As manufacturers continue to adopt more automated packaging solutions, concerns around cybersecurity increase. According to a report by Crypsis on cybersecurity, after healthcare and financial services, manufacturing is the third-most targeted industry for bad actors in the United States. The coronavirus (COVID-19) pandemic has brought even more challenges, with hackers taking advantage of production systems through an increased percentage of telecommuting employees. In fact, cybersecurity research firm CrowdStrike reports that in just the first half of 2020, the manufacturing sector saw an 11% increase in network attacks and intrusions from total 2019 numbers.
While automation is undoubtedly the future, creating opportunities to enhance efficiency, productivity and flexibility, the technology shift can also create vulnerabilities for companies lacking critical safeguards. Manufacturers should not underestimate the complexity of systems that collect and analyze sensitive data as part of an automated production line and should employ and regularly test their cybersecurity measures. Without these steps, manufacturers risk serious security threats.
Here are the top four considerations for brands to protect against cybersecurity threats as consumer packaged goods (CPG) companies continue to adapt to a new normal:
1. Set strict, strategic boundaries for remote access
The objectives of remote access are two-fold: to streamline operations and allow workers to be productive. While remote access allows external sources to assist with operational issues, some associated dangers lurk. These threats can be intentional, with the attacker corrupting or changing information to cause product damage or holding information for ransom. They can also be accidental — the result of mistakenly overwriting a file or deleting important information.
Data security is critical, as intellectual property and proprietary manufacturing processes and products are at stake. The key is to limit remote data access to information that is strictly required for the operational task at hand. Using a cookie manufacturer as an example, the time and temperature at which cookies are baked will likely be irrelevant to a technician looking to address an issue with a palletizer. Any data unrelated to the immediate problem area should be encrypted and hidden from view.
However, if a manufacturer requires an external source to monitor oven data for the purpose of identifying trends and possible solutions that can enhance operations, cookie temperature information can potentially be remotely accessed. Because this kind of access can create vulnerabilities, setting up the data monitoring will require training on the side of both the manufacturer and the supplier to ensure data is exchanged only within the permitted parameters and is otherwise secure.
2. Avoid IT/OT silos: Find common ground
Information Technology (IT) and Operational Technology (OT) departments often hold different priorities. Corporate IT teams typically believe that anything pertaining to information transfer is in their domain and, as such, are protective and restrictive of that information. OT teams, in contrast, take responsibility for creating the product and assume ownership of anything affecting production.
If an issue arises that requires remote attention, the OT department may wish to grant some data access to resolve the problem and minimize production downtime. However, the IT department may be hesitant to grant that same access, as doing so could compromise the information they strive to protect. The two groups rarely speak the same language, creating silos, but one body cannot exist without the other. When working against one another, they can leave an opening for an attack. To avoid this risk, manufacturers should establish a constant and effective stream of communication between IT and OT.
3. Understand what data you are monitoring, and why
Manufacturers often employ remote data access with the hopes of a more sophisticated operation that uncovers opportunities to enhance efficiency. While built on good intentions, this approach can create more challenges than benefits if there is a lack of understanding around what is being measured and why.
As a result, when an external body requests information, management may grant access based on questions such as “How much uptime will we benefit from?” or “How much will this enhance productivity?” but will fail to narrow down goals and parameters and instead permit unnecessarily broad access. Proving the need for remote access — and its specific areas of focus — should be high on the priority list for companies seeking greater levels of automation.
4. Invest in your workforce
Hardware and software infrastructure and the tools required to allow remote access must be up-to-date and compatible with both the manufacturer and supplier. Staff on either side must also receive the proper training to support this infrastructure, particularly as the need for remote access increases. People remain the weakest link where cybersecurity is concerned, as it is easy to leave information unlocked. Best efforts and honest intentions will not keep cyber terrorism at bay. Therefore, training must be robust. In addition, the more sophisticated cyber terrorists become, the more training must evolve.
Consider that 29% of CPGs still do not allow remote access. This means that should a problem occur, an external supplier can only help via the telephone or by sending a technician — which takes time. In the era of COVID-19, this is even more of an issue. It may take days to fix an issue that is causing a stoppage to operations, when there is the possibility it could be fixed remotely.
Stay connected with solutions at PACK EXPO Connects
As levels of automation increase across the manufacturing industry, it is vital to consider the security of proprietary data in order to protect both intellectual property and the efficiency of operations. Robust hardware and software measures and appropriate levels of training are key to minimizing points of risk while, at the same time, striking a balance with external partners in order to create positive production outcomes.
As manufacturers and end-users continue to navigate the changing landscape of data and cybersecurity, the brand new live, web-based PACK EXPO Connects 2020 (Nov. 9-13), produced by PMMI Media Group, will provide the same opportunities and insights the industry has relied on through the PACK EXPO portfolio of trade shows for more than 60 years. The event will serve as North America's resource for the most advanced packaging technologies across a wide range of industries and will facilitate exhibitor and attendee interaction through live chats, product and equipment demos, as well as engaging educational sessions.
For more information and free registration online, visit www.packexpoconnects.com.
Tom Egan is VP, industry services, for PMMI, The Association for Packaging and Processing Technologies.
PMMI, The Association for Packaging and Processing Technologies, represents more than 900 North American manufacturers and suppliers of equipment, components and materials as well as providers of related equipment and services to the packaging and processing industry. We work to advance a variety of industries by connecting consumer goods companies with manufacturing solutions through the world-class PACK EXPO portfolio of trade shows, leading trade media and a wide range of resources to empower our members