Plant floor cyber security—is it on your agenda?

What is the cyber landscape for Consumer Packaged Goods companies? How great is the risk of getting hacked? Maybe it’s time we took a closer look at cyber security.

Plant floor cyber security is among today’s most serious threats facing our individual manufacturing enterprises and our collective national security. Yet the potential of the Internet to radically and constructively transform our businesses is undeniable. The key will be to strike appropriate balances between security and productivity and between risk and revenue streams. The decisions to be made in this regard are C-suite decisions, to be overseen by boards of directors. As engineers and managers, if we are to be recognized in the C-suite of our company, it had best be as part of the solution and not as the cause of the problem. We cannot allow the hype over the industrial Internet of things (IIoT) to lure us into positions of vulnerability. We must be certain that plant floor cyber security has been adequately addressed, before we do anything that may expose our operations.

This two-part article is not intended as a how-to guide, but rather a why-should guide. This month we will dig deeply into why should a reader of Packaging World—whether a packager, an equipment supplier, or a material supplier—be actively engaged in cyber security discussions at the highest levels of their company? Why should educators, professional organizations, lobbyists and others who work with these industries be part of the discussion? Next month we will suggest some of the areas that should be considered, some strategies that could be employed, and some resources that can be drawn upon in the process of turning discussions into action.

The cyber landscape for CPGs
Consumer Packaged Goods manufacturers (CPGs) in particular, and hybrid manufacturers in general, are being largely overlooked in cyber security oversight. Major sections of the process industries, as part of our critical energy infrastructure, are required by law to address cyber security. Discrete manufacturers, especially those involved in manufacturing parts for small arms and major weapons systems, are being coached and prodded by the Departments of Defense and Homeland Security to close cyber security loopholes. The 19th annual ARC Industry Forum held this past February included a day of standing-room-only workshops on cyber security conducted by The Automation Federation and Department of Homeland Security (DHS), and the topic was on the agenda throughout the remaining 2½-day conference with speakers from DHS, the FBI, NIST, Chevron, Shell, MIT, 3M, major utility providers, and a variety of technology providers. But scanning the attendee list shows that the conference was significantly under-represented by packagers, small process operators, and process and packaging machinery builders.

Hybrid manufacturers and their packaging and processing equipment suppliers are being left largely to their own devices to recognize and address the plant floor cyber threat. My research suggests that only the largest among them are actually taking adequate steps to address the problem. Best practices would include those whose boards have directed steps be taken to secure the shop floor, provided funding to do so, and set their internal audit departments about the task of testing and reporting on progress. To execute these directives, one CPG company has established an engineering function with the term “security” in its charter and name, and one has been working jointly with the nuclear industry to develop world-class protections and processes.

At PACK EXPO Las Vegas 2003, the OMAC Packaging Workgroup sponsored a paper on the topic of plant floor network security. That paper presented one leading CPG company’s plan for securing its plant control networks while allowing for remote access by employees and vendors. Twelve years later, most manufacturers have yet to achieve the levels of security described at that time. But given today’s threats, those levels are no longer adequate. The fundamental difference between then and now is that 10 years ago, we were still focusing on protecting our shop floors from the mistakes or oversights of our own well-meaning but perhaps uninformed employees and trusted vendors. We did not wish to risk the safety of our products, machines or workforce to some accidental intrusion across our networks that might cause our systems to temporarily go out of control. Fast forward now past the Stuxnet, Target, and Home Depot breaches; the state actors who have breached Sony and the White House; those who use cyber intrusion as a means of terrorism or war; and the 3 billion Internet users around the world, some of whom may simply choose to allay their boredom by trying to disrupt one of the world’s branded icons—and we find ourselves looking at “network security” in a whole new light.

There has been no more important time in history for CPGs to interact with power, water, wastewater, oil & gas, chemical, nuclear, and defense industries to share best practices; but unfortunately, CPGs seem to have leaned out their manufacturing technical staffs to the point that there are few left to do this, and the industry has largely stopped sponsoring the kind of multi-vendor and multi-sector events that historically provided developmental and informal benchmarking opportunities for engineers and managers. One exception may be The Automation Conference (TAC), sponsored by the publishers of this magazine and growing in popularity among a variety of segments. I am convinced that the web does not adequately replace face-to-face opportunities to interact across disciplines, sectors, and levels of experience to help people understand that they don’t know what they don’t know.

In February of this year, President Obama signed an Executive Order entitled “Promoting Private Sector Cybersecurity Information Sharing.” Companies don’t like to share the fact that they are being targeted, and they certainly don’t want to talk about having been breached. They don’t want to share how they are protected, because knowing a target’s defenses can be a key to defeating them. And in a world where sharing the tiniest bit of information with the public can open you up for patent trolls to come knocking, such as occurred when CPGs were drawn into the well-known Solaia lawsuits a decade ago, maintaining total silence seems the least risky action. But is it? I can say that the president’s executive order did not make my research for this article any easier.

Why worry about shop floor systems?
A white paper published by the National Defense Industrial Association (NDIA) cites a number of reports and statistics about the persistence of cyber attacks on manufacturers, including this statement from McAfee’s 2012 Threat Predictions: “Attackers tend to go after systems that can be successfully compromised, and industrial control systems have shown themselves to be a target-rich environment.” The NDIA report cites three categories of concern for manufacturers: 1) theft of confidential technical data, 2) alteration of data affecting process and product integrity, and 3) impairment or denial of process control, reducing manufacturing availability. These three make up the C-I-A concerns of plant floor cybersecurity.

In testimony before a Senate committee, a National Association of Manufacturers (NAM) spokesperson said, “As holders of the world’s leading intellectual property, including designs, patents, and trade secrets, manufacturers are consistently targeted by cyber thieves.” Cyber attacks have been documented to have blown up a pipeline and to have disabled a steel mill, preventing the blast furnace from being shut down. Over 500 breaches were recorded by Verizon against manufacturers in 2014, probably far fewer than actually occurred.

As our factories have transitioned from analog to digital, as our controllers have become self-documenting, as our process flows have become available at-line, and as our operator interfaces have become fully graphic, perhaps the most complete sets of product specifications and formulations actually reside within our shop floor control systems. While the information in the corporate product data management (PDM) system contains the master specifications, those specs and the real-life specifications about how the product is really made reside on the shop floor, in a digital format that can be transferred onto a USB drive, someone’s smart phone, or a message over the Internet. The same can be said for equipment suppliers’ intellectual property that resides in their machines, often IP beyond that which is actually being used for a particular application. Security experts have pointed out that there is no point in a criminal attacking the PDM system when the same information is available in much softer targets, where confidentiality may be breached. This scenario represents the C in the C-I-A concerns.

One individual I spoke with in preparing this article linked cyber security with the Food Safety Modernization Act (FSMA) and Food Safety Defense Plans. Processors must ensure the safety of their foods, requiring security of the facilities and supply chains, which must include cyber security. Someone bent on adulterating an ingredient or a finished product no longer need be physically present to do so. What about hacking the HVAC or refrigeration systems to cause spoilage over a weekend? Or perhaps that network needn’t be hacked at all, because an employee of the company monitoring your utilities needs a little extra income and lives in a culture that finds no issue with accepting a bribe. Since many factory floor cyber security plans ignore device networks, could someone easily gain access to yours to change the calibration of a sterilization loop or a canning process? One temperature transmitter may supply data to both the process control and the quality control system, and by recalibrating it for an hour every week, a factory might turn out a couple pallets of unsafe material every week without anyone ever taking notice. These examples point out loss of integrity, the I in C-I-A.
