The industrial internet of things (IIoT) promises to bring significant efficiencies to factories, helping to optimize processes and lower production costs. Machine tools outfitted with the right sensors can evaluate their own states of health and signal when they need maintenance. Different pieces of equipment can talk to each other and to employees.

As with many good things, the IIoT has a downside: connected devices, whether they are smartphones, laptops or CNC tools, are vulnerable to hacking attempts. Successful hackers can hijack machine control, steal corporate information and plant malicious software, to name a few consequences of inadequate security. Even if a company’s IT department provides excellent security for visible devices, IIoT devices often remain forgotten and unprotected. For example, enterprising hackers gained access to a casino’s database through a fish tank thermometer.

As with the vulnerable fish tank thermometer, potential IIoT threats come from different places with different intents. Ideally, every connected device would be identified and protected before they are turned on. In an imperfect world, backtracking to pinpoint unprotected devices and lax security practices will enable plant security staff to plug these holes.

Hijacking a CNC

Factories have had CNC tools for decades. Since these machines have been part of the landscape for so long, a connected machine could be easily overlooked as a potential security problem. A hacker need not use this machine to access any other connected device in order to cause trouble. Reprogramming a tool could result in the production of faulty parts or software theft. A hacker could also lock out legitimate users.

Securing a CNC machine is not rocket science. Install a robust firewall, implement more sophisticated user authentication tools and apply operating system and software updates as appropriate.

Data theft

Hackers can steal code from a machine tool. They can also use their illegitimate access to access all manner of corporate information: financials, product design, planning and personnel records. A common technique is to capture corporate data and export it to another server. Vectra, owners of Cognito security software, calls this activity data smuggling. In such cases, the hacker uses an IIoT device as a gateway to valuable corporate records.

Hackers that are cruising around a corporate network leave signs of their activity. By regularly and carefully monitoring network activity, cybersecurity staff can notice these signs and investigate further.

Inadequate passwords

Despite heightened awareness of the need for computer security, and unbreakable passwords, the most favorite password of 2018 was 123456, unchanged from 2017. The second favorite, also unchanged, was “password.” Using overly simplistic and popular passwords and failing to change the password assigned to a device at the factory are common practices that leave connected devices vulnerable. Another issue is the failure to encrypt passwords.

Lack of commitment to cybersecurity

A 2018 report revealed that 29% of organizations actively monitor connected device risks despite the overwhelming agreement that such monitoring is important (97%). The same report pointed out that C-suite executives often do not understand the nature of the risk. This lack of understanding can translate to a lack of commitment to cybersecurity and often a lack of the funding necessary to implement it. On the shop floor, when multiple employees use the same machinery the chances for security lapses increase. All a hacker needs is one person that fails to follow security guidelines — that leaves the door open — to gain access to the factory network and devices.

Building commitment requires raising awareness of the potentially disastrous effects of lax cybersecurity. Colleagues at different levels need to learn that cyber threats are real — in small shops as well as large corporations — and that security is not a luxury but a necessity. Resources suitable for different audiences are readily available; IEEE’s impartial white paper on best practices is one good place to start.