Plastics processors of all sizes are at risk for cyberattacks
By Bruce Geiselman
Malicious actors looking to make money, wreak havoc or amplify a message pose risks to plastics processors that are increasingly reliant on computer technologies to make parts. But Industry 4.0 can be implemented safely — if manufacturers have made security a priority.
“The cybercriminals are out there. They’re constantly looking to get into organizations. They don’t care if you’re in plastics, if you’re into building computers, if you’re in health care, or if you are in education,” said James McQuiggan, an advocate with KnowBe4, a security-awareness training company.
For plastics processors, an attack could come simply because of the business they’re in, warned Brian Wrozek, an analyst with market research firm Forrester. “Plastic manufacturers would also be targets of hacktivists — threat actors who do not like the plastics industry in general because of the environmental impact, whether it is real or perceived. In this case, the motive is not to steal information but to damage and disrupt operations. This could even put worker safety at risk.”
But, Wrozek, McQuiggan and other experts said, plastics processors don’t have to be sitting ducks.
“To protect themselves, they need to develop a cybersecurity strategy for their OT (operational technology) environment,” Wrozek said. “They do not need to avoid adopting Industry 4.0 concepts. They need to plan for and implement the necessary security controls. Just like other technology enhancements, it can be done securely or insecurely. All business decisions involve risk management, and Industry 4.0 adoption is no different.”
No target too big or too small
Whether a company is large or small, it could fall victim to cybercriminals, cybersecurity experts said.
One of the biggest risks for companies is “victimless thinking,” McQuiggan said. Companies with such a mindset act as if they aren’t at risk because they aren’t big players like Google or Microsoft.
Marty Wachi, who works in product marketing/business development at Moxa, an industrial connectivity company, also warned against taking the threat lightly.
“Whether it’s in the plastics industry or any of the others we’re covering, they just don’t feel like there’s a threat that applies to them, so, that whole complacency and inaction makes them an easier target,” Wachi said.
Some smaller companies might believe they are less vulnerable because they are a less attractive target. But that isn’t a guarantee of safety.
“You don’t have to be a target to be a victim,” said John Cusimano, Deloitte Risk & Financial Advisory managing director, Deloitte & Touche LLP. “Size doesn’t really matter.”
Large companies are more likely to address cybersecurity risks before they fall victim, said Jake Morella, Deloitte Risk & Financial Advisory senior manager, Deloitte & Touche LLP.
“One of the things we see is your larger producers, while they may potentially be targeted more often, they also have more controls in place to protect themselves,” Morella said. “While your smaller mom-and-pop shops might not be specifically targeted, they’re less likely to have controls in place to prevent those more broad attacks that are kind of going out and hitting everybody.”
But, while cybersecurity can often be a challenge for smaller companies without large IT staffs, sometimes there is an advantage to being small, said Chris Poulin, deputy CTO and director of technology and strategy at BitSight, a cybersecurity company that provides security ratings on companies, government agencies and other organizations.
“It’s interesting, when we think about small organizations, sometimes they actually do better than large organizations because complexity is the enemy of cybersecurity,” Poulin said. “When you have a footprint that is broad, it is significantly more complex than a mom-and-pop shop, a plastics processor that may have 40 or maybe 100 employees.”
The threat is real
In recent years, ransomware attacks — in which criminals try to extort money from victims by paralyzing their computer networks — have dominated the headlines. But cyberattacks can take many forms. Criminals might access a company’s IT system to steal personal data about employees, like payroll information, or information about clients. They could try to steal trade secrets, or gain access to a company’s OT network — which collects data from the manufacturing floor — to tamper with equipment, hampering operations or even damaging the equipment.
Cusimano has worked in cybersecurity for 13 years, and he has seen attitudes toward cybersecurity risks change dramatically.
“Thirteen years ago, it was a bit of a stretch; it was more theoretical — could these attacks occur?” Cusimano said. “Over the last decade or so, I no longer have to spend any time convincing anybody this is a real problem. Almost every facility either has experienced their own cyber issues or they certainly know of another company or facility in their sector that has experienced ransomware, particularly in the last five years.”
In the early 2000s, nation states tended to initiate attacks, typically targeting specific companies, organizations and critical infrastructure, Wachi said. However, over the years, cyberattacks have become more widespread, hitting a wider array of targets, because today’s cybercriminals tend to be more interested in money than harming infrastructure.
