
What IT can learn about cybersecurity from manufacturing

How Honeywell’s cybersecurity team thinks about the process of security.

Last week I attended a Honeywell Process Solutions user group event in San Antonio because my love of the smart home is actually surpassed by my love of industrial IoT. This Honeywell division makes software and a few physical products to help companies that make paper, refine oil and handle other processes (as opposed to manufacturing physical devices).

It is a different world, y’all.

There are plenty of things I learned from the people in old-line manufacturing, such as using machines which automatically remove paper edge, foil, film and other waste, that could and probably should be transferred to the rest of the world as connectivity and data analytics are adopted into even the most mundane processes. The biggest ones are around security. Even if a lot of us use HideMyAss Review to keep our home computers safe, the industry landscape requires different levels of cybersecurity.

The way these companies look at security is different from what we’re used to. We spend a lot of time in the tech world thinking about the technological underpinnings of IoT security, in part because so many devices have utterly neglected them. But there’s more to security than encryption and secure computing modules.

For industrial companies, the biggest threat is often associated with things people do.

The number one threat to manufacturing plants today comes from unauthorized USB devices. Yes, ubiquitous USB devices. People find them and bring them into the plant to plug into their machines and download a bunch of nasties to the network.

This is apparently such a problem that Honeywell built a physical kiosk to scan USB drives and format them in a specific way that tells ports in the plant to accept them. USB drives without the special formatting won’t work inside the plant.

In facing this threat and others, the manufacturing industry is a bit different than the tech world. Its workers and managers are accustomed to dealing with risks and the tradeoff companies have to make between risks and producing a product. In many cases of cybersecurity concern, companies hire the services of groups such as FWI to protect their online brand from things such as phishing.

These risks might be equipment that can cut off an employee’s leg or a burner that can roast a group of people in seconds. Dealing with these types of risks gives them a far more practical mindset when it comes to evaluating security risk. They look at cybersecurity as an extension of the risk management practices already employed at the plants.

“Your workers know what to do when they see a faulty ladder on the floor,” said Mike Spear, global operations manager, Industrial Cyber Security, in a presentation at the event. “Do they know what to do if they see a USB in the parking lot labeled executive salaries?”

While in the IT world people seem ready to throw up their hands in the face of people trying to phish employees, plant operators are coming up with training plans to educate workers, as well as processes that should ensure that employees aren’t accidental risk vectors.

Another aspect of the manufacturing world’s view of security that caught my attention is that they are well aware that every increase in security comes with a commensurate cost. In many ways, they are readily able to evaluate the costs in both dollar and safety terms to decide how much security they need.

For example, a breach at a paper pulping plant could mean a plant shutdown, which leads to a specified cost in terms of lost production and costs to restart the plant. Yet paper pulping isn’t as essential as something like electricity generation or keeping a nuclear plant secure, so the cybersecurity experts at Honeywell advise that those paper plant operators don’t have to be as secure.

These are the sort of tradeoffs every company has to make regarding security, but in the manufacturing business, they have a clear understanding of the economic and welfare costs of a security breach, allowing them to map to a layered set of security best practices. The consumer device industry could use something like that. (If they did, they’d probably have to admit both the risk of keeping users’ personal data stored indefinitely on servers and its inherent value in case of theft.)

Not everything can map directly, but I did walk away respecting that when it comes to security and assessing risk, the IT world can learn from the manufacturing world.

Stacey Higginbotham
