rockwell Automation has been independently certified to IEC 62443-4-1 Maturity Level 4.
In a recent TÜV audit, the product teams of the MES portfolio of products I oversee were recognized for demonstrating compliance with the SDL of Rockwell Automation.
There are concerns about the prohibitive costs of upgrading and updating to get and stay current. While new secured versions are available, their uptake is lower than it could be. Apparently, manufacturers do not see the urgency of acting.
Regulators are genuinely concerned about the impact of not implementing security best practice, including the possibility of putting countries and regions at a competitive disadvantage. Manufacturers may not invest what it takes because the investment needed cuts into margins, negatively impacting competitiveness in the short term.
I became aware of regulatory developments that are trying to level this playing field and ensure that cybersecurity best practices are adopted. Recently, I took the time to read the EU NIS 2 directive that forces countries in the European Union (EU) to adopt policies by October 2024. This is an important directive because these regulations are strict, wider-ranging and expected to be fully operational in 2027. Some examples:
- Annex I (sectors of high criticality) and Annex II (other critical sectors) include almost all segments we currently sell MES to. The expectation is that countries keep lists of these manufacturers and that competent authorities in the member states get powers to enforce the implementation of security best practices to help protect and respond in case of security incidents.
- Powers are far reaching: inspections and security audits will be carried out, and data must be shared. Warnings and binding instructions can be issued, measures can be ordered with timelines, and their implementation will be monitored.
- Fines of the higher of €10 million or 2% of annual turnover can be imposed.
- Managers can even be suspended (after a fair trial).
- In the EU at least, cybersecurity regulations soon will not allow continuing to manufacture with aging, unsecured OT. Responsible managers are personally liable.
Get good at touching and continuously improving running systems!
Suppliers and manufacturers must get good at getting and staying current, and at managing the impact and cost of doing so. Are you ready to take on this challenge?