Smart Industry

Protecting measurement integrity and process control from nation-state threats.

Author – Bill Moore, CEO and Founder, Xona

For decades, quality assurance in manufacturing was defined by precision, consistency, and adherence to standards. Whether in aerospace, medical devices, or automotive, the goal was to ensure every part met exacting tolerances and every process delivered repeatable results. In recent years, however, a new and largely unrecognized factor has emerged that can jeopardize those outcomes: cybersecurity.

Nation-state adversaries are increasingly targeting operational technology in manufacturing environments, and their objectives are not limited to halting production. In some cases, the intent is more subtle and potentially more damaging: corrupting quality data, altering inspection processes, or introducing variability that can escape detection until products are in the field. For industries where product quality is not just a matter of reputation but also of safety, this is a development that demands urgent attention.

Quality and Cybersecurity: Now Intertwined

Traditionally, quality professionals focused on metrology, process capability, and statistical process control. Cybersecurity was considered an IT matter, with little perceived connection to measurement accuracy or process reliability. That separation no longer exists.

Modern quality systems, from coordinate measuring machines (CMMs) to machine vision inspection lines, are connected to plant networks and often linked to cloud analytics or vendor support portals. This connectivity brings tremendous efficiency gains, but it also creates a pathway for malicious actors. If those systems are compromised, the integrity of measurements, inspection results, and even calibration settings can be at risk.

The stakes are higher than many currently realize. A single undetected parameter change in a calibration program can cascade into thousands of defective parts passing inspection. Conversely, manipulated data could trigger false rejects, leading to costly scrap, rework, and production delays. In either case, the quality function becomes the unwitting delivery mechanism for a cyber-induced manufacturing defect.

Why Manufacturing Quality Is a Target

Nation-state actors have strategic reasons for targeting manufacturing. Disrupting production in critical industries can undermine economic stability, create supply chain ripple effects, and erode trust in products. In sectors like aerospace or defense, even small deviations from specifications can have outsized consequences.

For example, altering inspection thresholds in a precision machining process might not stop or slow production, but it could degrade performance or safety over time. The change might not be visible to operators and engineers until failures occur in the field, far from the factory floor and after significant quantities have shipped.

The manufacturing sectors most attractive to adversaries, such as aerospace, fabricated metals, machinery, and medical devices, are also the ones where quality control is highly automated and data-driven. The more these processes rely on connected systems, the more cybersecurity must be a strategic priority.

Example Scenario 1: Compromised Calibration

Consider a plant producing high-precision turbine components. The CMM used for final inspection is maintained by a third-party vendor who periodically connects remotely to perform calibration updates. During one of these scheduled sessions, the vendor’s own laptop, which is used to access multiple customer sites, has been compromised without the vendor’s knowledge. Once connected, the attacker leverages that live session to move laterally into the CMM’s control system. Without triggering immediate alarms, they alter calibration settings by fractions of a millimeter and then withdraw undetected.

From that moment on, every measurement is subtly skewed. Parts that would have failed inspection are now accepted, shipped, and eventually installed in critical assemblies. The defect only surfaces months later when performance degradation or failure occurs in the field, at which point tracing the issue back to its root cause becomes costly and difficult.

Example Scenario 2: Manipulated SPC Data

In another case, a manufacturer of medical devices relies on a networked statistical process control (SPC) system to monitor tolerances in real time. Engineers use these metrics to adjust tooling before defects occur. A cyber intrusion modifies the SPC data feed, masking drift until it passes the acceptable range. Operators, seeing no alerts, continue production. The result is a batch of devices that appear to meet specifications but fail in clinical use.

These scenarios are hypothetical but based on real vulnerabilities observed in manufacturing environments. They illustrate that the line between a cyber incident and a quality failure is now razor thin.

How Connectivity Creates Quality Risks

The push to smart manufacturing has brought more integration between quality systems, production equipment, and enterprise networks. Machine vision systems share data with MES platforms. CMMs upload results to centralized databases. Cloud-based analytics support predictive maintenance and continuous improvement.

While these advances enable faster problem-solving and process optimization, they also expand the attack surface from a cybersecurity perspective. Many inspection and metrology devices were not designed with strong security controls. They may run on outdated operating systems, use default credentials, or lack encryption for data in transit. Remote access for maintenance, often via overly permissive VPN connections, adds another point of exposure, especially when access permissions are broad or poorly monitored.

Hybrid environments present particular challenges. On the same shop floor, it is common to find a state-of-the-art vision inspection system operating next to a decades-old standalone measurement device that was retrofitted with a network interface. Securing such a mix requires visibility, segmentation, and access controls tailored to the operational context.

The Shift Toward Treating Access as a Quality Control Point

A growing number of manufacturers are beginning to recognize that secure access is not just an IT responsibility; it is also a quality assurance imperative. The ability to verify who is connecting to inspection systems, under what conditions, and with what level of oversight is as important as calibrating the equipment itself.

This shift is driving several trends across the industry. Quality and cybersecurity teams are collaborating more closely to identify and mitigate weaknesses in inspection and measurement processes. Access controls are increasingly being integrated into quality management systems, ensuring that only authorized personnel can make changes to inspection parameters or calibration settings. Organizations are also adopting real-time monitoring, logging, and even recording for remote sessions involving quality equipment, which provides the traceability needed for compliance audits and effective root-cause analysis.
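As an added illustration (not part of the original article and not any vendor's product code), the sketch below shows one way to apply that traceability to the calibration scenario above: seal a known-good parameter set with an HMAC, then report any parameter that differs from it without a matching change record from a logged session. The parameter names, session fields, and key handling are assumptions made for the example.

```python
import hashlib, hmac, json

def seal(params, key):
    """HMAC-SHA256 tag over a canonical JSON encoding of the parameters."""
    blob = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def audit(baseline, tag, current, approved, key):
    """List parameters that differ from the sealed baseline without a
    matching approved change record (param name and new value)."""
    if not hmac.compare_digest(seal(baseline, key), tag):
        return [("BASELINE", "sealed baseline fails its integrity check")]
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if not any(c["param"] == name and c["new"] == new for c in approved):
            findings.append((name, f"{old} -> {new} with no approved change record"))
    return findings

# Constructed sample data; all names and values are hypothetical.
KEY = b"demo-key-kept-off-the-cmm-host"
BASELINE = {"probe_offset_x_mm": 0.0, "probe_offset_y_mm": 0.012, "probe_radius_mm": 1.5}
TAG = seal(BASELINE, KEY)
APPROVED = [{"session": "S-1042", "user": "vendor-tech", "param": "probe_radius_mm", "new": 1.498}]
CURRENT = {"probe_offset_x_mm": 0.004, "probe_offset_y_mm": 0.012, "probe_radius_mm": 1.498}

if __name__ == "__main__":
    for name, detail in audit(BASELINE, TAG, CURRENT, APPROVED, KEY):
        print(f"UNAPPROVED CHANGE {name}: {detail}")
```

The check is only as trustworthy as the key and baseline storage, so both belong on a system the inspection equipment and its remote-access path cannot write to.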

Why the Status Quo Is Not Sustainable

Leaving remote access unmanaged or overly permissive creates a hidden risk that can remain invisible until it becomes a quality issue. In an era where adversaries are patient and capable, relying on default settings, vendor-managed access without oversight, or outdated security models is no longer acceptable.

Regulatory requirements are also evolving. Standards such as ISO 9001, IATF 16949, and AS9100 have long required documented control over inspection and test equipment, including calibration, verification, and maintenance. These clauses ensure that measurements are valid, reliable, and traceable. What is beginning to change is the expectation that “control” also includes protecting these systems from cyber threats. Auditors and regulators are increasingly looking for evidence that inspection equipment and quality data are safeguarded not only from physical damage or misuse, but also from unauthorized digital access or tampering.

Looking Ahead: Future Pressures on Quality and Security

The next wave of quality technology, including AI-driven defect detection, IoT-enabled calibration devices, and fully autonomous inspection cells, will offer significant new capabilities. It will also introduce more potential pathways for compromise. As more quality data flows through interconnected systems, the opportunity for adversaries to manipulate, delay, or corrupt that information will grow.

In this environment, the traditional separation between quality control and cybersecurity will continue to erode. The quality function will be judged not only on its ability to ensure that products meet specifications, but also on its ability to prove that the data supporting those conclusions is accurate, unaltered, and trustworthy.

Conclusion: Quality Depends on Cybersecurity

The convergence of smart manufacturing and advanced quality systems has created powerful new capabilities for ensuring product excellence. It has also created a new set of risks that cannot be ignored. Protecting measurement integrity and process control from cyber threats, particularly those posed by well-resourced nation-state actors, is no longer optional.

In modern manufacturing, quality and security are inseparable. A strong quality program must now include strong cybersecurity for the systems that support it. The organizations that recognize this connection and act on it will be best positioned to deliver not only superior products and compliance, but also the resilience needed to thrive in an increasingly contested digital landscape.

Read the original article here: When Cybersecurity Becomes a Quality Issue