In my book, “Visual Thinking,” I discuss that the most important thing to protect from computer hackers is very expensive or difficult-to-replace major equipment. Some examples would be large pumps in municipal water systems, plant refrigeration systems, oil refineries, electric power equipment and boilers. Most hackers are motivated by money so in the past they have targeted their ransomware attacks at things like disrupting a company’s truck scheduling, freezing hospitals’ records, locking up the records of a city or blocking systems that enabled a company to conduct day-to-day business.
I’m concerned about future hacks aimed at deliberately damaging equipment. It is not “will” you get hacked; it is “when” you will get hacked. Many pieces of equipment in large meat plants are controlled by Programmable Logic Controllers (PLCs). The only way to make them hacker proof is total isolation from the internet. There are some situations when the PLC may need a diagnostic hookup to the internet. That should only be done with a cable that is immediately disconnected after the diagnostic procedure is completed. There must be no Wi-Fi or cell phone access to PLCs.
Old-school defense
Electro-mechanical shut-off devices are hacker proof because they are not electronic. If a critical piece of equipment gets too hot, turns too fast, or rises to a dangerously high pressure, it will automatically be turned off and disconnected from electric power. A device based on a thermometer, an rpm meter or a pressure gauge will shut down the equipment before it is severely damaged. No matter what the hacker tells the computer system to do, your vital piece of equipment will be protected. Companies that have been hacked have indicated that they never thought about the possibility of hackers attacking equipment.
Plant engineers need to look at all their mechanical equipment that have computerized controls. They should think about what would happen if somebody tried to command this equipment to run in a manner that would be either hazardous or cause severe damage. Simple mechanical controls that are hacker proof could prevent this. For example, to prevent excessive amounts of chemicals from being dropped into the water supply, a small valve could be used that would limit the maximum flow. Everybody learned from COVID-19 that supply chains are fragile. Equipment, such as a large pump, is very expensive to replace. An even bigger problem is that it may have a six-month or longer delivery time.
Managers need to be on the lookout for unauthorized hookups of computers to systems that control industrial equipment. Recently I visited a factory and saw a computer perched on a chair out in the factory. I asked why it was there, and I was told that they added the computer to control a piece of equipment that could not be controlled from the control room. It was a standard computer that would have a built-in Wi-Fi system. I asked if the Wi-Fi was turned off. Nobody knew. Its Wi-Fi capability should have been destroyed. Vital equipment must be protected so that a hacker cannot command a piece of equipment to damage itself. It is time for managers to make certain that major equipment is protected from hackers. It is only a matter of time – you will be hacked.