The war in Ukraine has sparked new debates about the cyber security of America’s industrial base. Few people are more qualified to weigh in on the subject than Josh Steinman, Senior Cyber Policymaker under the Trump administration and now head of Galvanick, a startup revolutionizing the security of industrial control systems. This topic is highly relevant to our clients and us at Pivot International. As a global manufacturer, product development, and supply chain firm with extensive investment in the latest digital technologies, we are committed to delivering the highest possible levels of data security for our clients. We do this with a business model built on integrative coordination and oversight, which ensures seamless alignment across our tri-continental facilities.
In this piece, we’ll provide an executive summary of some of Steinman’s latest thinking to help American companies in the industrial sector better grasp the evolving cybersecurity landscape and what it may mean for their businesses and the broader industrial base.
Hollywood vs. Reality
When discussing cybersecurity, it’s important to separate the Hollywood version of cyber attacks from real life. Prior to the war in Ukraine, many people had movie-like conceptions of what a cyber attack would look like, picturing DEFCON 1 scenarios like a total blackout of the nation’s power grids and missile defense system. But in reality, cyber warfare looks much more like the cyber attacks currently bombarding Ukraine’s industrial infrastructure. It’s worth noting that long before the armed conflict, Russia had been attacking Ukrainian power grids for years. In 2015, a hit on these grids that Wired magazine called “cunning and unprecedented” was unsuccessful since the majority of Ukrainian grids remained analog and relied on manual operation. Ukraine has since digitized many more of its grids, increasing its vulnerability to successful attacks.
The Risk-to-Benefit Costs of Digitization are Concerningly Unclear
Over the last three decades, many public and private US entities invested extensively in digitization. (Converting previously manual processes to digitally automated ones.) As it pertains to America’s fully digitized power grids, Steinman opines that government officials, policymakers, private enterprises, and everyday citizens must sufficiently wrestle with the serious risks accompanying full-scale digitization. Steinman asserts that our thinking has been clouded by models such as McKinsey’s 5 nines of uptime optimization culture. (“5 nines uptime” refers to the practice of keeping a system fully operational 99.999% of the time — an average of fewer than 6 minutes of downtime per year.) These models, Steinman says, fuel economic growth in the short term but — in the bigger picture — leave the US alarmingly exposed by trading predictable downtimes for unpredictable downtimes.
Steinman contends that by looking at digitization from an overly narrow perspective that is more concerned with short-term ROI than long-term hazards, we are laying the groundwork for Black Swan events that can have catastrophic effects on industrial assets and the broader society. Scenarios of this type are not without precedent. Globalization is a prime example of how the decisions driven by financialization and financial optimization have had strategic, long-term impacts on US populations, destroying once prosperous cities and bifurcating the middle class. But unlike traditional outsourcing, the quest for full-scale digitization poses more serious risks than any seen before.
Effective Policy Changes are Unlikely
The efforts of leaders who are cognizant of the security risks of digitization and seek to lead policy changes that better protect America’s industrial base are largely unsuccessful. This is due partly to the financial incentives discussed above. Still, Steinman says the more significant challenge is that we are trying to solve digital-age challenges using industrial-era structures that characterize the workings of Washington. In other words, while government agencies are well-equipped to solve what the managerial literature refers to as technical challenges, they are structurally incapable of successfully tackling higher-order adaptive challenges for which technical solutions are no match. (Cyber challenges fall into the latter category.)
Defending America’s Industrial Base
Given the long view, cyber security is barely out of its infancy. To date, no umbrella technology has pulled together disparate data streams of industrial infrastructure and then correlated them to identify suspicious cyber activity. Instead, most of the great cyber security companies that already exist deal only with single data streams. For example, these companies can alert clients about a firewall hit by an IP address previously associated with a Russian GRU. But what they can’t do is register a threat of this type and triangulate it with activity in a company’s work orders, change management system, and actual endpoints. If there were, companies and other entities could immediately recognize suspicious activity and better mobilize to protect industrial infrastructures. Steinman believes that multi-data stream monitoring and analytics represent the future of cyber security. This, he says, is America’s best defense for protecting its industrial base, and it’s where he’s putting all his energy.
How Companies in the Industrial Sector Can Protect Themselves
While Steinman plans to lead the charge toward protecting America’s industrial base from cyber-attacks, manufacturers need to redouble their efforts to defend themselves using these four data security best practices:
- Be wary of phishing — bad actors’ preferred form of cyber attack. This means looking for emails or popups requesting credit card numbers or security credentials. (Use apps to protect yourself since they are far less vulnerable to compromise.)
- Align users, tech stacks, and facilities under integrative IT infrastructure.
- Ensure the policy measure are uniformly enforced. Integrative IT will only matter if policy measures fall through the cracks.
- Judiciously invest in digital transformation with a focus on cloud-native proxy-based architecture. Inspect every user across all traffic to reduce threats in SSL traffic. Quarantine suspicious activity to prevent malware installation and store it for further analysis.
Looking for Trusted Manufacturing Partner?
With over 50 years of proven experience, and 320,000 square feet of scalable manufacturing capability across three continents (including three domestic options in the American Midwest), we are a trusted production partner to companies worldwide. If you’d like to learn more about our services, how we protect your data, and how we can help you launch a successful product, contact us today!