The innovations that lie behind the term ‘Fourth Industrial Revolution’ – in the fields of artificial intelligence, autonomous machines and network technologies – have the potential to revolutionise the ways in which manufacturing businesses operate. In addition to promising improved efficiency, productivity and growth, however, they pose a number of challenges.
Of these, one that seems to give particular cause for concern relates to the issue of security. How safe are smart factories from hackers? In a digitally interconnected world, how effectively can a business’s unique data be shielded from unwanted view? To what extent can operations be made safe from malicious attack?
They are fair questions. The very essence of Industry 4.0 is networked information transmission. Where earlier advances in machine capability or in computing science took place within discrete fields – with applications then percolating into traditional systems – newer technologies are concerned with using data exchange to overleap boundaries. Machines now talk to machines. A factory robot’s behaviour may be modified by feedback from another device in the system.
In the manufacturing world, mechanical engineering and IT are increasingly one and the same. And both, of course, are now fundamentally integrated into the business dynamic. What some call the Digital Supply Chain is a sort of ecosystem in which every aspect of the manufacturing process – from procurement of materials, through spare part management, to distribution logistics – is continually modified in real time in response to changes in the larger picture.
It does not take long to lose count of the security risks implicit in this picture. The very principle of connectedness on which Industry 4.0 is founded tends to create a milieu that is naturally open, porous and without borders. Devices on the factory floor come and go. New customers and suppliers may be networked in every day. The storage of vital data is entrusted to public clouds.
The resulting attack surface – the range of potential entry points into the system – is inevitably large, extending far beyond the IT director’s laptop or CEO’s mobile phone.
Is it really “Easier to hack than a home computer”?
Last year the cyber-security company Trend Micro released a report demonstrating that manufacturing robots can be easier to hack into than a home computer. The report's authors remotely infiltrated the code of a robotic arm, the kind commonly used in assembly, welding and other industrial work. The hack instructed the machine to deviate very slightly in the execution of its programmed task.
The deviation was subtle enough to escape the notice of the robot’s operator and yet, had it impacted on the construction of something like a drone rotor, the consequences would have been catastrophic. Trend Micro’s researchers identified five different ways in which the behaviour of industrial robots might be compromised.
Any networked appliance (any component, that is, of the Internet of Things) is a potential vulnerability. Malware such as the high-profile Mirai scans the internet for accessible devices like routers, DVRs or CCTV cameras that may be only weakly protected. Mirai then infects the machines it can log into and recruits them into a zombie-like army of internet presences with the potential to down an individual server by overwhelming it with traffic (the kind of assault known as Distributed Denial of Service – DDoS).
Vulnerability in perhaps the most important area of the system was illustrated earlier this year by an invasion of the cloud space used by transportation giant Tesla. Rather than aiming at espionage or vandalism, hackers were able to find their way into a Tesla cloud platform whose processing power they then exploited to garner cryptocurrency (through the activity known as ‘mining’). That sensitive information was on this occasion not stolen was merely Tesla’s good luck.
Are all smart businesses really this easy to compromise? Far from it.
The first – and certainly the most reassuring – thing to point out about all the encroachments outlined above is how easily preventable they were. Every one could have been blocked with basic encryption. The internet is littered with devices running on default security settings (the word ‘password’, for example, serving as the password). These are the machines Mirai targets. The administrative portal for Tesla’s cloud was, incredibly, not password-protected.
Whether due to oversight, inexperience or lack of training, whole swathes of the emerging smart business landscape are currently unprotected in this way. This is easily fixed with a little basic awareness training.
And encrypting log-in details is only the first and most obvious thing that can be done to harden security. Administrators are able to shrink a system’s attack surface by installing virus and spyware protection, restricting or segmenting file sharing between programs, and regularly applying software patches. Here, customisation is key.
This said, and without denying the effectiveness of such measures, the ‘lock-up’ approach to security has natural limits within a conceptual model built on the free flow of data. Truly smart businesses cannot, in the end, secure themselves by firewalling all their operations off from the outside world. Tellingly, the latest thinking about security is considering areas in which cryptography can be reconciled with transparency.
The idea behind blockchain, for example, is that certain data can be protected not so much by old-fashioned privacy as by being intelligently shared. A constantly updated record of events agreed upon by all who receive the distributed files, blockchain technology preserves data streams in a form that is unalterable and, because totally decentralised, immune from localised attack.
Originally developed to support the use of cryptocurrencies, blockchain is increasingly being thought of by smart manufacturers as a way of securing the data generated by a supply chain’s events and transactions.
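To make the "unalterable" and "immune from localised attack" claims concrete, here is an added illustration (not part of the original article, and not any vendor's code). It is deliberately simplified to a hash-chained event log compared across three participants' copies, with a majority comparison standing in for a real consensus protocol; all function names, participant names and events are constructed for the example.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # predecessor value for the first block
# Constructed sample supply-chain events (not from the article).
EVENTS = [{"step": "procure", "qty": 500}, {"step": "machine", "qty": 498},
          {"step": "ship", "qty": 498}]

def block_hash(prev, event):
    body = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def build(events):
    """Chain events so each block's hash covers its predecessor's hash."""
    ledger, prev = [], GENESIS
    for event in events:
        ledger.append({"prev": prev, "event": dict(event), "hash": block_hash(prev, event)})
        prev = ledger[-1]["hash"]
    return ledger

def first_invalid(ledger):
    """Index of the first block whose link or hash fails, else None."""
    prev = GENESIS
    for i, blk in enumerate(ledger):
        if blk["prev"] != prev or blk["hash"] != block_hash(prev, blk["event"]):
            return i
        prev = blk["hash"]
    return None

def suspect_replicas(replicas):
    """Names of non-empty copies that are broken or differ from the majority head."""
    heads = {name: led[-1]["hash"] for name, led in replicas.items()}
    majority = Counter(heads.values()).most_common(1)[0][0]
    return sorted(name for name, led in replicas.items()
                  if first_invalid(led) is not None or heads[name] != majority)

def demo():
    naive = build(EVENTS)
    naive[1]["event"]["qty"] = 450  # edit in place, stored hashes left untouched
    # A more careful tamperer rebuilds the whole chain after the edit.
    forged = build([EVENTS[0], {**EVENTS[1], "qty": 450}, EVENTS[2]])
    replicas = {"manufacturer": build(EVENTS), "carrier": build(EVENTS), "supplier": forged}
    return first_invalid(naive), first_invalid(forged), suspect_replicas(replicas)

if __name__ == "__main__":
    print(demo())
```

The in-place edit is caught by the chain itself, while the fully rebuilt chain is internally valid and is caught only because the other participants hold a different head hash. The protection therefore depends on independent copies: a tamperer who controls most of them would not be flagged by this comparison.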
Of course no system can ever be completely safe from determined attack. But it is worth emphasising that counter-hacking tactics are both currently underused and subject to improvement within the context of ever-evolving strategies.
The analogy with the fight against terrorism is self-evident. And as that analogy implies, when security measures are complemented by vigilance of mindset and, where necessary, swiftness of resilience, there is every reason to forecast for smart businesses a future of business as normal.