Cybersecurity for Manufacturers

OUTCOMES

KEY RECOMMENDATIONS


1. Create a public-private partnership focused on manufacturing supply chain cybersecurity.

2. Establish a federal research initiative to address both near-term and long-term cybersecurity challenges and opportunities. Fundamental research should address systems of systems engineering methodologies for cyber physical systems with designed-in cybersecurity and resilience, treating linked cyber spaces as systems design/interface risk problems.

3. Establish manufacturing industry-specific Information Sharing and Analysis Centers (ISACs), Information Sharing and Analysis Organizations (ISAOs), or similar organizations to facilitate fault-free, anonymous sharing of incidents, threats, vulnerabilities, best practices, and solutions. Existing ISACs/ISAOs provide models.

4. Establish an executive-level working group to provide a strong industry voice to advocate for and motivate industry action to strengthen cybersecurity.

5. Develop a comprehensive framework specifically for manufacturing supply chain cybersecurity, similar to existing frameworks on cybersecurity and cyber physical security.

IMPACT

Article: “Studies Say Manufacturers Increasingly Vulnerable To Cyberattack” by Craig Guillot (Chief Executive, 10/30/17)

Op-Ed: “A plan for defending US manufacturers from cyberattacks” by Sridhar Kota (The Hill, 10/20/17)

Article: “U.S. Manufacturers Are Prime Targets for Cyberattacks, Report Says” by Paul Huang (The Epoch Times, 9/25/17)

Congressional Briefing on Cyber Security for Manufacturers: In conjunction with the House Manufacturing Caucus, MForesight and CCC co-hosted a briefing on April 12, 2017 in Washington, DC which reported some of the outcomes from the workshop. Learn more about the event by reading our Report Out: Congressional Briefing on Cyber Security for Manufacturers.

DISSEMINATION



The National Association of Manufacturers hosted a webinar about the report on November 9.

Report Launch: Cybersecurity for Manufacturers

Thank you to those who joined us for the launch event of Cybersecurity for Manufacturers: Securing the Digitized and Connected Factory.

September 22, 2017

2:00 – 3:30 pm

Rayburn House Office Building, Room 2020

Washington, DC

The event included a panel discussion with experts:

Jim Davis, Vice Provost for Information Technology & Chief Academic Technology Officer, UCLA

David Vasko, Director of Advanced Technology, Rockwell Automation

Mike McGrath, Principal Consultant, McGrath Analytics LLC

Carol Hawk, Program Manager of Cyber Security for Energy Delivery Systems, Department of Energy

Donna Dodson, Chief Cybersecurity Advisor, NIST

Melinda K. Woods, Defense Production Act Title III Program Director, Office of the Secretary of Defense

Moderator: Mike Russo, Director and Corporate Lead, U.S. Government Affairs, GLOBALFOUNDRIES

ADDITIONAL RESOURCES

In September 2017, NIST released its “Cybersecurity Framework Manufacturing Profile” as a complement to the “Framework for Improving Critical Infrastructure Cybersecurity.” The Manufacturing Profile provides a roadmap for managing cybersecurity activities and reducing risk to manufacturing systems.

SPEAKER & ORGANIZERS

KEYNOTE SPEAKER

Ken Krieg runs Samford Global Strategies, a consulting practice focused on helping clients lead and manage through periods of strategic change. He is a member of the Board of Directors of BWX Technologies, Advantac, Lenovo US, Nexen US, and the Board of Trustees of LMI, as well as the SSA Board for GlobalFoundries and the Proxy Board for DRS Technologies. He serves on several CEO advisory boards and is also a senior fellow at CSIS. He is an Executive in Residence with Renaissance Strategic Advisors and a member of the Enlightenment Capital Board of Advisors.

He previously served as the Under Secretary of Defense for Acquisition, Technology and Logistics from June 2005 to July 2007. In that role, Mr. Krieg was responsible for advising the Secretary of Defense on all matters relating to the DoD acquisition system, research and development, advanced technology, developmental test and evaluation, production, logistics, installation management, military construction, procurement, environmental security, nuclear, chemical, and biological matters.

Before his appointment to USD (AT&L), Mr. Krieg served at the Department of Defense as Special Assistant to the Secretary and Director for Program Analysis & Evaluation. In this capacity, he led an organization that provides independent advice to the Secretary of Defense on a range of areas including defense systems, programs and investment alternatives as well as providing analytic support to planning and resource allocation.

