I’ve written about cybersecurity for a variety of industries––helping companies protect themselves is what I do. Foundries are not exempt from attacks and have a lot to lose if cyber thieves succeed in penetrating your digital systems.

Of course you know, castings are everywhere, and they’re vital to our world. They’re in our cars and trucks, airplanes, and locomotives. They’re in appliances large and small. Just about every product with a motor likely has a casting of one type or another. Castings are the basic building blocks of modern manufacturing. But before I address the serious cyber threats to your business, I’d like to tell you my own story why metalcasting is particularly special to me.

When Your Dad Owns a Foundry

As a child, I spent many a day working in my dad’s foundry. Midwest Metalcasters was a boutique foundry located in Chicago, my hometown where I grew up. Midwest Metalcasters specialized in all sorts of parts, large and small. Aluminum, brass, steel, and other exotic alloys. One-off artist sculptures, submarine impellers, and more commonly the simple parts inside other machines where castings were the most economical choice.

I went to Albert G. Lane Technical High School, where, in the early 1990s, the mostly college- prep-oriented school still offered technical training, and as an upperclassman you could learn a trade like metal casting, wood working, or print press operating and spend the afternoons at a local company apprenticing.

Lane Tech had a foundry, and even though I told my school advisor I already knew all about casting and wanted to take auto shop instead, somehow they still signed me up for the class. In our third week, we were instructed  to make an aluminum Lane Tech emblem, about 6x6 inches. We cast a couple in class and they turned out pretty shabby!

So, I took my best version to my dad’s shop after school and used it to make a really good pattern, then molded it and poured a high chromium aluminum alloy. After a lot of grinding and polishing, the Lane emblem gleamed like a chrome bumper. Later that week, I handed it to the teacher, and he gasped and said “Where the heck did you get this!?” I told him what I did, and he said, “Make me two more of these and you get an A––and you don’t have to come back to class ever again.” I spent the rest of the semester in the weight room working out. That emblem is on display in the school hallway to this day.

Pardon My Detour

Of course, the castings we are concerned with here don’t reside in school trophy cases. They are essential components of our most valuable technology and manufacturing capabilities and are a lucrative cybercrime target for bad actors across the world. 

Castings are utilized in every one of the U.S. government’s Critical Infrastructure sectors. If you run a foundry with government contracts or that executes programs that are part of protected intellectual property, you are particularly attractive to cyber criminals. I could tell you “spycraft tales” of foreign agents on manufacturing tours with sticky shoes looking to “walk off” with metal shavings in order to reverse engineer the metal alloys. 

Today, efforts to steal IP are more about acquiring data and information. Every manufacturer, without exception, can be a legitimate target and susceptible to cybersecurity attacks. 

Additionally, phishing and ransomware attacks remain at epidemic levels, and supply chain attacks are also very, very common in the manufacturing sector. If your foundry has a computer system that is connected to the internet/the cloud, or if your manufacturing processes rely on Operational Technology (OT), you are susceptible to these types of threats. 

The Double Whammy

Given that commercial foundries and mills play such an important role in these Critical infrastructure (CIs) sectors, we must pay close attention to a “double whammy” supply chain effect. I’ll explain.

Most products made in service of CIs depend on the manufacturing sector, and that manufacturing sector depends on castings. For example, you can’t have a functioning gasoline engine without a cast engine block. And you can’t even get started completing that assembly of gaskets, hoses, spark plugs, and valves without starting with the block first. The government group known as the Cybersecurity and Infrastructure Security Agency (CISA) frames it this way: “The Critical Manufacturing Sector is crucial to the economic prosperity and continuity of the United States. A direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple critical infrastructure sectors.”  

As part of this nested supply chain, foundry executives need to understand the nature of cybersecurity threats both upstream from suppliers to the foundry (ingots, crucibles, sand, oil, etc.) as well as downstream as supply other critical segments like those in the CI sectors of transportation, energy, utilities, and others. Cybersecurity breaches within the total supply chain are the costliest and the most difficult to identify, causing operational interruption in the foundry as well as to our downstream customers. This potential domino effect to our critical infrastructure is frightening to think about, not to mention an enormous cost to organizations in terms of time, supply, reputation damage, as well as the total bottom line. 

Every foundry executive who’s losing sleep at night about these doomsday scenarios should also know that they need not be totally defenseless and completely vulnerable to cyber-attacks. There are three very important areas that can be addressed to help effectively fight the war on cybercrime by focusing on people (security training), process (policy guardrails), and basic cyber technology (multi-factor authentication, as one of many examples).  

Prioritize the People

While technical tools are very important to cyber programs, it all comes down to a people-first approach. Your workforce is your greatest asset and needs to be appropriately trained, supported, and empowered to ensure you are as safe as you can be against cyber threats. Achieving the right level of protection is all about operating a robust cybersecurity program.

A successful cyber program always begins with risk management. It is critically important to identify, understand, and evaluate all risk inputs in order to create a successful mitigation plan. A cyber risk analysis and subsequent plan is a living document that is constantly being updated and evaluated based on changing conditions both inside and outside of the manufacturing organization. 

After determining your company’s cyber risk profile, a successful cybersecurity program will inevitably include a variety of other important domains, such as dedicated executive cyber governance, effectively managing vendors, providing for incident response, implementing effective security controls, authoring durable policies and plans, training your workforce, and measuring your cyber readiness now and over time. Building and operating an effective cybersecurity program is a continuous endeavor, and foundries must remain vigilant every day. 

In summary, there are many basic activities to undertake, tools to implement, and plans to author that can, over time, result in an affordable and properly-built and maintained cybersecurity program. Foundries need not be more vulnerable to cyber-attacks than any other well-known industry that spends a lot of time, effort, and resources securing their assets, such as banking. In other words, it’s completely possible to keep your foundry running cyber-safely, and in the aggregate, working to ensure the United States manufacturing ecosystem remains robust and a powerhouse of the larger American economy. And maybe along the way, we cast a shiny emblem or two just for fun.

Go Lane Tech!