Over the past year or two, hospitals, local governments, and perhaps most infamously, the Colonial Pipeline, which carries large amounts of fuel to customers from Houston to New York, have fallen victim to ransomware attacks.
“They’re ruthless,” McQuiggan said. “They may seem friendly in the communication and their capabilities, but they have taken advantage of the organization … and they will want to make as much money as they possibly can.”
Ransomware attackers don’t just go after big infrastructure — they can use malware to infect personal computers, HMIs, operator consoles and other computers with popular operating systems, Morella explained.
Often, cybercriminals gain access to companies’ networks through what McQuiggan calls “the human aspect” — using a social engineering approach that relies on a person clicking on a link in an email. Other times, cybercriminals gain access to a network when computers that haven’t been appropriately updated connect to the internet.
Cybercriminals could be inside a company’s computer network for 80 to 200 days before revealing themselves, McQuiggan said. In that time, they go through the servers and collect data that might be worth stealing; then, they encrypt the data, making it inaccessible to the company.
“With ransomware, once they’ve got your data out and they’ve encrypted your files, they leave you a nice little note on your desktop that says, ‘Hi, we’ve made your data unavailable because of your poor security practices.’ ”
For manufacturers, that might mean production is shut down.
“Your systems are compromised in some way, either they are locked up with ransomware so they just don’t work, or they may be compromised in a way that you can’t trust the integrity of the data,” Cusimano said. “That actually can be worse because your machines are running, but you’re not confident in the values. Take an example of an operation with health and safety consequences where you may have machine guards and things in place. If that data gets tampered with, your machine safety controls don’t work. Now, your consequences are potentially health and safety.”
Plastics processors should consider how a cyberintruder could affect the quality of the goods they produce, Wrozek said.
“Depending on the customers of the plastic manufacturers, I would be concerned about the integrity of the manufacturing process and end product,” Wrozek said. “Could an attacker degrade the quality of the product to waste time and material or even jeopardize the customer’s product or brand?”
Protecting yourself
Industry 4.0, which involves the installation of sensors on plastics processing equipment and frequently uploading information to the cloud, has the potential for introducing threats. But processors can take countermeasures.
“The big thing we always tell people with Industry 4.0 and IIoT [Industrial Internet of Things] is just make sure security is not an afterthought,” Cusimano said. “You need to design security in when you’re designing your IIoT and digital transformation programs because you are bringing the internet in much closer, much deeper into your facilities right down to sensors or edge gateways. That’s not necessarily a bad thing. You just need to make sure that pathway is secure.”
He and others offered a number of recommendations, including policies regarding safe practices, regular assessments of security and systems that separate OT and IT networks.
An ongoing cybersecurity program is essential, meaning it’s not a “one-and-done” effort, Cusimano said. A company needs to develop policies and procedures, educate employees to follow good cyber hygiene and put together a governance oversight body to ensure that personnel are being trained and following policies.
To protect their networks from remote access, companies need to rely not only on usernames and passwords but also on additional measures such as multifactor authentication and firewalls, McQuiggan said.
“You want to make sure you have a strong security culture within that organization to help prevent and make folks aware with regards to social engineering attacks, keeping security top of mind when it comes to your computer, your electronic devices, your systems that you have within your organization,” McQuiggan said.
He recommends that companies provide security awareness training; conduct phishing assessments, or hire a third party to conduct them; and change employee behaviors where needed.
Once an IIoT system is installed, a plastics processor or other manufacturer, possibly with assistance from a third party, should test its security before it goes live into production. Testing should ensure the system was implemented properly and without any known security vulnerabilities, according to Cusimano.
He and Poulin both emphasized the importance of protecting OT systems, and keeping the OT and IT networks separate.
“In an IT system, a lot of times, if you break in, you can steal data; you can ransom, all the things that we’ve heard of lately,” Poulin said. “But if you break into a piece of industrial equipment, you can actually kill people. It interacts with the physical world.”
To protect data networks, some people recommend air gapping, which involves isolating a computer or network and preventing it from establishing an external connection to other computers or network devices. Others advocate keeping IT and OT networks completely separated from each other. However, that can create problems because people wanting to get data from one network to the other are likely to engage in bad practices like carrying USB sticks or transferring files from one network to the other, Cusimano said.
To keep them safe, OT and IT networks should have a firewall between them, or network protection “so that if your IT business systems, your back office, your business networks get compromised because somebody clicked on an email or whatever, it can’t move into your operational side,” he said. “That IT-OT boundary and network segmentation is critical.”
