Last month’s prize for the most clichéd phrases in the cement news nearly went to UK technology firm Hanhaa and its ‘internet of packaging.’ At first glance the phrase seems like a hackneyed marketing play on the ‘internet of things,’ where objects outside of normal computers start to get networked, allowing for ‘added value.’ Silly wording maybe, but the intent is serious. Tracking is a vital part of logistics for industries like cement. The investors in Hanhaa, BillerudKorsnäs, may be on to something. Indeed, in 10 years time we may be kicking ourselves that we didn’t see it.
One drawback with networking everything though is that all sorts of items start to become vulnerable to computer hacking. The famous industrial example in recent years was the so-called Stuxnet virus, an alleged attempt by US and Israeli intelligence services to physically damage parts of the Iranian nuclear industry. It was intended to damage centrifuges by looking for Programmable Logic Controllers (PLC) made by Siemens in very particular circumstances. A good overview on Stuxnet can be gained by watching Alex Gibney’s documentary ‘Zero Days.’
The problem for cement plants is that they also use PLCs for process control in common with other heavy industry. Effectively, whoever built Stuxnet has shown criminals how to attack any industrial plants that uses PLCs. Unsurprisingly, given the drip-drip of bad publicity, Siemens made a point of saying that it had gained a cybersecurity certification from TÜV SÜD, a German inspection and certification organisation, for some of its related products in late 2016.
Actual examples of cement plants being attacked are hard to find. Low-level cyber intrusions are likely to be treated akin to, say, individuals trespassing on a plant grounds and more serious incidents are probably kept quiet. ThyssenKrupp’s Industrial Solutions division, that builds cement plants amongst other things, reported that it had data stolen in an online attack from somewhere in Southeast Asia in 2016. Data espionage is one thing. Physical damage to an industrial plant is quite another. Previous to this, an unnamed German steel plant was reported to have been damaged by a systematically planned attack in 2014. Another way hackers can mess up your day is via extortion attempts or so-called ransonware attacks where systems are shut down until a ransom is paid. Recent examples of this in the wider public sphere include attempts to extort the San Francisco Municipal Railway in November 2016 and the St Louis Public Library system in January 2017. Despite shutting down their systems neither organisation paid up.
From our perspective, the Global Cement website runs using a common content management system (CMS) that runs on commonly used server software. Due to this we constantly receive low-level hacking and exploit attempts from automated scripts attempting to find weaknesses in the setup. New exploits are found, hacking attempts occur, software is updated and the cycle continues. However, the key difference between the Global Cement website and a cement producer is the turnover. A cement plant operates in millions or hundreds of millions. In this way, for hackers the return on investment of hacking an industrial plant is far higher. even if it is using limited-run proprietary software and equipment. And even if critical parts of a plant’s system are security hardened, hackers may be able to find a way in via less secure areas and then work their way across. Staff smartphones accessing a local wifi network, contractors using insecure USB drives, and hackers using social engineering techniques such as confidence tricks to gain system logins by phone are just some methods that could grant intruders digital access.
A report by Ponemon placed the average annualised cost of cyber crime to the industrial sector worldwide at US$8.05m. Although the authors point out sample size issues with their calculation, industry is the fifth most affected sector in terms of losses after finance, utilities, technology and services. Networking innovations in industry such as the ‘internet of packaging’ are potential game changers as added value from the network effect and suchlike becomes factored in. The risk though is that these kind of innovations also offer opportunities to criminals and anarchists. It’s likely only a matter of time until a serious hacking attack at a cement plant becomes public knowledge.
If any readers have anything to add to this topic please email us at This email address is being protected from spambots. You need JavaScript enabled to view it.
