Summary: In this issue of Factory Trends, our Team explore the trends in Cybersecurity in Operational Technology, inspired by a recent visit to a manufacturer and a timely article by Dennis Smeca in the Industry Week newsletter, highlighting the pressing cybersecurity concerns manufacturers face today. As the digital and physical worlds converge, the security of manufacturing processes and designs becomes paramount. While some AI systems, like Dafo, offer a robust, non-cloud-dependent option ensuring heightened security, and incorporating the Secure Development Lifecycle SDL into its development processes, the broader factory environment demands a comprehensive approach to cybersecurity.
This encompasses not only secure networks but also thorough education on the risks associated with internet-connected devices. We explore how, in an era where “free” often means “you are the product,” even nations with significant cybersecurity investments, like China, are not immune to hacking incidents. Join us as we navigate through the strategies to safeguard proprietary data and enhance operational technology security, underlining the importance of local data storage, meticulous evaluation of cloud services, and the critical role of educating personnel on cybersecurity threats and best practices.
Cybersecurity in OT
Cybersecurity is fundamentally about exploiting system vulnerabilities. Over the years, it has become increasingly sophisticated, now with AI encompassing not-so-transparent training models, strategies, and adversarial tactics. In light of the growing cyber threats facing the manufacturing sector across industries, how can we effectively integrate cybersecurity measures into their Operational Technology (OT) and assembly lines?
First Things First: IT vs. OT
First things first, because everyone is familiar with the IT concept, but what is OT, and what are the differences?
Operational Technology (OT) and Information Technology (IT) serve distinct purposes within an organization. OT focuses on controlling industrial operations, emphasizing efficiency, safety, and reliability of physical processes. It’s primarily used in manufacturing, power generation, and transportation systems. IT, in contrast, manages data, communications, and computational tasks, supporting business operations like finance, HR, and customer management. IT prioritizes data integrity, confidentiality, and accessibility. The key differences lie in their objectives, applications, and the nature of the systems they manage—OT controls physical processes, while IT oversees information systems.
The Spy Who Logged In With My Password
Industrial espionage isn’t just for the movies. In today’s world, James Bond could easily be disguised as your average Joe with a smartphone. Industrial espionage poses a significant threat to any industry, given the ubiquitous nature of cameras in devices ranging from watches and pens to glasses and, not least, the humble cell phone. With a camera, ample memory, and high-capacity connectivity, these devices can transmit confidential company information within seconds.
Installing cameras equipped with computer vision at strategic locations can help identify in real-time when someone is in a position to take a photograph or appears to be behaving suspiciously. Industrial secrets can be accessed in various ways, including through a laptop, a company computer, and undoubtedly via a USB drive. Although such threats can be somewhat mitigated by controlling and monitoring who accesses the premises, the challenge of safeguarding information used for the company’s operational tasks remains. For instance, technical plans and general documentation of assembly processes are crucial.
In response, companies have turned to cloud services for their convenience and security features. Cloud storage solutions like Microsoft One Drive, Google Drive, or Dropbox offer encrypted and secure storage options. These systems are designed to be accessed with dual-level authentication on new devices, adding an extra layer of security to prevent unauthorized access even if the password is compromised. However, if there are still concerns about the security of these systems, keeping files locally might be the best option.
The objective is to be resilient. In scenarios with low probability but high consequences, ensuring the survivability of high-value assets through controls like offline backups becomes critically important, especially when decryption is not feasible.
AI’s Double-Edged Sword
Yet, it’s essential to be aware of indirect threats to our information’s confidentiality. Tools like CHATGPT, GEMINI, BING, and others that analyze our texts are commonly used across businesses, even tools like Grammarly to improve writing. This practice could potentially open up a security loophole, as the information typed could be used to retrain AI models. Imagine drafting a patent for a new type of WiFi technology designed to reduce interference from walls using CHATGPT to polish the writing. Days later, someone else seeks advice on designing a device to enhance WiFi signals through walls and receives a response from CHATGPT containing the information you provided. This scenario emphasises the importance of keeping confidential information off systems used to feed AI engines.
