Posted In: Business Transactions & Corporate Counseling, Cybersecurity & Data Privacy & Cybersecurity & Data Privacy
Corporate TIPS: Manufacturing Automation Through IoT - Striking a Balance Between Productivity and Vulnerability
on February 5, 2020
Manufacturing companies have a substantial opportunity to both monitor and automate numerous intricate manufacturing processes within their plant facilities. Unlike technology of the past, industrial internet of things (IoT) technology provides complex information to plant managers regarding plant productivity, supply chain efficiency and delivery logistics. Industrial IoT involves networks of devices linked together to analyze collected data to streamline and optimize business processes. IoT is being implemented in many different industries, including, manufacturing plants, healthcare facilities, power suppliers and transportation providers.
In the past, these devices and equipment ran independently of each other. Machines did not connect into the company’s main network and operated in a vacuum. On an industrial IoT network, devices that previously ran independent of each other and the company’s network may now be linked together and ultimately joined with the rest of the business’ main network infrastructure. Data ﬂows from machines on the plant ﬂoor to the company’s systems (including Cloud-based systems, SaaS systems and onsite servers), and subsequent information exchanges may occur between many different members in a supply chain. While this type of structure has obvious practical benefits, the link to the company’s broader network creates an easier target for hackers to infiltrate a company’s core data. Now, the increased connectivity of a company’s machinery and equipment could have devastating consequences in the event of a cyberattack. Each connected point, if breached, opens a backdoor into a company’s other systems. Any device connected to a computer network represents a potential vulnerability.
States are currently grappling with the impact of IoT on privacy and cybersecurity legislation. Two states, California and Oregon, recently passed laws that went into effect January 1, 2020 attempting to address the need to protect privacy in light of the huge number of IoT devices now in use around the country.
For example, California SB 327 requires manufacturers of devices “capable of connecting to the internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address” sold in the state to include “a reasonable security feature or features.” A “manufacturer” is defined as “the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.” It is important to note that this definition includes not only manufacturing companies, but also any company that “contract[s] with” another to manufacture devices for them. Connected devices can include anything from plant floor equipment to appliances, video game consoles, smart phones, thermostats and speakers.
Reasonable security features must protect the device from “unauthorized access, destruction, use, modification, or disclosure.” Such features are defined as those: (a) appropriate to the nature and function of the device; (b) appropriate to the information the device may collect, contain, or transmit; and (c) designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure. The law further states it shall be deemed a “reasonable security feature” if either of the following requirements are met: “(1) [t]he preprogrammed password is unique to each device manufactured; or
(2) [t]he device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.” Therefore, IoT devices will presumably be less susceptible to hacking or attack, because the universal manufacturer’s default password will no longer work to operate the device.
Oregon’s Bill 2395 also went into effect on January 1, 2020, with language similar to that of the California legislation stating that IoT protections should defend against “unauthorized access, destruction, use, modification or disclosure” of information. Oregon’s law is, however, more limited than California’s in that it applies only to devices that are “used primarily for personal, family, or household purposes.”
Other states, Congress, and federal agencies are actively contemplating security regulation for IoT devices. Notably, bipartisan legislation introduced in the U.S. House and Senate (IoT Cybersecurity Improvement Act of 2019) would require manufacturers who sell IoT devices to the government to adhere to certain cybersecurity standards. The current bill requires the National Institute of Standards and Technology (NIST) to make recommendations regarding the baseline for future federal IoT purchases.
How Brouse Can Help
Just as the IT department at your company provides knowledge on the vulnerability of your network and servers, and your insurance broker can provide you with advice on obtaining cybersecurity insurance to mitigate potential losses, Brouse McDowell’s cybersecurity attorneys contribute invaluable expertise on the legal responsibilities a company has to secure data in its possession and control, and its obligations when a breach regarding that data occurs. Our attorneys can review cybersecurity policies that you may already have in place and determine whether there is a gap between those policies and our recommended best practices. We can also help you assemble an incident-response plan that encompasses foreseeable data-security issues and details regarding how to respond to them. Contact us for more information.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.