
EVENTS


CMTS connects attendees digitally and in-person

BY MARYAM FARAG

The Canadian Manufacturing Technology Show (CMTS) recently took place at The International Centre in Toronto, Ont. CMTS offered a mix of live technology on display, with keynotes, panel discussions and technical sessions. CMTS LIVE! digital experience was a new feature at CMTS 2021, which was a digital complement to the in-person event and was available during and after CMTS for 60 days.

The event featured manufacturing technologies at over 100 exhibits. The advanced manufacturing space included additive manufacturing, automation, robotics, design engineering, Industry 4.0 and IIoT. The machining and metalworking space included machine tools, tooling and work holding, metalworking, measurement and inspection, and finishings and coatings.

Day one’s keynote “Geopolitical Risks and How to Manage Them” was presented by Courtney Rickert McCaffrey, EY Geostrategic Business Group. She explored the key political risks manufacturers face and how they can manage them in today’s volatile global environment.

Day one also saw a panel presentation, “Building a Resilient Supply Chain: Enabling Speed and Agility to Protect your Customer and your Bottom Line.” Panelists outlined what a resilient supply chain looks like, how to identify risk across a global value network, and what is being done to protect customers from a wide variety of supply chain disruptions.

On day two, Mike Brownhill, Export Development Canada, discussed how manufacturing companies have navigated disruptive events, sharing lessons learned over the years from companies that have survived and thrived through challenging circumstances, and how these lessons can be applied going forward. In his keynote presentation “Back to Global Business: Managing Risk & Seizing Opportunity Amongst Black Swans,” Brownhill also shared how opportunities are developing for companies focused on ESG (environmental, social, and governance) in their operations.

Jayson Myers and Gillian Sheldon from NGen outlined how manufacturers need a plan now to turn challenges into business opportunities, and how advanced technologies will play a role.

Day three’s keynote “Our Real Electric Future” was presented by Flavio Volpe, Automotive Parts Manufacturers’ Association, who discussed electrification of the automobile, governments’ switch-over by 2035, and the “real future - a mix of successes and failures of the tug-of-war over retiring internal combustion.” Day three’s panel “Driving Transformation: Enhancing Wellness, Safety, and Security in Manufacturing” was moderated by Erin Hartnett, TELUS Business, with panelists Damien Johnston and Marshall Berkin, TELUS Business, and Mathew Wilson, Canadian Manufacturers and Exporters. They discussed how manufacturing leaders can bridge the digital divide by integrating new technologies to overcome key industry issues such as attracting and retaining talent amid a skills shortage, increasing employee engagement and productivity by prioritizing health and well-being, creating safer work environments for workers, and mitigating the potential risk and cost of a cyberattack.

On the final day, the keynote focused on “Building the Manufacturing Workforce for the Future”. Robert Cattle, Executive Director, Canadian Tooling & Machining Association (CTMA) discussed the CTMA Career Ready program, its focus and how companies and people can participate in it, Ontario’s current school systems, and how to help build the manufacturing workforce for the future.

Day four also saw a panel discussion themed “Welder Education for Today’s Workforce”, moderated by Trent Konrad, Canadian Welding Bureau. Panelists Kevin Bryenton, Ironworkers International, Ray Lemieux, UA Canada, and Scott Wideman, Volkswagen Group Canada Inc., discussed how organizations and businesses adapt to technologies, training, recruitment, retention, and overall productivity, while outlining some of the current challenges in the welding industry.

Annex Business Media was a part of the event, as media sponsor and exhibitor, representing its manufacturing group brands: PLANT, Machinery and Equipment MRO, Canadian Manufacturing, Design Engineering, and Manufacturing Automation.

Panel discussions, keynotes, and technical sessions took place at the Smart Theatre/ SME Zone.

Why investing in online training is not enough to avoid a cyberthreat

To suggest cyberthreats are new would be naive.

BY SHAWN CASEMORE

Every day, there are increasing numbers of business owners and executives that I meet with who have faced at least one cyberthreat. In the past, the answer was to look at increasing the frequency of backups and creating stronger firewalls for company servers. Problem is the cyberterrorists are becoming increasingly brash and strategic in their threats.

It was only a couple of years ago now that I participated in a roundtable discussion with several Canadian manufacturers. During the discussion, three out of the four company presidents had faced a cyberthreat of some kind.

Since what we’ve been doing no longer seems sufficient, I reached out and spoke with Carmine Tiano, President of Manawa Networks, to understand what today’s cybercriminals are up to, and, more importantly, what manufacturing leaders need to be cognizant of.

According to Tiano, “most people think the greatest cyber risks originate from outside their company, but that’s not entirely true. Internal threats pose the greatest risk.”

This didn’t come as a major surprise, considering the number of clients I’m working with who have me complete their now-standard “KnowBe4” training, an online, skills-based learning platform for helping employees become more educated on cyberthreats.

But is investing in online training for your employees enough to overcome increasingly sophisticated cyberthreats?

In my experience, working with sales teams and their leaders, online training can be a good supplement and aid to reinforce face-to-face learnings, but is typically insufficient to ensure an effective transfer of skills.

It’s akin to thinking that you can get your pilot’s licence without ever having stepped foot in an airplane.

When I asked Tiano his thoughts, he shared that phishing is likely the greatest threat any manufacturer faces, and although some phishing training and simulations are a great thing to do, additional controls and measures are strongly encouraged.

The most effective controls he suggests can include:
• Mandatory vacation time that in turn allows others to rotate into their job, ensuring employees don’t operate in a bubble.
• Helping educate employees on less common but increasingly popular cyberthreats, including vishing (voicemail fraud).
• Ensuring executives are aware of the threats associated with whaling (targeting a CEO or executive).
• Adding controls that ensure no one person can transfer money outside the organization without validating the recipient’s identification.

Tiano, who has been working with manufacturers to help them develop a more strategic approach to creating value through their IT infrastructure, shares that some hackers are even going so far as to pay disgruntled employees to co-conspire with them for a portion of the ransom.

Although this may seem far-fetched, it provides insights into just how far these hackers will go to make money and cause chaos.

What can you do?

When it comes to cybersecurity, as with any other risk to your business, taking a combination of both mitigating and contingent actions is key to ensuring the threat is minimized.

Some training might be a good start, but it’s not enough.

Only by introducing a combination of training, controls, and additional measures can manufacturers protect themselves, their shareholders, and customers from outside threats.

Keep proper hard hat use top of mind

Although masks may be dominating the headlines lately for their role in public safety, you’d be hard pressed to find a more universal workplace safety symbol than the hard hat.

BY CANADIAN CENTRE FOR OCCUPATIONAL HEALTH AND SAFETY

And with good reason: head injuries, which a hard hat can be designed to help prevent, can be among the most life-altering for workers.

But not all hard hats are created equal, and they require regular cleaning and care to effectively protect workers from injury. Employers have a responsibility to train and educate workers on the proper selection, fit, maintenance, and use of all personal protective equipment.

Here’s how to get started:

Why wear a hard hat?

Your workers know that hard hat use is mandatory in certain areas of the plant, but do they know why?

A deeper understanding of the hard hat’s function, such as protecting the worker from the impact of falling objects or tools and, when designed to do so, reducing the risk of shock from contact with electrical hazards, is a great motivator to make sure their hard hats are in good working condition.

You can also help drive home the importance of proper hard hat use by outlining some of the preventable injuries that occur due to improper hard hat use, ranging from injuries like cuts and bruises to the more serious concussions and traumatic brain injuries.

The right hard hat for your plant

Some workplaces require everyone to wear a hard hat. The class and type of headwear will depend on your workplace’s risk assessment of the work being performed and on your jurisdiction’s legislation.

Most legislation in Canada references CSA Standard Z94.1 Industrial protective headwear – performance, selection, care, and use. In the absence of a requirement, this standard is a good guidance document to follow.

It’s good practice to include hard hat training as part of your onboarding process and as part of ongoing training. Even the most experienced worker will benefit from a review on proper fit and care. They may also need to upgrade to the required type of hard hat for your workplace.

Classes of headwear can include:
• Type 1 - protection from impact and penetration at the crown (top) only
• Type 2 - protection from impact, penetration at the crown (top) and laterally (sides and back)

Each type is also available in the following classes:
• Class E (20 000 V electrical rating) - provides head protection against high voltage conductors
• Class G (2200 V electrical rating) - provides head protection against low voltage conductors (general trades)
• Class C (no electrical rating)

The right fit

Hard hats should be assembled and fit according to the manufacturer’s instructions. The hard hat is properly secured when the headband fits comfortably and is tightened so that it’s unlikely to fall off your head when you bend forward. Nor should the hat shift when you turn your head side to side. Secure any liners within the hat. Bandanas, welder’s caps, and other accessories should only be worn if they are approved by the manufacturer and do not affect the fit.

Cleaning and maintenance

Clean hard hats last longer and are more easily inspected for damage. Teach workers to avoid the use of abrasives or petroleum-based products as they will weaken the plastic. The best cleaning product is a mild soap and warm water. They should focus on the outer shell as well as the liner to remove any perspiration or oils.

When to replace

Inspect shells and suspensions daily before use. Look for cracks, dents, cuts or any other signs of damage and wear. Hard hats exposed to heat, sunlight, or chemicals may become chalky, dull, or less flexible. Instruct workers that if any of these signs appear, they must not use the hard hat and should replace it immediately. Headwear should also be replaced if it is struck by an object, even if there is no visible damage. Make it a part of your incident reporting procedure to follow up with the worker about replacement in these instances.

Check the manufacturer’s date codes on shells and suspensions to make sure they have not exceeded their maximum lifespan. For the shell, this length is generally five years, though it may be less with heavy use. Replace the suspension at least every 12 months.

Staying alert

Encourage your workers to inspect and care for their hard hats as part of your workplace’s daily routine. Include hard hat training as part of your onboarding and ongoing training processes, so all your workers know when it’s time to replace their hats. Plus, they can look out for their co-workers whose hats may be ready for replacement or aren’t being worn properly. Send regular, company-wide reminders about hard hat maintenance.

A hard hat can save your workers from serious injury if worn correctly and properly maintained, but it is most effective when combined with a comprehensive health and safety program, within a proactive culture of identifying and addressing potential hazards.

The Canadian Centre for Occupational Health and Safety (CCOHS) promotes the total well-being — physical, psychosocial, and mental health — of workers in Canada by providing information, advice, education, and management systems and solutions that support the prevention of injury and illness.

Ransomware on the rise

With attacks increasing in frequency and severity, experts offer advice for preparing a solid defence.

BY ALANNA FAIREY

Article originally published in Canadian Security magazine, used by permission.

To read entire article, go to plant.ca/features/ransomware-on-the-rise/

Ransomware attacks have been on the rise over the last several years, targeting businesses as well as critical infrastructure systems.

“Threat actors are attacking 24/7 –– this is a full-fledged business for them,” said Jason Conley, Digital Forensics Examiner, Envista Forensics Ltd. “If an organization doesn’t have, for example, two-factor authentication or other security controls, eventually [threat actors] are going to get in.”

Fabian Franco, Senior Manager of Digital Forensics and Incident Response (DFIR), Threat Hunting and SOC, OpenText, said that supply chain industries and corporations that have not invested a lot of money into their cybersecurity practice and infrastructure are starting to see that it’s like “shooting fish in a barrel” for threat actors to infiltrate.

“It’s easy pickings to go out there and find a vulnerability that may be exposed to the internet and for them to take advantage of it,” said Franco. “Part of that security posture is making sure you’re patching your systems.”

With ransomware attacks on the rise, there has been more of a concerted effort to take threats like this more seriously.

“We’ve been seeing a growing concern, which is actually surrounding what’s called the supply chain,” said Jaycee Roth, Associate Managing Director, Cyber Risk, Kroll. “The idea here is understanding and knowing how your network connects to or touches other organizations, and how that information is shared or protected with other organizations.”

The implications of a ransomware attack may extend beyond the immediately-affected targets.

“It goes beyond just that organization,” said Franco. “That’s where there needs to be that investment where a company may spend a couple $100,000 up front, instead of having to spend millions on the back end and affecting the entire community outside of their one little ecosystem.”

According to Conley, while IT teams may be excellent in their ability to fix or build technology, they may not be trained in cybersecurity, which is something businesses should consider investing more heavily in.

“Cybersecurity is a field unto itself, with various specialized training, and if an organization doesn’t invest in somebody like that inside their department, they need to retain somebody at least to come give them a health check,” said Conley. “It’s as damaging as a fire, and businesses need to treat it with that level of severity because I’ve seen ransomware remediation periods go from 14-21 days before businesses get back up and operational again.”

To pay or not to pay

A company’s decision to pay the ransomware demands is not a simple question, according to the experts. Calling it a “sensitive topic” amongst the U.S. government, Conley also notes that the RCMP has been vocal about deterring victims from paying the ransom.

However, he also says that “when it comes to a business decision, the CEOs are often looking at one, and I’ve seen some businesses where they would have been destroyed had they not purchased a decryption key. For others, it’s a matter of return on investment.”

Reiterating that paying the ransom is not a black and white question, Franco explains that there are a number of different reasons why a company may choose to pay a ransom and to look at the full scope of the situation.

Protect productivity through cybersecurity

Cyberattacks are anticipated to increase both in damage and volume across industrial critical infrastructure.

BY REHANA BEGG

Back in May, two cyberattacks caught global media attention: a brazen ransomware and extortion attack took down the biggest pipeline in the U.S. and a cyberattack forced the largest meat producer to shutter globally.

What stood out about these incidents was that they happened within days of each other, and, in each case, the knock-on effects rippled across global supply chains.

The first attack affected Colonial Pipeline, the largest pipeline system that can carry three million barrels of fuel per day between Texas and New York. The ransomware attack carried out by ransomware gang DarkSide was characterized as a digital extortion attempt and disrupted fuel supply to much of the U.S. East Coast for several days.

The attack affected only IT systems, including the billing system, but Colonial made the call to shut down its operations as a precautionary measure. All told, Colonial paid the $4.4 million ransom in exchange for restoring its billing system’s function, in spite of having backups. The damage had been done; the incident triggered a spike in gasoline prices and set off panic across North America.

The second was a cyberattack on JBS S.A., the largest meat processing company (by sales) in the world. The Brazilian company was forced to suspend U.S., Canadian and Australian computer systems. Its fed-beef and regional beef plants were shuttered, with all other meatpacking facilities experiencing some level of disruption to operations. JBS reported in a media statement that the company paid the equivalent of $11 million in ransom to Russian cybercriminal group REvil in response to the criminal hack. Meanwhile, shutdowns upended agricultural markets worldwide and raised concerns about food security.

From ransomware, phishing, data leakages, to hacking and insider threats, cybercrime is intensifying globally and can lead to catastrophic events. Locally, the numbers paint a sobering picture: The average total cost of a data breach for Canadian companies was US$4.50 million, according to a 2020 IBM report. It took an average of 212 days to detect a data breach in 2021 and 75 days to catch the attackers. In other words, 287 days would pass before the problem is addressed.

In the past 12 months, almost one in five (17 per cent) organizations have been the victim of a successful ransomware attack, according to the 2021 CIRA Cybersecurity Survey. Of that group, a majority (69 per cent) said their organization paid the ransom demands, while 59 per cent reported that data was exfiltrated.

As hackers increasingly target critical infrastructure, Canadian manufacturers need to prioritize cybersecurity to protect not only their own data but also their customers’ data across supply chains.

Industrial Critical Infrastructure

The Canadian landscape has seen a proliferation in both the amount of money sought and the number of ransomware attacks, said Cara Wolf, Founder and CEO of Calgary-based Ammolite Analytx, which builds customized next-generation AI-powered cybersecurity tools.

“We’ve seen a major increase in supply chain attacks, we’ve seen an increase in attacks on sensors, attacks on plants and industrial critical infrastructure,” said Wolf. “It is anticipated that we will continue to see the rise as nation-state sponsored attacks are funded by hostile nations, and state-sponsored attacks are financed by criminal gangs and hostile nations as well.”

As money continues to flow into this area, it becomes critically important to look at the manufacturing sector and industrial sector in particular, where people’s lives are the palpable vulnerability, said Wolf.

Consider a methane plant. “If the plant has automation [and sensor technologies] that show methane levels are safe and you have humans in that environment saying that methane levels are safe, when in fact the sensors can be hacked and tricked into giving false readings, people will get sick and die,” said Wolf. “Without automation that is secure by design, plants will face an uphill battle with cyber threats. There are trillions and trillions of sensors out there, and they come from all kinds of countries with all kinds of backgrounds and they could have spyware installed or they could have backdoors installed.”

Wolf further explained that threat actors can exploit vulnerable connected equipment by injecting malicious code that can sit atop communications that move back and forth between equipment in the field and headquarters. “Changing just one pixel can turn the output from one thing to another,” said Wolf. “AI can be tricked.”

The methane plant example is extreme, but it highlights specific cyber struggles that manufacturers face, and raises critical questions they should ask now: How do manufacturers know that their infrastructure is secure? How do they know that sensors embedded in their equipment don’t have spyware installed or backdoors to the plant’s network capabilities? How do they know that they can trust their hardware and software? How do they know that the equipment displays “honest” readings?

Since cyberthreats evolve constantly, there are no bulletproof solutions. New guidance and best practices unfold as consistently as new technologies – and cyberthreats – come online. What follows are a few sage takeaways and insights that, according to Wolf, will help blunt cyberattacks:

Build or buy local: Sourcing from countries that are known to have bad surveillance practices places manufacturers at risk, warned Wolf. Instead, she recommended Canadians buy locally whenever possible, or from countries that are allies, such as the U.S., U.K., Australia, New Zealand and Israel. Alternatively, Wolf suggested manufacturers look at an investment program to create and build their own tools.

“The cost of design and development has come way, way down, so take a look at that versus buying off the shelf, cheap from another country that may have spyware and surveillance tools installed in their technology,” she said.


Go beyond the traditional wheelhouse: The COVID-19 pandemic will go down as the top story of 2020, but will also be marked by residual effects. Among these ramifications is the “cyber pandemic,” which includes negative security impacts such as unemployment fraud and election security, as well as such trends as new work arrangements triggered by remote capabilities for nonessential workers and the process of automating routine tasks to free up time for work that adds more value.

A positive side effect from the onslaught of remote work was the push to ensure organizations remained secure. Manufacturers were incentivised to secure their networks, make sure that devices were secure and that employees were not downloading work to their personal devices.

“Unless workers are on a manufacturing floor or in a hospital or giving personal services where they need to be face-to-face, a digital worker can successfully work remotely,” said Wolf.

In addition, a great deal of security awareness training was needed to educate employees on how and when to detect phishing attacks, said Wolf.

“The pandemic brought security to the forefront where it should have always been, and it forced investment where it should have always happened,” she said.

Check your security posture: Invest in cybersecurity policies, cybersecurity awareness training and proper vendor tools, recommended Wolf. Having a good security posture requires manufacturers to know where they are, to ask what’s working or not working and where they need to go.

“COVID really pushed that forward and said, ‘It’s not a matter of if you’re going to be hacked, it’s a matter of when.’ We’ve seen 171 per cent increase in the amount of ransomware attacks… If we don’t mobilize and train and upskill, we’re just sitting ducks. Our manufacturing facilities can be putting lives at risk. It’s not just digital assets of our databases of personal and employee information but it’s actually the risk of securing physical assets in the field and abroad,” she said.

Separate security from the IT function: IT and security don’t belong together, so separate these functions, advised Wolf. In addition, security needs to have its own governance and its own authority.

“Whether you have it internally or externally, companies should hire third party experts; these experts are your trusted advisors. Bring them in to take a good, hard, objective look at your security program and to provide insights on your vulnerabilities and ways to mitigate risk,” she said.

Stop looking at security as a cost centre: Cyber insurance is a smart precaution. Cyber security will not pay out when proper investment and steps have not been taken in the first place, warned Wolf.

“Yes, it does cost money, yes manufacturers do need to invest, but they need to mitigate their risk and they need to balance that against the cost of lives, the cost of data breaches and the cost of the damage of a ransomware attack,” Wolf said. “And, further, if their supply chain becomes a victim of a supply chain attack, what kind of damage will it do to customers and their clients that are often larger enterprises? So, it’s about risk mitigation, more than cost.”

Hire a CISO: As cyberthreats become more sophisticated, having a CISO (chief information security officer) or CSO (chief security officer) in the C-suite is an emerging priority, noted Wolf. These roles report directly to the CEO, but have governing authority to keep the organization safe, are able to make change and give directions. In addition, having third party experts perform an external analysis will add another level of security.


Canada, which lags in terms of size and functionality in its digital landscape, has its share of cyber vulnerabilities. Recent data prepared by Statista showed that 23 per cent of Canadian organizations surveyed had experienced a cyberattack and that 31 per cent of Canadian organizations estimated a loss between US$1K to US$50K because of cyberattacks. Five per cent reported estimated losses between US$5 million and US$100 million.

Security Advice in a Nutshell

Wolf said an important first step is to get security awareness training. Then, bring in outside experts to develop a plan that will bring the plant up to standard and to help implement it. Finally, use the most efficient and effective tools available. Above all else, Wolf emphasized that plant managers should rest assured that it’s not their job – either as a plant manager, foreman, millwright or anyone working on the floor – to be the security expert.

“It’s their job to become security aware, to fall into compliance and to mitigate the risk in the job, but it’s not their job to become a security expert,” she said.

Rehana Begg is a Toronto-based freelance writer and editor. Reach her at rehanabegg@rogers.com.

Production in the GTA’s backyard

Windsor is known as an automotive production centre for Stellantis, with its proximity to the company’s Canadian home base, and North American HQ in Michigan. However, another plant, closer to the GTA, is home to production of Dodge Challenger, Dodge Charger and Chrysler 300.

BY MARIO CYWINSKI

In the GTA’s backyard is Brampton Assembly Plant and Brampton Satellite Stamping Plant, with 2.95 million square feet of floor space and 3,163 employees. The assembly plant was built in 1986 by American Motors Corporation and acquired by Chrysler Corporation the following year, while the stamping plant was opened in 1991.

Over the years, the plant has undergone many retools and been home to production for a variety of vehicles. Some of those have included: Chrysler Concord, LHS, and 300M; Dodge Intrepid and Magnum; and Eagle Vision.

Production of the current crop of vehicles at the plant began in 2004 (for 300), 2005 (for Charger), and 2009 (for Challenger). SRT models of the Charger and Challenger are also made at the plant (since 2011). Two of the world’s fastest and most powerful vehicles are made here: the Challenger SRT Hellcat (since 2014) and Challenger SRT Demon (since 2017). Both have over 700 horsepower and 650 foot/pounds of torque from a 6.2 litre supercharged HEMI V-8 engine.

On the other end of the Challenger’s range is the all-wheel-drive GT model, which is mated to a 3.6L V-6 motor (which Stellantis uses in different configurations on several products). It is good for 303 hp and 268 ft/lbs of torque. For the Canadian weather, this trim, with the AWD system, works best if you are looking to drive it in the winter.

Switching gears, the award-winning plant was given World Class Manufacturing (WCM) bronze plant status in 2015. The WCM methodology is one that puts focus on getting rid of waste, improving productivity, and increasing safety and quality, systematically.

“The key to successfully implementing WCM is the engagement of the workforce,” said Brian Harlow, Vice-President – Manufacturing, FCA North America, at the time. “By achieving bronze, the Brampton employees have demonstrated their commitment to making improvements in their operations, which translate into providing quality vehicles for our customers.”

Brampton Assembly was also the first Canadian automotive assembly plant to achieve ISO 50001: 2011 Energy Management standards certification and was given a Canadian Industry Program for Energy Conservation (CIPEC) Leadership Award in 2014.

Finally, the 230,000 sq/ft stamping plant is a look at the innovations that exist within plants, as it has automatic guided vehicles that move blanks to the presses, of which there are five automatic transfer presses (with 90 die sets), along one line. In all, 3,600 storage containers are available that are part of an automatic sheet metal storage and retrieval system.

While the industry is moving to smaller crossover utility vehicles, and electrification, Stellantis for now is continuing to build its muscle cars right here in Canada. The future may see the plant be retooled, but no firm announcements have been made.

Photo: Mario Cywinski

Mario Cywinski is the Editor of Plant magazine, Machinery and Equipment MRO magazine and Food and Beverage magazine, a member of the Automobile Journalists Association of Canada, and a judge for Canadian Truck King Challenge.

Watch out for curiosity that could destroy your business

As you have increased your digital presence, unfortunately, so has the criminal element wanting to invade and capture your digital data.

BY RICHARD KUNST

Cyber awareness is more important than ever. It truly is not a matter of “if” you will be breached, but rather “when”. As a result of COVID-19, most businesses have pivoted their digital presence or have created a digital presence, and ultimately increased their vulnerability and risk to be breached.

They are sophisticated

Destroy the myth that these cyber-hackers are sitting in some remote little isolated area and playing games. These are very sophisticated organizations with multiple employees armed with fancy cyber programs to attack the fortress surrounding your data protection, looking for any little crack of opportunity to invade and take control and exploit your data. Remember, these cyber-hackers are focused on making money, just like any other organization.

As manufacturing companies continue to evolve with Manufacturing 4.0 using blockchain, suddenly, your machines can become vulnerable and even your I.P.

They are already invading company HVAC systems, so if your machine programs are resident and linked through your data system, then you are vulnerable. Yes, people. We are living in the Wild West of the internet and you just cannot have enough eyes and ears to monitor every nuance.

They are sneaky

The most common invasion step is the use of phishing e-mails, and here is where curiosity can be very costly. You need to constantly remind your team not to open any suspicious e-mails or even links that appear to come from a trusted sender, because once you have clicked, there is no turning back; you are infected.

We are hearing of cases where cyber-hackers are copying a legit e-mail address and omitting a character, so as a recipient you may never suspect until it is too late. You may not be the intended target, but rather they will send this modified e-mail to one of your trusted e-mail connections requesting innocent information from them, and bang, they have been hacked, thanks to you. And once they find out, you can be sure the victim will be coming to you for recourse.

Many of the cyber-hackers are purchasing domain names similar to yours. You may own a .com or .ca, but they will purchase the .org or .net, as an example, to replicate you and your offerings, sucking in innocent victims, so always check.

protected, having done all of the necessary trainings and warnings. You even have partitioned your data within your server. Most likely you have modified your data back-up protocols of daily, weekly and monthly. It is important that you always have one form of data back-up disconnected from your system, but even this may not be enough.
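The lookalike senders described above, a trusted e-mail address with one character omitted or your own name registered under a different top-level domain, can be flagged automatically before anyone clicks. The following Python sketch is an added example, not part of the original article; the addresses, domains and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: addresses and domains the recipient already trusts.
TRUSTED_ADDRESSES = {"orders@northfield-tooling.example", "ap@example.com"}
TRUSTED_DOMAINS = {"northfield-tooling.example", "example.com"}


def is_one_deletion(candidate: str, original: str) -> bool:
    """True if candidate is original with exactly one character removed."""
    if len(candidate) != len(original) - 1:
        return False
    return any(original[:i] + original[i + 1:] == candidate
               for i in range(len(original)))


def split_domain(domain: str):
    """Split a domain on its last dot into (name, tld).

    Simplification: multi-label suffixes such as co.uk would need a
    public-suffix list to be split correctly.
    """
    name, _, tld = domain.rpartition(".")
    return name, tld


def classify_sender(from_header: str,
                    trusted_addresses=TRUSTED_ADDRESSES,
                    trusted_domains=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_value) for a From: header."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("unparseable", None)
    if addr in trusted_addresses:
        return ("trusted", addr)

    # Case 1: a trusted address copied with one character left out.
    for known in sorted(trusted_addresses):
        if is_one_deletion(addr, known):
            return ("omitted-character", known)

    domain = addr.rpartition("@")[2]
    if domain in trusted_domains:
        return ("known-domain", domain)

    name, tld = split_domain(domain)
    for known in sorted(trusted_domains):
        known_name, known_tld = split_domain(known)
        # Case 2: same name registered under another TLD (.org, .net, ...).
        if name == known_name and tld != known_tld:
            return ("sibling-tld", known)
        # Case 3: a trusted domain with one character left out.
        if is_one_deletion(domain, known):
            return ("omitted-character", known)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From: headers, one per case.
    samples = [
        "Dana <orders@northfield-tooling.example>",
        "Dana <orders@northfeld-tooling.example>",
        "Accounts Payable <ap@example.net>",
        "billing@northfield-toolin.example",
        "news@unrelated.example",
    ]
    for header in samples:
        print(f"{header!r:50} -> {classify_sender(header)}")
```

Messages classified as `omitted-character` or `sibling-tld` are the ones worth quarantining or tagging with a warning banner for the recipient.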

We are hearing about cyber-hackers installing time bombs into systems that only activate after a couple of months, effectively corrupting your entire data back-up protocols. Even having a random computer connected to your system that had been ignored after a breach can come back as a predator.

Once they get you, chances are they will be back

seconds at a specific site to seek vulnerabilities and opportunities to penetrate. If you are a larger organization, or an organization with a ton of valuable and saleable intellectual property, their team will spend a ton of time and resources to get inside. Why? They are a for-profit organization and they have determined that you can most likely pay the ransom and, in many cases, do not want to share with the world that you have been hacked.

But once you have been hacked and paid a ransom, there is absolutely no guarantee they will stop the demands. Most likely the invasions will continue and the ransom demands will escalate.

How to increase your defence

Step 1: Assess physical security and workplace habits

A single cursory site visit can reveal an astonishing amount about an organization’s cyber posture. Even without sitting down at a computer monitor, our team can evaluate a wide range of security factors and gauge many potential vulnerabilities, including:

Ease of access / quality of physical security: How easy is accessing common working areas and infrastructure? Are doors locked and functioning properly? Are employees consistently greeting, logging, and supervising guests or contractors while on-premises? Do team members frequently share swipe passes? Is tailgating a common practice?

Security education, awareness, and training (SEAT): Do employees consistently lock workstations when away from their desks? Do employees consistently share or discuss sensitive information in common areas? Are sensitive information and/or systems visible to visitors in common areas?

Network security and access: Is guest wireless access adequately firewalled and/or segmented from sensitive networks? Are there adequate restrictions and multifactor authentication requirements to access sensitive wired/wireless networks? How forthcoming are employees with passwords? Are employees accessing or disseminating information on unsecured guest networks (e.g., smartphones, tablets, etc.)?

Step 2: Test existing controls to understand efficacy and resilience

Leveraging both the information gathered in step one and the typical attack techniques used by cyber criminals, the team will then penetration test (i.e., attempt to breach) the organization’s information technology (IT) and operations technology (OT) systems. Some common areas we typically look to gain access to include:

Known vulnerabilities / patches: Have the organization and its employees been vigilant in updating software and firmware to take advantage of the latest security features? These so-called zero-day vulnerabilities are a common point of access for many breaches.

Build / hardening standards: Has the organization taken adequate steps to configure firewalls, servers, switches, and routers according to the most recent standards? Has it changed default passwords, adequately encrypted stored passwords, and sufficiently restricted access privileges? Are disused or outdated hardware and software still connected to the network?

Encryption standards: Does all information that flows in, out, and through the network meet industry encryption standards? Do any gaps and/or shortcuts in encryption allow malicious actors to harvest information or access the network?

Social engineering: How effective are team members at identifying and reporting malicious emails? How many (if any) log-in credentials were harvested from a simulated phishing attack? Are current education and warning measures adequate to prevent a social engineering breach?

Step 3: Map potential spread and infrastructure vulnerabilities

Properly segmented IT and OT systems are essential for slowing and ideally preventing a breach from spreading to other high-value systems. Once the team accesses the client’s network, they attempt to spread the simulated attack and compromise as many systems as possible. Organizations that work on the assumption that they will inevitably be the victim of an attack keep critical systems independent from one another to minimize the potential damage of a breach. This can also buy critical hours to action an incident response plan, contain the attack, and ultimately recover the systems.

Embrace cyber security and privacy as a core business objective

Today’s organizations are embracing more digital tools and collecting more sensitive data than ever before. At the same time, cyber criminals are continuing to evolve their tactics to take advantage of human and platform vulnerabilities, and global uncertainty in a changing world.

There is little that organizations can do to prevent becoming the target of an attack. But every organization can take meaningful steps to improve their preparedness and minimize the short- and long-term damage of a breach, including:

• Regularly assess key vulnerabilities and cyber risk exposures
• Ensure compliance with all industry and regulatory requirements is up-to-date
• Build cyber and privacy risk assessments into all strategic and tactical planning
• Provide frequent cyber security training for all employees
• Implement and update security and privacy governance programs
• Create and regularly practice an incident response plan

Ultimately, always check before you click. Curiosity may have killed the cat, but do not let your curiosity kill your business.

Richard Kunst is an author, speaker and seasoned lean practitioner based in Toronto, who leads a holistic practice to coach, mentor and provide management solutions to help companies implement or accelerate their excellence journeys. You can reach him at www.kunstsolutions.com.

‘Cyber-securing’ your plant

Checking in with industry experts for an overview of current risk level and best new technological approaches in cybersecurity.

BY TREENA HEIN

At this point, all manufacturers, small and large, should already be paying serious attention to cybersecurity.

Cyber-attacks on manufacturers have been numerous in the last few years and included companies from many sectors. A short sampling includes OXO International (kitchen tools), JBS (meat processing), Visser Precision (space and defense), Norsk Hydro (aluminum), Renault-Nissan (vehicles), Mondelez (food and beverage), and Merck (pharmaceuticals).

Manufacturing was not the primary focus of attackers in the beginning. Even two years ago, according to cybersecurity firm Bitlyft, the manufacturing sector was number eight in the top ten most-targeted sectors. Manufacturers were not top choice as they generally didn’t have many internet access points compared to companies in other sectors, such as banking. Therefore, they collectively didn’t take much action.

But because there was money to be had through ransomware attacks – and there still is – more manufacturers started being targeted around 2017. They were ripe for the picking, as explained in a recent Deloitte cybersecurity report, not least because the focus of manufacturing technology “has traditionally been on performance and safety, not security, leading to major security gaps in production systems.”

At the same time, Industry 4.0 had started to emerge, with explosive growth in the amount of internet connectivity in manufacturing plants. And then the pandemic hit. With some employees having to work remotely for at least a short period of time in 2020, a rush to increase automation to deal with absent workers and physical distancing, and other factors, the IT systems in plants were pushed to new limits.

All these elements have caused manufacturing to move sharply up in sector ranking for volume of cyber-attacks. Bitlyft now puts manufacturing in second place, behind finance/insurance.

Today’s reality, explains Michael Lester, Director of Cybersecurity Strategy, Governance and Architecture at Emerson Automation Solutions, is that “manufacturers are under pressure from their boards to ensure the right level of cybersecurity is achieved to protect their manufacturing environments and processes from the increasing level of cyberattacks we are experiencing globally.”

Attack overview

As Deloitte says, cyber-attacks are motivated by money, revenge and competitive advantage.

Attacks against manufacturers, as with any organization, can range from external email phishing and internal malicious employee attacks/leaks to external attacks that seek to sabotage equipment or access intellectual property. Ransomware (a type of malware) is probably the biggest threat, where access to a company’s IT system or data is denied until the company pays the ransom.

And although it’s hard to get data on dollar amounts involved in ransomware attacks as that is not always made public, it’s safe to say ransoms are large already and will only grow larger.

To bring their cybersecurity to the appropriate level, manufacturers first need to map their business and manufacturing systems. This, Lester explains, will help provide understanding and ownership of each process and achieve business continuity and resiliency objectives around cyberattacks.

A thorough threat analysis should also be conducted. It’s best practice to review the MITRE ATT&CK matrices, said Lester, “specifically the recently-developed MITRE ICS ATT&CK Matrix, which is based on a global knowledge base of adversary tactics and techniques used in real-world attacks.”

Securing automated plant systems

As part of their assessment of current security environment, manufacturers must understand that they’re at particular risk through their operational technology (OT) systems that run various automated processes. Many of these current systems are running with both outdated hardware and outdated software.

Indeed, because the manufacturing sector is seeing an increased volume of cyber-attacks, particularly involving malware and other increasingly-sophisticated threats, “we have seen a significant increase in attention on better securing OT environments,” said Paul Griswold, Cybersecurity Chief Product Officer, Honeywell.

Dr. Apala Ray, Global Cybersecurity Manager (process industries division), ABB and Bart de Wijs, Cybersecurity Lead, ABB note that because OT systems play an important role in companies’ digitization journeys, with hyper-automation occurring through the use of ‘smart’ systems, there’s a strong need “to secure manufacturing plants from OT-related threats. There are inherent challenges expected from OT systems during these smart/digitization transformation journeys, and organizations must address them carefully.”

They explain that historically, a plant’s legacy automation, protection and control systems were based on specialized equipment with little connectivity, where today’s systems “are distributed and highly interconnected, and they are also increasingly connected to ‘cloud’ platforms” as well. To secure a plant’s OT infrastructures, an analysis to gain total visibility is a crucial first step. Then, say Ray and de Wijs, basic security controls can be put in place (but also properly maintained and monitored).

Hold onto your hat, because the next bit is somewhat technical. As Ray and de Wijs explain, “with regards to increased connectivity and associated risks from that, we see an increase of use of security controls defined in security level SL3 and SL4 of standard IEC62443-4-2.” Lester agrees. “We will see continued increases of capabilities built into manufacturing systems and components that include a secure-by-design approach in alignment with industry standards such as the ISA/IEC 62443 family of standards,” he said, “to enable higher levels of cybersecurity and factory protection or compliance.”

This standard, developed by the ISA99 committee of the International Society of Automation (ISA) and adopted by the International Electrotechnical Commission, provides a flexible framework to address and mitigate current and future security vulnerabilities in industrial automation and control systems (IACSs). That is, the standard (also known as Security for Industrial Automation and Control Systems: Technical Security Requirements for IACS Components) addresses IACS components such as embedded devices, network components, host components and software applications.

Defence strategy

Once a manufacturer has worked with a reliable vendor to complete a threat analysis and assessment of its current cybersecurity environment, the next step is to develop an in-depth defence strategy. Lester says it must address weaknesses and mitigate risk in every operation that could be impacted by direct or indirect attacks and should also include a risk-based prioritization of any gaps.

Griswold explains further that a specific OT security assessment done by a reliable vendor will help identify gaps in security controls, missing patches and other security issues. “Based on the results of the assessment, remediation actions are implemented to provide a more secure baseline,” he said. “From here, advanced technologies – such as continuous asset discovery, threat monitoring and asset discovery – can then be implemented.”

The overall defence strategy should also include planning for worst-case scenarios. Lester explains that for a manufacturing plant, this means having a clear backup plan for the failure of computer systems, plus having hard copies of orders, labels and contacts. While this may not be possible in every scenario at all times, it may enable plants to fully or partially operate even in the event of a cyberattack.

Lester adds that once the defense-in-depth strategy is in place, “it should be tested and reviewed methodically, purposefully and regularly to ensure it is effective and does not jeopardize ongoing operations or introduce other risks.” Roles, responsibilities and employee training should be updated.

And although it sounds like something that’s a no-brainer and needs no mention, strict measures need to be in place to guide every employee who interacts with a computer. Each interaction is a potential risk, and every employee needs to follow strong, fundamental security practices in their daily work, for example when creating and storing passwords, storing information and sharing information, whether in the building or from a remote location.

Future direction

In terms of where cybersecurity is going, Lester believes that manufacturers are going to need to consider using multiple technologies (but also always focus on people and processes in addition to technology).

Looking forward, he also foresees that “manufacturing and industrial-specific technologies will include more secure communications and capabilities that are robust and meet the requirements and specifications with the devices and systems being used to maintain safety, control and monitoring. Some cybersecurity technologies are specifically designed for use in manufacturing and industrial environments like The Dragos Platform to achieve inventory, visibility, detection, and response capabilities in operations that engage both the OT and the IT functions in an organization. These should have priority when reviewing how to achieve higher levels of manufacturing and plant security.”

He adds that some existing technologies that are more prevalent in the Enterprise IT environments are also being used in manufacturing, but may have limitations or need to have significant configuration to work appropriately and prevent unintentional safety or control impact.

In the same vein, Griswold explains that securing OT requires purpose-built solutions, as IT tools are often not designed for effective and safe use in OT. “While most security tools and processes originated on the IT side of the house, IT/OT convergence is driving demands for integration between IT and OT security,” he said. “In the next three to five years, we expect to see the emergence of solutions that bridge the gap between IT and OT, contextualizing OT cybersecurity events in a manner that can be understood and responded to by IT cybersecurity personnel.”

He adds that “additionally, due to a severe shortage of OT-specific cybersecurity skills, we expect many companies to opt for managed security services to provide cybersecurity programs for their manufacturing environments.”

Treena Hein is a freelance business writer based in Pembroke, Ont. E-mail her at treenahein@outlook.com.