Protecting Proprietary Data in the AI Era: Strategies for Manufacturers
The total global volume of data is estimated to reach the astronomical amount of 175 zettabytes by 2025, one zettabyte is equivalent to a trillion gigabytes. IDC: Expect 175 zettabytes of data worldwide by 2025 | Network World
While sceptics still exist, the reality is that manufacturers are part of a supply chain, and the integration of AI into manufacturing processes is a present reality. The latest KPMG Generative AI Survey reveals that over 75% of executives report AI technologies are either currently deployed or under development within their organizations.
Indeed, just last week the tech giant Nvidia exceeded expectations and sales forecasts, reaching more than $22 billion, thanks to the AI demand and their control of around 80% of the market.
This exponential growth in AI adoption underscores the need for robust critical data security measures, especially when sensitive and proprietary information increasingly resides in cloud environments, and when we talk about data, this includes processes.
Cloud storage systems and AI-inclusive tools, from remotely trained computer vision models to online platforms for design and documentation, carry significant risks. The allure of cloud storage migration costs and the promise of efficiency and innovation from AI must be balanced with the imperative to protect the intellectual property of manufacturing processes. The reduction in data storage costs to nearly zero can have unintended consequences, potentially allowing this information to be used in training AI models that competitors could access, as some AI tools, in turn, use third-party tools in their architecture, and it is here where security is most vulnerable.
Have you heard about adverse tactics?
With the rise of automation and AI, more sophisticated cyberattacks like adversarial tactics appear. These are distortions intentionally produced to cause the AI systems to behave anomalously. One of the common tactics is known as AI Deception. These techniques are used to trick AI models through manipulated inputs.
An example is an attacker who managed to make DHL’s chatbot generate a poem against the company. Another example is similar to the ones used for Digital Artwork Protection. Filters used to protect digital artworks from being ‘copied’ by AI or used for database training are similarly employed to alter street signs and ‘trick’ autonomous vehicles, like Tesla’s self-driving system. Logistics and AMR can also be vulnerable. In factories, Autonomous Mobile Robots (AMRs) used for internal logistics can be compromised. The camera input can be altered by someone sending a signal to the AMR in the logistics area.
Data is most vulnerable during transmission. Security strategies must prevent data loss, distortion, or unauthorized dissemination. The importance of selecting secure hardware to ensure that computer vision systems do not activate cameras and transmit data outside the company’s network or track activity without consent.
Data Storage: A Strategic Imperative?
Mark Twain said, ‘There are two times in a man’s life when he should not speculate: when he can’t afford it and when he can’. Given the security concerns, when processes are critical, a strategic shift towards local data storage emerges as a prudent measure, albeit initially expensive and complex. Maintaining sensitive plans, designs, and proprietary information on the premises reduces the risk of unauthorized access and misuse in the cloud. This approach not only protects information against traditional cyber threats but also from being inadvertently used to train AI models by cloud service providers.
Reevaluating Confidentiality in the Cloud
Manufacturers must critically evaluate the confidentiality terms offered by cloud services and tools, including widely used platforms like Microsoft Office and Google Docs, as well as seemingly innocuous tools like grammar checkers. The default push towards cloud storage strips organizations of control over their data, raising alarms about who, or more precisely, what, might access this information. The concern shifts from human to machine, ensuring proprietary data does not become fodder for AI engines eager to learn from a wealth of unprotected information. At this point, manufacturers must categorize risks.
If you have an X account and follow Elon Musk, you likely read about Elon’s complaints regarding having to create a Microsoft account to use his new laptop, a situation that was only bypassed when he disconnected the WiFi. Why does this tech-savvy individual not want to create a Microsoft account? Maybe because ever since the company partnered with OpenAI, all the information could be used to train ChatGPT. Indeed, Microsoft just invested another $13 billion in the creator of ChatGPT and recently revealed its engagement in additional AI ventures, including a $2.1 billion investment in the French startup Mistral AI, whose technology will be accessible to users of Microsoft Azure.