He joined the Department of Defense in July 2001 to serve as the Executive Secretary of the Senior Executive Council (SEC). The SEC, comprised of the Secretary, Deputy Secretary, Service Secretaries and Under Secretary (AT&L), was responsible for leading initiatives to improve the management and organization of the Department of Defense.

Prior to joining the Department of Defense, Mr. Krieg worked for International Paper, most recently as Vice President and General Manager of the Office and Consumer Papers Division. He had responsibility for the company’s $1.4 billion retail, commercial office and consumer papers businesses. During his 11 years with IP, Mr. Krieg held roles as special assistant to the Chairman and CEO and in marketing, sales and business management and was actively involved in the merger of three major paper companies into International Paper.

Before moving to industry, Mr. Krieg worked in a number of defense and foreign policy assignments in Washington, DC, including positions at the White House, on the National Security Council Staff, and in the Office of the Secretary of Defense.

Mr. Krieg received his BA degree in history from Davidson College and his Masters in Public Policy from the Kennedy School of Government at Harvard University.

FEATURED SPEAKER

André J. Gudger served in the Obama administration as the Deputy Assistant Secretary of Defense (DASD) for Manufacturing and Industrial Base Policy (MIBP) and the Director of the Office of Small Business Programs at the Department of Defense (DoD). In his role at MIBP, Mr. Gudger was responsible for ensuring a robust, secure, resilient, and innovative industrial base to meet DoD’s needs. Mr. Gudger supported the Office of the Secretary of Defense by providing detailed analyses and in-depth understanding of the complex industrial supply chain essential to our national defense, and recommending or taking appropriate actions to maintain the health, integrity and technical superiority of that supply chain. Additionally, Mr. Gudger was the DoD lead for President Obama’s National Network of Manufacturing Innovation.

Prior to this role, Mr. Gudger served as the Director of the Office of Small Business Programs in the Department of Defense. In this role, Mr. Gudger served as the principal advisor to the Secretary of Defense on all small business matters, overseeing more than $120 billion of annual awards to small business.

Mr. Gudger received his Bachelor of Science degree from the University of Maryland-Baltimore County and performed his Master’s in Business Administration studies at the University of North Carolina Chapel Hill, Chinese University of Hong Kong, Erasmus University in Rotterdam, Tec de Monterrey in Mexico, FundacaoVargus University in Brazil, and Gdansk University in Poland.

ORGANIZERS

Michael Russo – Executive Committee Chair, MForesight

Sridhar Kota – Executive Director, MForesight

Jim Davis – UCLA and MForesight Leadership Council

Ann Drobnis – Director, CCC

Kevin Fu – University of Michigan and CCC Council

Greg Hager – Johns Hopkins and CCC Council

Overview/Motivation

MForesight, in collaboration with the Computing Community Consortium (CCC), hosted a visioning workshop on the emergent theme of Cyber Security for Manufacturers.

Cyber-attacks pose a growing threat not only to national security but also to U.S. economic competitiveness. Manufacturing firms are vulnerable to threats including sabotage of operations, alteration of data and product designs, and theft of intellectual property. The sector presents special security challenges because of the unique nature of interconnected supply chains, industrial control systems (ICSs), and operational technology (OT), which consist of networked machines, sensors, data, and software.

The cyber security experts and leaders from the private sector, federal government, and academic community in attendance will have the opportunity to contribute their knowledge and expertise to clarify manufacturing-specific cyber security challenges, identify emerging technology solutions, and define action items. The primary goal of the workshop is to provide actionable insights and recommendations that, if implemented, will benefit manufacturers of all sizes. All information shared will be considered information for public consumption and will not be attributed to specific individuals or organizations.

Day 1 will break down four key challenge areas into specific, addressable needs. Gaps will be identified and solutions and action items will be developed to address these gaps. The four key challenge areas are:

System Level Security: The focus of this breakout is the system level interaction of the IT and OT realms. The integration of multiple layers and types of software and the security challenges that happen at the gaps between those layers will be explored. System-level resilience will be addressed, as well as monitoring, patching, and assessing OT assets.

Integrity of Manufactured Goods: This breakout will focus on the integrity of manufactured goods, with an emphasis on protection and validation of design data across all platforms. Tampering and theft of designs and manufacturing parameters will be covered, along with the respective protection and verification of the data.

Machine to Machine Security: The focus of this breakout is the communication of manufacturing equipment with (1) its own internal elements, (2) other manufacturing equipment, and (3) its direct controlling software. Key issues here are protecting, verifying, and detecting issues with the “lowest level” manufacturing equipment data. Legacy systems will be a key focal point in this discussion.

