On The Floor: Let’s Talk Security — Everybody Else Is

Circuit board with a bank vault door on it tht is slightly ajar

By Jane Alexander, Managing Editor

The topic is a hot one. Reports of cyber threats and actual attacks across various business sectors fill the 24-hr. news cycle, day in and day out. The potential impact on industrial operations is well known—and frightening. But how deep into the issue are those in the maintenance and reliability (M&R) trenches? Do you and your teams play a role in combating such threats? For a reality check of sorts, we asked our Maintenance Technology reader panelists the following questions:

1. How issues of cyber security or threats of cyber attack are approached within their operations (or if consultants or suppliers, those of their clients/customers), and, among other things, how policies and procedures are communicated and enforced.
2. How their sites’ M&R personnel/departments/functions (or those of their clients/customers) figured into or supported the operation’s cyber-warfare policies and efforts, and if they weren’t why not.
3. Had their sites (or those of clients/customers) received specific cyber threats or experienced actual cyber attacks and, if so, what steps were taken in the aftermath.

Edited here for brevity and clarity,  the answers we received were eye opening. While most of this month’s respondents don’t appear to be intimately involved with matters of cyber security, the varying levels of site/company interest and preparedness they cite is somewhat surprising.

Industry Consultant, Northeast…
From what I’ve seen most of the reactions have ranged from absolutely ignoring the potential [of cyber attacks] to a moderate increase in attention to the possibility. But one company I’m aware of has been hyper about it [cyber security] for as long as I’ve known them. I don’t believe the majority [of companies] think anything will ever happen to them. I’m not sure which approach will be more effective in the long run.

Plant Engineer, Institutional Facilities, Midwest…
Our computer techs take care of this [cyber security] and only allow certain types of emails to be received. If we find any emails that were let through, and we aren’t sure if they are spam/viruses, we’re to delete them. Another thing: We can’t add any upgrades and things like that since we can’t log in. To add anything new, one of our [computer] techs has to do it for us.

Industry Consultant, North America…
My company provides M&RE [maintenance and reliability engineering] services for a government agency, and we are constantly reminded of the threat of a cyber attack. There is a very strong IT [information technology] group in place [at the agency] to combat the threat, and the training has changed over time to address current issues. M&R [through our services] doesn’t provide support to the effort, as it is 100% driven by the customer. My company simply tracks compliance with training requirements.

Across the [client] agency, there have been several attacks, some successful, most not. Every time there is an incident, it is published to reinforce the fact that we need to be vigilant.

Maintenance Leader, Discrete Manufacturing, Midwest…
I’m not really sure what type of security our company has. I am sure it goes beyond our IT [information technology] people, though. I do know that I have seen announcements about using the [name of and references to the] company on social media sites. Regarding this, there is language in our contract about social media: mainly what’s acceptable and what’s not.

Engineer, Process Manufacturing, South…
[Cyber security is] taken very seriously [with] password changes almost once a quarter on all programs, and dual verifications [required] on most. All of this [increased level of security] has been added in the past five years. The only M&R [maintenance and reliability department] involvement is on the hardware side.

There has not been a specific threat [at my plant] that I am aware of.

Maintenance Supervisor, Process Industries, Canada…
Our system is remotely controlled. It [cyber security] is taken seriously, and we do have restrictions on what we can access on the Web. This is an ongoing topic that gets more detailed as we move forward. The M&R department maintains the network, but any policies or software are done at the corporate level without much input from us.

As far as I am aware, we have not had any threats.

Sr. Maintenance Engineer, Process Industries, Midwest…
At my company, we have a centralized corporate IT [information technology] department that develops and maintains cyber security protocol and hardware. All of our operating facilities operate under the same set of rules and regulations (the “plan”), and have the same security measures in place. Even if the “plan” isn’t perfect, we know that all of the sites are covered the same. Typically, the maintenance team is not involved in developing or maintaining the “plan” beyond being a point of contact for the local IT service technician (employed by us) when they are onsite to install, repair, or implement the “plan.” It [cyber security] is taken very seriously, and [our organization] is constantly adapting to new developments and potential threats. Mass changes can be—and are—deployed to all sites at once to lessen gaps in security.

M&R Team Member, Process Industries, North America…
The IT department is a group that meets to discuss upgrades to the systems and new technologies out there. As for specifics, I’m just not in that loop. My perception from talking to the IT guys is that we are corporately managing all of our mill sites with the right people and processes. Policy changes are communicated on a corporate-wide basis, and sign-off sheets are usually required to be filled out and returned to HR [the human-resource department] for confirmation that the policy changes have been read. The M&R department is not directly responsible for the cyber warfare policies [in our company]. That’s left to IT, as it is most capable of handling this aspect.

Our site(s) have not, to my knowledge, received any specific cyber threats.

Maintenance Engineer, Discrete Manufacturing, Midwest…
Our corporate IT [information technology] department gives reminders and alerts regarding cyber security or software threats to the network. They also are responsible for the continued upkeep of anti-virus software or software-specific upgrades. Our company [also] has control of the M&R personnel’s computers and limits who and what can be installed as far as programs, software, and data stored on M&R department computers.

So far, no perceived or actual cyber-security issues have been found at our facility by the site or corporate IT department.

Engineering Group Leader, Process Industries, Midwest…
We are not concerned with cyber security at this time. MT

About the MT Reader Panel

The Maintenance Technology Reader Panel includes approximately 100 working industrial-maintenance practitioners and consultants who have volunteered to answer monthly questions prepared by our editorial staff. Panelist identities are not revealed and their responses are not necessarily projectable. Note that our panel welcomes new members. To be considered, email your name and contact information to jalexander@maintenancetechnology.com with “Reader Panel” in the subject line. All panelists are automatically included in an annual cash-prize drawing after one year of active participation.