Managing Intellectual Property Risk with Outside Contractors

By Bill Lydon, Editor

Every time you contract a third-party service provider, you are putting your company’s intellectual property (IP) at risk. With the current cyber security landscape and the new range of services offered by vendors and system integrators, manufacturers are increasingly challenged to protect their IP. The risk of losing valuable information and intellectual property can potentially negatively impact sales and profits. 

The goal of any manufacturing company is to transform raw materials to finished products and deliver them to customers at a profit.  To accomplish this goal, manufacturers perform some generally known methods. However, the majority of manufacturers perform some unique methods, processes, and procedures that make them competitive in the marketplace. Competition, by definition, is a differential advantage. You are differentiated from competitors by your unique methods, processes, and procedures that have been developed and refined over a number of years. A large contributor to the company’s competitive advantage is unique trade secrets and methods programmed into automation controllers and systems.  

Trade secrets include formulas, algorithms, process, design, instrumentation, and methods that are generally not known or reasonably independently duplicated. Trade secret laws vary from country to country. In the United States, trade secret law is primarily handled at the state level under the Uniform Trade Secrets Act, which is adopted by most states.

The federal law - the Economic Espionage Act of 1996 - makes the theft or misappropriation of a trade secret a federal crime. The law contains two provisions: 1) criminalizing the theft of trade secrets to benefit foreign powers, and 2) theft for commercial or economic purposes. Contrary to patents, trade secrets are protected without registration and can be protected for an unlimited period of time. There are some important conditions for information to be considered a protected trade secret. While these conditions vary from country to country, these general standards exist:

• The information must be secret (i.e. it is not generally known among, or readily accessible to, circles that normally deal with the kind of information in question).
• It must have commercial value because it is a secret.
• It must have been subject to reasonable steps by the rightful holder of the information to keep it secret.

The last item requires active protection that is particularly important, and by failing to take steps to protect these items, you put trade secrets at risk. The most important task is to protect them. Many automation formulas, algorithms, processes, programs, instrumentation techniques, and methods are subtle and have been developed over a number of years. Guarding the knowledge and know-how that are programmed into automation and control is important to maintain legal standing and competiveness. 

The protection of unique manufacturing processes is many times taken for granted.

Cyber Security Services

Services are offered by vendors to help manufacturers manage cyber security. This poses an interesting dilemma. This service offering is attractive to manufacturers because it can be difficult for them to acquire and maintain the in-house expertise to properly deploy industrial automation cyber security. The dilemma is that working with outside contractors potentially increases cyber security risks. This risk has been cited as a major issue by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and others. The contractual terms and conditions that address cyber security are important when purchasing products and services. Qualifying vendors is also very important to ensure you are working with a professional organization. The United States General Services Administration (GSA) is working to improve acquisitions of cyber protected products and services. GSA has published a document titles, “Improving Cybersecurity and Resilience through Acquisition.”

I have asked major suppliers and insurance companies if they offer ways to provide service buyers with financial protection similar to construction project bonding, errors and omissions, business interruption insurance, etc. To date, the answer has been, “No.” Until there are clearer certifications or guarantees, the service buyer is solely responsible for cyber breaches and losses.

Systems Integrators

Systems integrators (SIs) are another source of potential loss of valuable intellectual property, knowledge, and knowhow. Many SIs specialize in particular industries, and they are likely working with competing manufacturers. Possibly the best way to protect from loss of formulas, algorithms, process, design, instrumentation, and methods is to partition work given to systems integrators so they are not working on the things unique to the competiveness of your company.

Remote Services

Technology enables the use of remote services to monitor machine health and access to remote experts to solve problems. While these services are valuable, they also increase the risk of intellectual property loss and cyber security breaches.

Solutions

A big positive change in the automation industry is the adoption of open standards, open communications, and commercial off-the-shelf (COTS) technology. The solutions for protecting your intellectual property are technical, contractual, and finding trusted vendors. My suggestion is to push your supplier hard on how they will guarantee and indemnify your operations when you engage their services.

Related Articles

• Outsourcing Automation Design & Engineering – Short-Sighted Strategy?
• Challenges of Automation Support Models & Managed Services
• Is the Automation Industry Enabling Cyber-Attacks?
• Industrial Cyber Security Compliance & Enforcement

Did you Enjoy this Article?

Check out our free e-newsletters
to read more great articles.

Subscribe Now