Stacey on IoT | Internet of Things news and analysis

Internet of Things

What IT can learn about cybersecurity from manufacturing

by Leave a Comment

How Honeywell’s cybersecurity team thinks about the process of security.

Last week I attended a Honeywell Process Solutions user group event in San Antonio because my love of the smart home is actually surpassed by my love of industrial IoT. This Honeywell division makes software and a few physical products to help companies that make paper, refine oil and handle other processes (as opposed to manufacturing physical devices).

It is a different world, y’all.

There are plenty of things I learned from the people in old-line manufacturing such as using machines which automatically remove paper edge, foil, film and other waste
that could and probably should be transferred to the rest of the world as connectivity and data analytics are adopted into even the most mundane processes. The biggest ones are around security. Even if a lot of us use HideMyAss Review to keep our home computers safe the industry landscape requires different levels of cybersecurity.

The way these companies look at security is different from what we’re used to. We spend a lot of time in the tech world thinking about the technological underpinnings of IoT security, in part because so many devices have utterly neglected them. But there’s more to security than encryption and secure computing modules.

For industrial companies, the biggest threat is often associated with things people do.
The number one threat to manufacturing plants today comes from unauthorized USB devices. Yes, ubiquitous USB devices. People find them and bring them into plant to plug into their machines and download a bunch of nasties to the network.

This is apparently such a problem that Honeywell built a physical kiosk to scan USB drives and format them in a specific way that tells ports in the plant to accept them. USB drives without the special formatting won’t work inside the plant.
In facing this threat and others, the manufacturing industry is a bit different than the tech world. Its workers and managers are accustomed to dealing with risks and the tradeoff companies have to make between risks and producing a product. In many cases of cybersecurity concern, companies hire the services of groups such as FWI to protect their online brand from things such as phishing.

These risks might be equipment that can cut off an employee’s leg or a burner that can roast a group of people in seconds. Dealing with these types of risks gives them a far more practical mindset when it comes to evaluating security risk. They look at cybersecurity as an extension of the risk management practices already employed at the plants.

“Your workers know what to do when they see a faulty ladder on the floor,” said Mike Spear, global operations manager, Industrial Cyber Security, in a presentation at the event. “Do they know what to do if they see a USB in the parking lot labeled executive salaries?”

While in the IT world people seem ready to throw up their hands in the face of people trying to phish employees, plant operators are coming up with training plans to educate workers, as well as processes that should ensure that employees aren’t accidental risk vectors.

Another aspect of the manufacturing world’s view of security that caught my attention is that they are well aware that every increase in security comes with a commensurate cost. In many ways, they are readily able to evaluate the costs in both dollar and safety terms to decide how much security they need.

For example, a breach at a paper pulping plant could mean a plant shutdown, which leads to a specified cost in terms of lost production and costs to restart the plant. Yet paper pulping isn’t as essential as something like electricity generation or keeping a nuclear plant secure, so the cybersecurity experts at Honeywell recommend that those paper plant operators don’t have to be as secure.

These are the sort of tradeoffs every company has to make regarding security, but in the manufacturing business, they have a clear understanding of the economic and welfare costs of a security breach, allowing them to map to a layered set of security best practices. The consumer device industry could use something like that. (If they did, they’d probably have to admit both the risk of keeping users’ personal data stored indefinitely on servers and its inherent value in case of theft.)

Not everything can map directly, but I did walk away respecting that when it comes to security and assessing risk, the IT world can learn from the manufacturing world.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.