Was Stuxnet built to attack Iran's nuclear programme? Virus is part of cyberwar, admit officials.
The headlines have been full of it. But the real impact of the discovery of the Stuxnet computer virus in factory control systems is much worse than these conspiracy theory nightmares. Stuxnet, which has attacked Siemens Windows-based automation control systems, is costing manufacturing industry real money money lost in machine downtime, money lost in wasted materials, and money lost to paying overtime to the IT department.
Stuxnet may not as yet have brought any food processing plants to their knees Siemens reckons that only 15 of its control systems have been infected by Stuxnet worldwide. And in none of these cases has the infection caused an adverse impact, it says.
But the process of cleaning up your factory's automation and control systems once infected can close lines for hours, leaving customers frantic and leaving unused or partially processed ingredients to go off.
Five years ago 13 Daimler Chrysler car plants in the US were shut down by the Zotob computer worm, a forerunner of Stuxnet. It got into the company's industrial control systems via someone's infected laptop. And as it copied itself onto every control system in every plant, it overloaded the factory network, shutting down lines at an estimated cost of $14M.
The only difference between Zotob and Stuxnet is that Stuxnet is a more current version, says a David Robinson, UK and Ireland head of Norman Data Defense. "So potentially, Stuxnet is liable to have the same ramifications."
Stuxnet should be very worrying to food and beverage manufacturers, says Robinson, because for the first time a piece of malware has been identified that has specific actions that target a well-known industrial control system. It was first discovered in July, and was believed to have got into a manufacturer's Siemens WinCC control system via an operator's USB memory stick that was already infected.
Robinson says no one is quite sure what Stuxnet is trying to do. But there is talk about it being able to affect utilities electricity, water, nuclear. It could even be government sponsored, it has been said.
So although Stuxnet has not caused any damage yet, the alarm bells are ringing because it highlights the vulnerability of factory process control systems to lax IT security, says Robinson. "Most factories simply cross their fingers and hope that they don't get caught." Also, he says, there is a common misconception that if your supplier or customer is connected to your systems and they are using a firewall, then they are safe.
"Yes, they are safer from unauthorised access to the data, but it does nothing about the content of that data. So if you have Tesco dialling into to see what stocks you have on your shelves, and you are infected, then if Tesco pulls off some data, it can get infected too."
Robinson's advice is to make factory control system security a core company strategy. "In your office IT systems, for example, you wouldn't allow any of your employees to plug in their laptop or a USB stick if they didn't have security measures on them like patches or an anti-virus scanner." The same security concerns should be applied to factory control systems, he says. "Your factory systems are just as much at risk."
Simon Ellam, UK business manager for distributed control systems at Siemens in the UK agrees. "Siemens, like other industrial control systems manufacturers, has moved to Windows as the preferred software platform. Windows has been fantastic. It has brought down the cost of operating systems dramatically. But a hole in the Windows technology has allowed this virus to proliferate.
So Stuxnet may yet have a positive role by forcing food companies to drag their factory IT security practices into the 21st century. But what of the actual industrial control systems themselves? Which century are they in?
Ellam reckons that about 70% of the market in industrial process control at Siemens is in migrating legacy systems, in other words last century's systems. The idea is to enable old stand-alone systems to 'talk' to each other and to make shopfloor process data available in real time to the company's management control systems.
Ellam sees this as part of a growing trend among customers to take a more joined-up, 21st century approach to industrial control systems. The food industry, he says, is at last beginning to adopt factory communication standards such as Profibus and Ethernet that have been around in the car industry for years. His advice is: don't think manufacturer specific, think open standards and standardisation.
But Sean Robinson, global industry manager for food and beverage at GE Fanuc Intelligent Platforms in the US believes that the continuing rises in the cost of packaging materials and ingredients wheat, corn, protein, coffee, cocoa is forcing food companies to take a hard look at the cost of their manufacturing and the data they get from their control systems. "For years, the strategy-owners in most companies thought of manufacturing as that dirty black box out of which product came periodically. The factory was largely ignored as a place where the company should invest because for every £1 that you paid for a product on the retailer's shelf, 80p went on marketing and overhead. Maybe 20p was the actual cost of product manufacture. But with the recent rises in raw materials, suddenly that 20p, that 20% cost of manufacture, is worthy of attention.
"So we are seeing companies putting in more powerful control systems, tying them to more complex tracking and management and analysis systems in order to expose a richer set of data that more than one set of stakeholders can use. It is about leveraging information in the control and automation layer down at the machine so that it can serve multiple stakeholders," says Robinson.
"In the last two years we have spoken to 840 customers and a significant chunk of them have said things like: 'I came here from Ford; I came here from Land Rover; I came here from Toyota. My job is to take the continuous improvement tools and techniques that I used to apply in my old industry and figure out how they play in a cook, batch, fill, pack, ship model as opposed to an assemble and ship model'."
The food industry, says Robinson, has finally realised that it has to learn from other industries and use these kinds of tools and technology. "Now we just have to hope they don't put motor oil in the pancakes!"
Mark Daniels heads up architecture and software in the UK and Ireland for Rockwell Automation. He also sees food manufacturers beginning to take a hard look at their manufacturing costs, in particular the so-called standard operating costs such as water, air, gas, electricity, steam. "Rather than considering them as fixed costs within the business, they are starting to look at them as variable costs for the items they produce.
But to do that you have to have the right control system strategy in place and the software tools to turn machine data into actionable information, says Daniels. He says he knows of six or seven companies that are making pilot investments in Rockwell's control system technology to be able to see how efficiently their lines are running. "The idea behind it is to understand more about where those costs are and more importantly, where potential savings are in the infrastructure. This is not massive capital investment. We are talking about investments typically as small as £80-£100,000. And we are seeing pay-backs of 12 months in some areas."
But sometimes you can't always get a transducer, a control system, to measure exactly what you want, says Daniels. "But what you do know is that the best batch you made was when variables X, Y, and Z were certain values. So by building some optimisation tools into the control system, some fuzzy logic, you can capture a number of these inputs and use an expert algorithm to make guesstimates of what you are trying to measure."
This 'soft sensor' technology makes it much easier to run the process at the optimum values and make adjustments when it is out of control, says Daniels. "Soft sensor technology uses a number of different data points to produce a measured value which isn't actually real but which has meaning in the process. That enables you to get 'data' that you couldn't previously get to feed back into your process and improve things."
It is a new technology to the food industry, says Daniels, but one area where it is being used is in milk powder applications.
"You are drying the milk powder to a certain level you want to take out a certain amount of moisture," he says. "But you can't really measure how dry the milk powder is. However, what you can do is measure other variables in the process. If this sensor is X and that sensor is Y and that sensor is Z, then in theory the dryness of the milk powder should be about right. The soft sensor uses those variables.
"We are starting to embed that technology into the control system itself so that it is easier for customers to use it." FM
- GE Fanuc Intelligent Platforms - 01327 322561
- Norman Data Defense - 01908 847 413
- Rockwell Automation - 0870 242 5004
- Siemens Automation - 01276 696000