Protecting Ceramic Manufacturing's Crown Jewels
Ceramic and glass manufacturers create trade secrets and intellectual assets every day. How can these assets be protected?
The media consistently details stories regarding theft of information, trade secrets and innovation involving many different types of companies and industries. Yet protecting these “crown jewels” is often thought to involve only things like patents associated with the legal world. In reality, manufacturers create trade secrets and intellectual assets every day as they design, build, and install new equipment and technologies. In manufacturing, these “crown jewels” include things like drawings, programmable logic controller (PLC) code, designs, and manufacturing processes and data.
It is the defined and documented learning, troubleshooting data, and process setups that are ultimately the intellectual assets that result in the technology, process, and product advantage that a company holds in the marketplace. All of these factors must be protected because valuable trade secrets can be stolen and transferred to competitors in a simple email, while more aggressive cyberattacks can infiltrate corporate networks and provide outsiders with access to confidential data.
Yet many manufacturers are not prepared to protect these valuable assets. According to PwC’s “Global State of Information Security Survey:”
• 70% of organizations expressed concern about their inability to protect intellectual property or confidential customer data
• As many as 71% of data security compromises go undetected by companies1
Manufacturers must also ensure the security of their operational technologies, which comprise the technologies on the shop floor that control the various manufacturing systems such as robots, controls systems and HVAC. Why are these important? If hackers were to infiltrate a company’s manufacturing systems, their production process could be manipulated and their process data stolen—or worse, shut down.
Kim Zetter recently reported a story for WIRED about the vulnerability of operational technologies. Zetter points out that hackers struck a steel mill in Germany and manipulated/disrupted manufacturing control systems (e.g., PLC and SCADA) to such a degree that a furnace could not be properly shut down, resulting in massive equipment damage. She describes how the attack happened, writing, “The attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack—sending targeted email that appears to come from a trusted source in order to trick the recipient into opening a malicious attachment or visiting a malicious website where malware is downloaded to their computer. Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a ‘multitude’ of systems, including industrial components on the production network.”2
This event should cause everyone who works in glass and ceramics, as well as other process industries, to shudder. So what can manufacturers do to start implementing protection?
Establish Information Protection Policies
Just as most companies have a quality policy, having an information security policy is critical. A manufacturing organization without an information security policy is an organization without a strategy for control of its critical innovation assets. Some of the benefits of having a documented, formal policy include:
• Fosters effective decision making
• Provides “What should I do?” and “How to” instructions for staff
• Protects employees from acting in a manner that might endanger their employment and company health
• Helps staff initiate actions and take responsibility without constant reference to management
• Increases the accountability of leadership and employees
The creation of information security policies is good evidence of proactive and forward-thinking management. As such, policies and referenced procedures provide the foundation for communicating to employees the requirements and guidelines for securing the work and innovation they create daily. The policy can also provide a document that could ultimately be used by the organization when conducting a compliance audit (i.e., Are we doing what we said we would do?).
Work Closely with Company IT Resources
Information technology (IT) departments are an important resource for manufacturers regarding tools for controls and management of systems. IT resources include providing the latest information on technology that can be implemented to secure computers, PLC systems, USB storage devices, smart phones and data storage options.
Initiate Phishing Awareness
Symantec, a company that helps organizations and consumers secure and manage their information-driven world, provides the following phishing definition: “Phishing is essentially an online con game and phishers are nothing more than tech-savvy con artists and identity thieves. They use SPAM, malicious websites, email messages and instant messages to trick people into divulging sensitive information, such as bank and credit card accounts.”3
All of us typically get emails from unknown sources. From an information security perspective, opening these emails are a risk. Companies need to initiate awareness programs to educate employees regarding potentially malicious emails.
Understand Social Media Risks
Though it may seem benign, social media is a risk for cybersecurity threats. Numerous studies show that many employees access their social media accounts at work. The risk is that malware can easily be disguised in posted links, which could then infiltrate the company IT network. In addition, social media also poses information loss risks when employees share and post data about their work or company travel, not realizing that this can be sensitive data.4
BYOD means “bring your own device.” With the growth in mobile devices, many employees tend to use their personal devices (e.g., smartphones and tablets) for work. Unless a company has policies in place for controlling the use of such devices, there is the potential for company information to get loaded onto devices that are not company owned.
The result is that critical company data could end up stored in locations that are out of the company’s control. Examples include copies of drawings that were converted to PDF and copies of presentations an employee might email to themselves via personal email accounts so they can work on them at home. This is especially a point of risk for small- to medium-sized companies.
Engineers Should Be Sensitive to Potential Future Patents
At times, patents are thought to be only intellectual assets that come out of research and development. Yet, as manufacturing engineers design and develop processes and tools, these innovations could potentially be patentable. For this to happen, engineers must be sensitive to new innovation that provides a competitive advantage to the company. Once this is done, engineering leadership can work with the appropriate legal resources to determine viability of patentability.
One Final Thought
Glass and ceramic manufacturing leaders and engineers, as well as everyone in the company, must understand the importance protecting important information. These assets are the lifeblood for a company’s future. It is estimated that the annual cost to the global economy from cybercrime is more than $400 billion.5 Glass and ceramic manufacturers must be vigilant in gaining knowledge in this critical area for the long-term viability of their enterprises.
For additional information, contact the author at firstname.lastname@example.org.
1. “Global State of Information Security Survey®: 2015 Results by Industry,” PwC, www.pwc.com/gx/en/consulting-services/information-security-survey/index.jhtml#.
2. Zetter, Kim, “A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever,” WIRED, January 8, 2015, www.wired.com/2015/01/german-steel-mill-hack-destruction/.
3. “Phishing,” Symantec Corp., http://us.norton.com/security_response/phishing.jsp.
4. White, S.K., “How Your Employees Put Your Organization at Risk,” CIO, May 28, 2015, www.cio.com/article/2927598/security0/how-your-employees-put-your-organization-at-risk.html.
5. “Net Losses: Estimating the Global Cost of Cybercrime,” Center for Strategic and International Studies, June 2014, www.mcafee.com/us/resources/reports/rp-economic-impact-cybercrime2.pdf.