Meltdown in the Making: Why Foundry Cybersecurity Can’t Be Cast Aside

Several Contributors

Why is it that more foundries aren’t taking greater steps to protect their most sensitive data assets? The barriers they often cite are a lack of trained security staff and inadequate budgets. However, given the enormous costs associated with a data breach, failing to protect against today’s dynamic threat environment could prove disastrous.  

The number of cyberattacks is escalating rapidly and the emergence of new types of attacks is a business and technology reality. The current approach of simply using firewalls and anti-virus scanners is proving less effective every day, so a more holistic approach is needed. 

It is time for foundry executives, owners, and boards to understand that security is a business policy to implement and maintain, not a technology “product” to buy. Cybersecurity technology tools are just one of the many means of implementing the security policies of the organization.

Three Common Myths in the Foundry 

There are several myths about cybersecurity in the manufacturing/metalcasting industry, so let’s dispel them. 

Myth 1: We are too small to be attacked. There is a common mistaken belief that hackers target only large companies because they are high-value targets. The truth is, manufacturing companies are the third-largest target after the financial and information/communication industries. This appears to be related to the presence of legacy and outdated systems, lower barriers to entry, and more vulnerabilities compared to other industries.

Myth 2: Hackers attack us from outside. While foundries can be targets of external hackers, competitors, and hostile foreign threat actors, manufacturing companies also face potential threats from errant employees, contractors, and vendors. Phishing attacks––malicious emails opened and triggered accidentally by employees––can give hackers access to internal networks. We must also guard against intentional, accidental, and erroneous actions by employees and contractors who have access to internal computer resources. This is similar to what accounting and finance departments face in any enterprise––there must be checks and balances, monitoring, supervision, and auditing to manage both internal and external risks.

Myth 3: Cybersecurity/IT teams should be accountable for any data breaches. While your IT team is great for implementation, technology review, and recommendations, due care and due diligence are the domains of CEOs, CFOs, and the company Board. While IT managers are responsible for cybersecurity-related activities, the accountability for the company’s overall security rests on the shoulders of the Board and the C-suite.

Common Threats for Foundries 

Two industry cybersecurity reports found that manufacturing is the most attacked industry in recent years, receiving 23% of the attacks and reaching a global average of $4.24 million in data breach costs. About half of manufacturing companies experienced an attack on their cloud infrastructure in 2020-2021. The most common type of attack was phishing, but account and supply chain compromise also occur more frequently in the manufacturing sector.  

Ransomware Attacks. About 10 years ago, ransomware attacks consisted of malware infections of computer networks, resulting in encryption and locking of computer files. In the past, a single hacker would then demand a ransom and provide a key to unlock the encrypted files when the ransom was paid. If the IT team had reliable back-ups, they could ignore the attacker, lock the potential entry points, and restore their operations. While it could be inconvenient, reliable back-ups saved the day.  

Not so today. Modern-day ransomware is often committed by teams of hackers that penetrate your network, study your systems for a few months, find key areas of information, track your back-up procedures, and identify key decision makers. They will not only encrypt your key data but exfiltrate it (take your data out) and threaten to publish it. And they will cut off access to your back-up files until you pay the ransom.

Business Email Compromise. Hackers use a variety of techniques to access the email accounts of C-suite level executives. They use this access to order wire transfers and conduct other fraudulent activities. In 2021, the IC3 (Internet Crime Complaint Center) received 19,954 Business Email Compromise (BEC)/Email Account Compromise (EAC) complaints, which led to losses of nearly $2.4 billion.

BEC/EAC is a sophisticated scam targeting both businesses and individuals performing transfers of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. Think of your email account like a secure toolroom. Hackers might sneak in by social manipulation (fake phone calls or a fake employee) or brute force (breaking down the door). Once inside, they can grab valuable tools (funding) and misuse them. This scam is like taking over that toolroom and using it to steal parts or send out bogus orders.

Intellectual Property Theft. Many manufacturing company managers do not realize they have access to the company’s intellectual property and that of their customers. It is important for them to understand that industrial espionage has transformed in this day of easy access to electronic material. Cybertheft could involve pricing quotes, blueprints, proprietary process information, and cost structures. If you are a supplier to the defense industry, enemy nation states could target your company to find our nation’s secrets.  

Foundries are an essential and important part of the nation’s infrastructure. As suppliers and customers, a disruption at a foundry can ripple through the nation’s supply chain. If you are a U.S. defense contractor, please study the requirements at https://cmmcab.org.

In addition, many foundries store the personal information of their employees and contractors, and in some cases, the credit card information of their customers. Hackers can and will target this information to sell on criminal online markets or use it for nefarious purposes.

Your Organizational Framework for Cybersecurity 

There are several technology tools available to the IT manager to find vulnerabilities in information technologies and ways to remediate and mitigate potential threats to the business. But again, the ultimate security of the enterprise depends on the board and senior executives of the foundry. They are ultimately accountable for maintaining and preserving the security of their organizations and for planning appropriate corrective actions in the event of security incidents.

Remember, criminal hackers and other nefarious actors are actively seeking out vulnerabilities in smaller manufacturing companies, including foundries, which typically do not have large cybersecurity budgets. NIST’s Manufacturing Extension Partnership (MEP) has many cybersecurity resources available for manufacturers, including industry-specific guidance, solutions, and training that is practical, actionable, and cost-effective.  

The main approach is a continuous, step-by-step cycle: identify the key assets, threats, and vulnerabilities; protect those key assets; detect malicious activity; and respond to and recover from security incidents.

Following are specific key considerations to help build a better strategy. 

Key Asset List. One important aspect of cybersecurity is that you must consider all technology and equipment as vulnerable and in need of protection, especially legacy hardware and software. While a certain device may be considered “sacrificial” or not business critical, it may be a vulnerability that allows unwanted access to mission-critical data or technology. For example, a well-known cyber-attack on a top-10 American retailer occurred when the control module of an autonomous air conditioning system was compromised and enabled hackers to eventually gain access to the company’s critical retail and credit card information. While this company might have believed there was not much risk in giving an outside party administrative access to the AC unit, it introduced a vulnerability to the entire network and all important and protected business data. The lesson is that any device reachable from the business network, however trivial it seems, belongs on the asset list and should be separated from critical systems. Companies must balance the benefits of IoT with the loss of control and added vulnerability to their internal and secure networks.

Due Diligence. There are many opportunities for outsourcing your company’s cybersecurity needs. Depending on the size, experience, and acumen of your IT team, network monitoring and updating, patching servers and workstations, and firewall administration can all be contracted to a company that specializes in cybersecurity. User training and penetration testing are two areas that would particularly benefit from outside expertise.

Cybersecurity due diligence has several important aspects that must be considered, including a review of the governance, processes, and controls in place and agreed upon by management at your company. The goal is to monitor and identify threats and protect against possible cyber risks and vulnerabilities. A standard list of cybersecurity factors that has been widely accepted and discussed is the 5 Cs: Change, Compliance, Cost, Continuity, and Coverage. Using these factors can help manufacturing companies with an unestablished or poor cybersecurity policy create one that is comprehensive and effective.

Business Continuity Plans. Most foundries have good business continuity plans––care should be taken to incorporate cybersecurity into their existing plans.  

A crucial factor to consider: Never assume your business continuity plan is final––it is a work in progress. You should make time to evaluate it regularly, update it often, and make sure everyone in the business is aware of their roles. Over the last couple of years, we’ve seen a shift in backup/restore methodologies. Just having a procedure for reliable backup and restore is no longer sufficient. A company must consider factors like recovery time objective (RTO) and recovery point objective (RPO), which are standard industry measures of the time and data that could be lost during an outage. Additionally, you want to make sure that hackers are not able to access your back-ups (for example, by keeping a copy offline or otherwise unmodifiable), in the unlikely event they infect your network with encryption malware.
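As an added illustration that is not part of the article, the following Python script evaluates a backup-job history against RTO and RPO targets: the worst-case RPO is the longest gap between two successful backups (a failed nightly job widens it), and the RTO is the longest restore test actually measured, or unknown if no restore has ever been tested. The log format, job names, and the 24-hour/4-hour targets are assumptions for the example.

```python
from datetime import datetime

# Constructed sample backup-job log (not from the article):
# "timestamp,job,status,duration_minutes", one job per line.
SAMPLE_LOG = """\
2024-03-01T02:00:00,backup,success,35
2024-03-02T02:00:00,backup,success,40
2024-03-03T02:00:00,backup,failed,5
2024-03-04T02:00:00,backup,success,38
2024-03-04T14:00:00,restore_test,success,310
"""

def parse_log(text):
    rows = []
    for line in text.strip().splitlines():
        ts, job, status, minutes = line.split(",")
        rows.append((datetime.fromisoformat(ts), job, status, int(minutes)))
    return rows

def worst_case_rpo_hours(rows):
    """Longest gap between consecutive *successful* backups: the most data
    a restore could lose. Failed jobs are skipped, which is what widens the gap."""
    ok = sorted(r[0] for r in rows if r[1] == "backup" and r[2] == "success")
    gaps = [(b - a).total_seconds() / 3600 for a, b in zip(ok, ok[1:])]
    return max(gaps) if gaps else float("inf")

def measured_rto_hours(rows):
    """Longest successful restore test on record; None means RTO was never measured."""
    tests = [r[3] for r in rows if r[1] == "restore_test" and r[2] == "success"]
    return max(tests) / 60 if tests else None

def evaluate(text, rpo_target_h, rto_target_h):
    """Compare the log against the plan's targets and list every violation."""
    rows = parse_log(text)
    rpo = worst_case_rpo_hours(rows)
    rto = measured_rto_hours(rows)
    findings = []
    if rpo > rpo_target_h:
        findings.append(f"RPO {rpo:.0f}h exceeds target {rpo_target_h}h")
    if rto is None:
        findings.append("RTO unknown: no successful restore test on record")
    elif rto > rto_target_h:
        findings.append(f"RTO {rto:.1f}h exceeds target {rto_target_h}h")
    return {"rpo_hours": rpo, "rto_hours": rto, "findings": findings}

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG, 24, 4)["findings"]:
        print(f)
```

With the sample log, the failed job on March 3 stretches the worst-case RPO to 48 hours and the only restore test took just over 5 hours, so both targets are reported as missed.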

Cybersecurity Talent. Role-based training is important for everyone in the organization, especially senior managers. Consider training IT and financial personnel for cybersecurity roles––great certification programs and university programs are available.  

IT Budgets. The goal is not necessarily to acquire the most modern and technologically advanced solutions, which may end up being expensive but not effective. Several time-tested technologies are available that are reasonably priced and effective. Create reasonable budgets and measure the effectiveness of investments in the various cyber technologies and education programs.

Stay Current. Several government and other resources are available to help manufacturing companies keep track of the latest threats to the manufacturing industry. (See sidebar on page XX.) Foundries need to do a better job of cooperating and coordinating their efforts with federal, state, and local authorities, as well as their industry groups. We, as an industry, already do that well with our metalcasting technologies and practices.

The company’s board of directors and senior management must be involved in and support their company’s cybersecurity strategy, and must continue to be updated on all activity and defense efforts. Cybersecurity is everyone’s business. We suggest a risk-based approach to the management of cyberthreats and existing vulnerabilities––integrate cybersecurity into your company's business and manufacturing activities. This includes awareness training, budget, and communication policies. This matter will continue to be important for foundries, and ongoing research and cooperation are suggested between foundries, government organizations, and manufacturing associations.