In addition to using firewalls to separate networks, larger companies might create a buffer zone, typically called a demilitarized zone or DMZ, between the two networks.
“It’s kind of a network that sits between the IT and the OT,” Cusimano said. “Think of it basically as an extra trip through the firewall — once to get to this DMZ, and then once through the firewall again to get back out to wherever you’re going. You’ll typically see that in much larger organizations. There are varying degrees, but the basic idea of at least getting some separation between IT and OT is critical,” he said.
In addition, plastics processors should make sure their vendors are taking steps to protect their customers’ data.
“One of the most important things when you’re implementing Industry 4.0 or IIoT is reviewing the contracts and making sure that security is included in the contracts,” Morella said. “Many of these systems, when you purchase them, come as an entire package. They may even have a cloud that’s supported by the vendor and you’re using their interface and you’re connecting to their cloud-based systems. If you don’t review the security requirements of those contracts carefully, you can lock yourself into something that’s very unfavorable.”
Like Cusimano, Morella said cybersecurity is an ongoing process.
“The ongoing management of the systems is important as well,” Morella added. “You don’t want to ignore these devices and not patch them or not update them or keep their security profiles up to date. You want to make sure you treat them just like your other automation devices when it comes to security.”
To pay or not to pay
Despite precautions, it’s still possible a company could fall victim to ransomware. With such crimes becoming prevalent, companies need to consider how they would react to an attack.
“Of course, good malware defenses [are important],” Cusimano said, “such as some kind of an EDR [endpoint detection and response] system, anti-malware application controls, safe listing applications, a good patch-management program to make sure you are applying the latest security controls, strong backup and recovery so that you at least have the potential of recovering from backups, and testing those backups and periodically restoring from backups to make sure they are good. Then, last but not least, is a strong incident-response program, expecting that you are going to have an incident and being prepared so that you’re not trying to develop your response on the fly.”
Paying ransoms is “generally very frowned upon,” Cusimano said. However, some companies do it as a last resort.
Instead, Cusimano recommends companies follow their incident response plan if they have one. If they don’t, then they probably will need to bring in a third party to help them recover. In addition, the U.S. Department of Homeland Security offers some free services, he said.
The Cybersecurity & Infrastructure Security Agency, part of the DHS, operates its Shields Up program, which offers private businesses advice and updates on cybersecurity risks. The website includes cyberthreat updates, guidance for organizations, recommendations for corporate leaders and CEOs, ransomware response tips, and steps companies and individuals can take to protect themselves from online threats.
Surviving cybercrime
The costs of preventing and preparing for possible attacks aren’t as high as the consequences of suffering them.
Companies that fall victim to cyberattacks need to understand how their defenses failed.
“There’s another portion of that, which we call root-cause analysis, or understanding how the compromise happened,” Morella said. “There are cases where somebody has recovered from a ransomware attack or even paid to have their systems unencrypted, and then they’re hit with another attack days or a week later because they never fixed what was the initial compromise in the first place. It’s a matter of recovering, but it’s also a matter of securing your system when you bring it back up.”
After an attack, companies typically ask themselves why they didn’t plan ahead, McQuiggan said. By then, had they just invested 10 percent of the money they’ll spend on recovery on a security program, they would have already reaped the rewards.
Experts agree that waiting to get attacked is no strategy. To McQuiggan, it’s like leaving the front door open and just waiting for your home to be looted.
“You may go years and years and years of leaving your front door unlocked and nobody breaks into your house and steals stuff, but when it happens, there’s a lot more frustration,” he said.
Bruce Geiselman, senior staff reporter
BitSight Technologies Inc., Boston, 617-245-0469, www.bitsight.com
Deloitte, New York, 212-492-4000, www.deloitte.com
Forrester Research Inc., Cambridge, Mass., 617-613-5730, www.forrester.com
KnowBe4 USA, Clearwater, Fla., 855-566-9234, www.knowbe4.com
Moxa Americas, Brea, Calif., 714-528-6777, www.moxa.com/en/
Senior Staff Reporter Bruce Geiselman covers extrusion, blow molding, additive manufacturing, automation and end markets including automotive and packaging. He also writes features, including In Other Words and Problem Solved, for Plastics Machinery & Manufacturing, Plastics Recycling and The Journal of Blow Molding. He has extensive experience in daily and magazine journalism.