Supply Chain to Factory Security: The focus of this breakout is what is sometimes called “through the perimeter” security. This is security of a manufacturing organization when working with suppliers, customers, service providers, and other outside entities. The focus will be on the future of manufacturing, where interconnectivity will be more prevalent, and data and access will be shared on a deeper level.

Day 2 will address cyber intelligence with the aim to investigate manufacturing-specific challenges in collecting, analyzing, and distributing threats, indicators, and adversaries. The appropriate security posture for manufacturers as well as the mechanics of performing the intelligence operations will be discussed. The role of academia, manufacturers, and different agencies in the government will also be covered. Breakout groups will cover the following three topics:

Intelligence Gathering: This breakout focuses on collecting, centralizing, and prioritizing threats and indicators, sourced both from manufacturers and academia. This includes the mechanics of how to best perform this, the privacy barriers, and the structure of public-private partnerships that can best accelerate manufacturing specific intelligence gathering.

Intelligence and Adversary Assessment: This breakout focuses on assessment of an adversary’s capabilities, intentions and activities, and using that assessment to inform manufacturers’ overall security posture. The discussion will not focus on the mechanics of the information transfer, but rather on the type of information and the role government defense and intelligence agencies can perform to assist manufacturers in defining their security priorities and overall posture.

Intelligence Sharing: This breakout focuses on sharing cyber threats, indicators, priorities and strategies. This will be discussed for manufacturer-to-manufacturer, government-to-manufacturer, and academia-to-manufacturer channels of information.


CCC’s Event Page

Workshop Agenda

A VISIONING WORKSHOP ON

CYBER SECURITY FOR MANUFACTURERS

MARCH 14-15, 2017 WESTIN ARLINGTON GATEWAY

801 NORTH GLEBE ROAD, ARLINGTON, VA, 22203

TUESDAY, MARCH 14, 2017

07:30 AM

Breakfast

08:00 AM

Check-in Begins

08:30 AM

Keynote: Kenneth Krieg, Former Under Secretary of Defense for Acquisition, Technology and Logistics

09:00 AM

Introductions

09:30 AM

Expected Outcomes

09:45 AM

Key Challenges

10:00 AM

BREAK

10:15 AM

Breakout 1

Break down key challenges into specific needs and prioritize. Output a list of group’s top priority needs to be addressed.

A. System level security and cyber-resilience

B. Integrity of manufacturing goods from design to the factory floor

C. Machine-to-machine security, especially legacy systems

D. Securely connecting the factory to the supply chain

11:15 AM

Group Outputs and Discussion

12:00 PM

Lunch and Networking

01:30 PM

Priority R&D and Implementation Gaps to Address

01:45 PM

Breakout 2

Explore potential solutions to fill gaps. Recommend and prioritize action items to realize solutions. Output key recommendations to be presented in discussion.

02:45 PM

BREAK

03:00 PM

Breakout 3

Repeat Breakout 2 for a different gap.

04:00 PM

Recommendations and Discussion

05:30 PM

Cocktail Reception

WEDNESDAY, MARCH 15, 2017

07:30 AM

Breakfast

08:30 AM

Today’s Objectives

08:40 AM

Key Challenges

09:00 AM

Breakout 4

Define specific needs associated with the challenge. Begin to recommend and prioritize action items to realize solutions.

Challenges:

A. Intelligence gathering: privacy, security, and efficiency

B. Intelligence and adversary assessment

C. Intelligence sharing in the supply chain

10:00 AM

BREAK

10:15 AM

Breakout 4 Continued

Finalize prioritization of action items and prepare recommendations to be presented in discussion.

11:00 AM

Recommendations, Discussion and Next Steps

11:55 AM

Closing Remarks and Evaluations

12:00 PM

Box Lunch and Networking

Contributors

Sean Atkinson, Global IT Compliance Manager – GLOBALFOUNDRIES

Kristen Baldwin, Acting Deputy Assistant Secretary of Defense for Systems Engineering – Department of Defense

Matt Blaze, Associate Professor of Computer and Information Science (CIS) – University of Pennsylvania

Glenn Bleiler, IT Director of Science, Manufacturing, Engineering Technology & Emerging Innovations – Corning

Benjamin Collar, Head of Cyber Security for the Americas – Siemens

David Corman, Program Director of Division of Computer and Network Systems (CISE/CNS) – National Science Foundation

