By Bruce Geiselman and Karen Hanna
In the wake of highly publicized cyberattacks that shut down businesses, cyber experts say plastics companies need to batten down the hatches.
“Plastics processors, equipment manufacturers and others in plastics-related businesses should be concerned,” said Steve Mustard, an independent automation and cybersecurity consultant and president of the International Society of Automation. “I have not heard from any companies that are worried, but that is part of our general lack of awareness of the risk. Companies still believe they are not a target, or that, because they’ve never been attacked before, it will not happen in the future.”
View from the ground
At one molding shop, the IT department is taking note.
As a one-man IT and cybersecurity team for a small automotive-parts maker, Joshua Nye has heard the alarm.
“It’s probably the thing that keeps me awake for most of the night is the unknown of what could happen just by a simple mistake, and it could be email. … It’s something I worry about quite a bit,” said Nye, who, as customer service and information technology manager at Team 1 Plastics Inc., oversees the computer technologies of a 24/7 custom molding shop.
With just 55 employees, Team 1 Plastics is a relatively small player among automotive-parts suppliers. Any attack along the supply chain could hurt business, so the company stays vigilant, and hopes its vendors and customers do, too.
To protect the company, Nye is diligent about loading software updates as they come out. The company runs redundant systems and has identified and backed up its critical data, so it can get up and running in a hurry.
Nye responded to a Plastics Machinery & Manufacturing email with a phone call, just because he didn’t recognize the sender. It’s a cautious approach he’s trying to pass on to his colleagues — sometimes, he concedes, to the point of being annoying.
“The key for me a few years ago was explaining to people that, ‘Hey, when I’m helping you with these emails, this not only helps you with Team 1, but it helps you personally, right?’ ” Nye said. “If a person’s trying to grab your bank account information or lock up your Social Security account … if you can work with me, this will actually help you personally, which also means that you’re not missing work because you’re dealing with these issues, which is also good for Team 1.”
Recognizing the threat
According to cyber experts, the opening salvo in an attack can be something as seemingly benign as an email. Machines running software that has not been updated also are vulnerable.
“It seems like you can stop 90 percent of these issues by making sure all your stuff is up to date,” Nye said.
Cyber experts warn that plastics companies can’t afford to be lax.
A board member of the Mission Critical Global Alliance, a nonprofit organization that works toward advancement and protection of mission-critical operations, Mustard is president and CEO of au2mation (National Automation Inc.), which provides automation and cybersecurity consulting. He addressed recent cyberattacks — involving a beef processor and pipeline — in a blog post.
“In the first half of 2021 alone, we have seen cyberattacks on our water supply, our fuel supply, and now our food production,” he said. “All three are critical infrastructure sectors defined by the U.S. Department of Homeland Security. The critical manufacturing sector, of which plastics industry organizations are part, is another one of the 16 sectors identified by DHS.”
While the DHS does not specifically identify plastics processing as part of the critical manufacturing sector, several of the industries identified, including transportation equipment, aerospace, appliances, electrical equipment and component manufacturers, rely heavily on plastic parts.
Eric Vanderburg, VP of cybersecurity for TCDI, a Greensboro, N.C., cybersecurity and forensic services company, agreed that plastics processors are at risk.
“I think [cyber criminals] are trying to target anything that’s going to have an impact on the public,” he said. “Here, you see the disruption of beef. They can do the same thing to the plastics [industry] or use that as part of a supply chain attack on some other industry.”
Plant operators, especially in critical industries, need to be better prepared, Mustard said.
“We encourage every organization to take action to strengthen their cybersecurity posture to reduce their exposure to these types of threats,” Mustard said.
Risk vs. reward
While Team 1 Plastics takes pride in investing in the latest technologies, Nye said it pays to be cognizant of risks.
“The more people have entered the cloud, it’s hard to understand what data they have floating out there. And, if you lost your ability to reach it, and somebody else had that data, you’d be in a bad spot,” Nye said.
Increasingly, companies are integrating their information technology (IT) and operational technology (OT) networks, which can lead to more efficient operations but also introduces new vulnerabilities, cyber experts said.
“The upside of digital transformation is that connectivity of OT environments to the IT environment and up to the cloud creates amazing opportunities for efficiency and competitive advantage,” said Grant Geyer, chief product officer at industrial cybersecurity company Claroty. “The soft underbelly of that is digital risk.”
At Team 1 Plastics, Nye hears the excitement of his colleagues when they discuss the gee-whiz capabilities of the newest Industry 4.0 technologies.
But instead of thinking about a technology’s benefits, he takes a safety-first view.
“I’ve had production managers or different people that come across things at different events or shows, and say, ‘Hey, we’d love to integrate this technology at the plant.’ And my first question is always, ‘What’s the security behind it?’ ” he said.
Camera-equipped robots, for example, might allow the company to operate with fewer people, or give employees the luxury of overseeing operations from anywhere. However, Nye said they’re easy to hack. He cautions that, with some technologies, security planning isn’t robust enough.
“Security always seems to come later on once they have an issue with it. And so, we heavily try to vet anybody coming to the company with anything Industry 4.0 or cloud services to make sure that they’re already taking those steps to secure it.”
Advantages of linking IT with OT systems include smart factory solutions, predictive maintenance, just-in-time ordering systems and the ability to analyze inventory and efficiency of operations.
“The downside is that by connecting these environments together, you’re potentially opening Pandora’s box,” Geyer said.
In the event of an attack
If hackers gain access to a plant’s computer network, damages could range from stolen information to a shutdown of operations, Geyer said.
“If attackers get access to your plant, it really is dealer’s choice in terms of what they choose to do,” Geyer said. “It can be everything from stealing information that they can leak on the internet to locking up systems that they won’t unlock without a ransom being paid, to causing physical damage to equipment. In environments with chemicals, this involves employee safety. It really can have significant negative consequences to organizations.”
Companies must decide whether they would be willing to pay ransom, he said.
“There are many people in industry who have presented what I’ll call ivory tower approaches, saying that, ‘No, you should never pay the ransom because paying the ransom begets more ransomware,’ ” Geyer said. “Well, that certainly is unarguable, but it may be a bit idealistic. It’s idealistic to say, ‘If I ever get mugged, I’m not going to give up my wallet.’ But the reality is, when you’re staring down the barrel of a .44, you might feel a bit more forthcoming with your payment.”
Some criminal enterprises engaged in cyber ransom demands behave much like legitimate businesses.
“Some of these ransom gangs have a customer service desk; they have PR teams that try to give them the aura of pseudo legitimacy, but in reality, they are a bunch of cyber thugs,” Geyer said. “It’s not that the ransomware is happening from unknown and ungoverned locations. Many of these gangs are operating from Russia with explicit or implicit approval from the government.”
Geyer said he believes the U.S. has been “far too silent on the matter.”
“It’s like if you keep getting your lunch money taken away every day at the bus stop, and you just do nothing about it,” Geyer said. “You’re going to go hungry after a while. My perspective is that it has been far too long before the United States has drawn red lines about what is acceptable and unacceptable behavior to foreign countries and taken action. What we’re seeing now is the consequence of cyber gangs and nation-states acting with impunity against business and the U.S. national interests.”
Bruce Geiselman, senior staff reporter
Karen Hanna, senior staff reporter
au2mation, Spring, Texas, 713-344-3317, https://au2mation.com
International Society of Automation, Research Triangle Park, N.C., 919-549-8411, www.isa.org
TCDI, Greensboro, N.C., 888-823-2880, www.tcdi.com
Team 1 Plastics Inc., Albion, Mich., 517-629-2178, www.team1plastics.com