Educating Personnel on Cybersecurity
Staying ahead of cyber threats is paramount, but where can we find secure and official practical advice? The National Cyber Security Centre (NCSC) provides support, offering a Cyber Essentials certification to steel defences against common cyber challenges. This program, alongside guidance documents and best practice advice, equips organizations with the tools to protect sensitive data, ensure secure remote working, and effectively respond to incidents. By diving into the practical guidance offered through the Cyber Essentials program and exploring resources available on the website, manufacturers can elevate their cybersecurity posture, for example, through training and awareness programs, webinars, workshops, and online courses tailored to enhance employee knowledge on cybersecurity risks.
5 Strategic Recommendations for Manufacturers
- Prioritize Local Storage for Sensitive Data: Consider local storage solutions and offline tools for highly sensitive information to minimize exposure to cloud-based risks.
- Carefully Evaluate Cloud Service Providers: Engage with cloud services that offer robust security features and transparent policies regarding data use, especially about AI training.
- Enhance Data Encryption: Encrypt data both in transit and at rest, whether stored locally or in the cloud, to protect against unauthorized access.
- Implement Rigorous Access Controls: Ensure that only authorized personnel can access sensitive data, employing strong authentication methods to protect digital assets.
- Stay Informed and Proactive: Continuously monitor advancements in AI and cloud computing to adapt data security strategies in real-time, protecting against emerging threats.
Navigating the complexities of data security in the AI era falls on manufacturers to adopt a proactive stance, securing proprietary information against the dual threats of cyber-attacks and inadvertently driven data exploitation by AI. By embracing local data storage and demanding greater transparency from cloud services, manufacturers can strengthen their defences, ensuring their innovations remain their own.
As Gabriel and I discussed this topic, and even more so as I penned these final lines, I pondered the potential backlash this article might invite. Being developers of an AI tool that also offers a hybrid option, when the customer wants to train the models in the cloud to reduce costs, this article might seem unfavourable at first glance. However, the truth is that education is the most potent tool we possess. As mentioned earlier, we are part of a supply chain, and a chain is only as strong as its weakest link.
Nowadays, certain equipment, be it robots or computers, can be rented—a concept referred to as robots as a service or equipment as a service. Even if you erase the information before returning these devices, if the provider is so inclined, they can recover the deleted data to glean insights and train their models. Let’s continue to engage, learn, and adapt, ensuring that our innovations and operational integrity remain shielded against the ever-evolving cyber threats. Until our next issue, where we will unravel more trends shaping the factories, stay secure and forward-thinking.
Until next time, manufacturing innovators!
Daniela Gonzalez, Generalist committed to advancing sustainable technology for a safer, more efficient world.
Gabriel Giani, AI Specialist and Code Captain.
+ Plus
- If you’re an artist and want to know how to protect your art, you can find more information about the Glaze Project and access the tool developed by the University of Chicago to protect digital artworks from AI mimicry via their official website here: Glaze Project.
- Cybersecurity Concerns for Manufacturers: The article discusses the main challenges and trends that manufacturers will face in 2024: Cybersecurity Concerns for Manufacturers in 2024
- KPMG Generative AI Survey Report: Industrial Manufacturing: KPMG conducted two surveys of US executives across industries, focusing on generative artificial intelligence (AI). In the manufacturing sector, 26% of respondents report that AI-based technology has been deployed, and 50% say it’s under development. These figures align with other industries, indicating that manufacturing has indeed embraced AI: KPMG Generative AI Survey Report: Industrial Manufacturing
- Read about the Elon Musk complaints here: Elon Musk bought a new PC laptop and ran into some tech issues, so he complained to Microsoft CEO Satya Nadella (msn.com)
- Learn More about Staff awareness and training NCSC CAF guidance – NCSC.GOV.UK