Eric Cosman, Principal Consultant – OIT Concepts LLC

Darren Curtis – Office of Cooperative Threat Reduction, Department of State

Jim Davis, Vice Provost for Innovation – UCLA

Trish DiGiacomo, Director, Lab, Manufacturing and Distribution Security & Risk Management – Johnson & Johnson

John Everett, Program Manager – DARPA Information Innovation Office

Kim Finnigan, Government Relations, Regulatory Affairs & Strategic Initiatives – GLOBALFOUNDRIES

Robert Frazier, Chief Security Architect – Lockheed Martin

Kevin Fu, Associate Professor – University of Michigan

Sam Fuller, CTO emeritus – Analog Devices

Steve Gleason, Cyber Security Director – Micro Craft Inc.

Andre Gudger – Eccalon

Carl Gunter, Professor – University of Illinois

Greg Hager, Mandell Bellmore Professor of Computer Science – Johns Hopkins University

Vasant Honavar, Professor – Penn State University

Ken Hoyme, Director of Product Security – Boston Scientific

Mimi Hsu – Lockheed Martin

Rob Ivester, Deputy Director of the Advanced Manufacturing Office (AMO) – Office of Energy Efficiency and Renewable Energy (EERE), Department of Energy

Daniel Janisch, Engineering Director – Corning

Larry John, Principal Analyst – ANSER

Anupam Joshi, Director, UMBC Center for Cybersecurity Professor; Chair, Computer Science and Electrical Engineering – University of Maryland, Baltimore County

Kate Klemic, Research Scientist – Virginia Tech Applied Research Corporation

Bruce Kramer, Senior Advisor – National Science Foundation

Kenneth Krieg, Principal – Samford Global Strategies

Lee Lane, Chief Product Security Officer – Rockwell Automation

John Main, Program Manager, Defense Sciences Office – DARPA

Brynne McCord, Senior Program Manager, OSD Manufacturing Technology – Engility

Thomas McDermott, Executive Director – Digital Manufacturing and Design Innovation Institute (DMDII)

Michael McGrath, Principal Consultant – McGrath Analytics LLC

Beth Mynatt, Professor – Georgia Tech

Richard Naylor, Senior Cyber Advisor & Deputy Director CounterIntelligence – Defense Security Service, Department of Defense

Amanda Needham, Manager of Program Design – Digital Manufacturing and Design Innovation Institute (DMDII)

Sandeep Neema, Program Manager – DARPA Information Innovation Office

Andrew Nord – Office of Cooperative Threat Reduction, Department of State

Adam Porter, Executive Director – Fraunhofer USA

Greg Purdy, Research Assistant Professor – Virginia Tech Applied Research Corporation

Sudarsan Rachuri, Program Manager of CESMII – Department of Energy

Adele Ratcliff, Director of the DOD Manufacturing Technology (ManTech) Program – Manufacturing and Industrial Base Policy (MIBP), Department of Defense

Melinda Reed, Deputy Director for Program Protection – Office of the Deputy Assistant Secretary of Defense for Systems Engineering, Department of Defense

Ben Richardson, Deputy Director, Industrial Base Protection & Exploitation – Office of the Under Secretary of Defense for Intelligence, Department of Defense

Dan Rozinski, Manufacturing Technology Fellow – Dow Chemical

John Russell, Manufacturing Technology Fellow – National Science Foundation

Mike Russo, Senior Manager U.S. Government Relations & Regulatory Affairs – GLOBALFOUNDRIES

Brian Schott, CTO – Nimbis Services

Vyas Sekar, Assistant Professor, CyLab – Carnegie Mellon University

Scott Tousley, Deputy Director, Cyber Security R&D – Department of Homeland Security, Science & Technology

Charles Wessner, Research Professor of Practice – Georgetown University

Dan Wolf, President/CEO – Cyber Pack Ventures, Inc.

Melinda Woods, Defense Production Act Title III Program Director – Office of the Secretary of Defense, Department of Defense

Fen Zhao, Program Coordinator for the Secure and Trustworthy Cyberspace Program – National Science Foundation

John Zurcher, Program Manager of Federal Critical Infrastructure Assessments – Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)

MForesight’s work was supported by the National Science Foundation from 2015 to 2020 under Grant No. 1552534 to the University of Michigan (Dr. Sridhar Kota).

Please note that any opinions, findings, and conclusions or recommendations expressed on this website do not necessarily reflect the views of the National Science Foundation or the University of Michigan.
