Can we learn from a security culture of an earlier time?

It wasn’t many years ago that consumer products companies had incredibly effective security around their intellectual property (IP). Our digital age now poses an incredible threat to IP.

I often find it useful to reflect on circumstances from a historical perspective to provide context and a sort of benchmark for current issues. The value and control of IP is an issue that can benefit from some reflection as we deal with the new threats of cyber crime.

I started my CPG engineering career about the time that four-function calculators were becoming affordable. We didn’t have computers on the factory floor, but we did have a security culture. Our engineering documentation was kept in a bank vault in the plant’s engineering office, with our product documentation in a similar vault at headquarters. Both were backed up with microfilm stored in a cave in another part of the country. Only a few select people were allowed into that vault, and all copies leaving it were transferred from hand to hand between parties known to one another. The most confidential information (such as process flows that would today routinely be built into HMI screens) was available only over the signature of an executive, who would not approve that for everyone.

As a young engineer, I was told on multiple occasions that I was too young, too new, or too inexperienced to have this information. This was really about taking time (years) to build trust. If one was granted permission to take a truly confidential drawing, it was forbidden to make additional copies and the copy that you were entrusted with was tracked until being returned and destroyed. Periodic inquiries were made as to the document’s whereabouts.

Control rooms were also part of our security culture. They were off limits to outsiders, sometimes even to the outside engineers who built and supplied the equipment in them. In one, a complex teletype-like machine caused us lots of headaches. When the service technician arrived, he stayed in the lobby and the machine was taken to him. After some adjustments, it would be returned to use, and if not working correctly, the process repeated itself. Service techs were allowed into some parts of the plant, but never without a full-time escort. Pathways to and from the worksite were carefully planned and approved in advance, and sometimes it was necessary to erect temporary walls along the way. We reserved the right to inspect briefcases and toolboxes in and out, so no documentation was going to leave.

Compare this with today’s online P&IDs, formulations in PLCs, service techs walking in and out of plants with laptops and jump drives, employees taking confidential files home or accessing them from their home PC, and so on. Then, throw in the fact that hackers from any part of the world can breach our plant security perimeter without our even knowing it! In those bygone days, did we place too much value on our intellectual property, or do we today place too little on it? Has manufacturing become so simplified and commonplace that we no longer need to protect our designs, processes, and formulations? If we really think about it, I believe we will come to the conclusion that we need to protect our IP today as much as, if not more than, we did before the digital age. But it is hard work, and maybe it is just easier and cheaper to pretend that it doesn’t matter. It was easy for managers to control the flow of people in and out of a vault, but it is complicated for managers, who may not have any real technical training, to control the flow of data across their networks. The old adage goes that we manage what we understand.

I think we need a digital security culture that compares to our older security models. Can we do it?
