July 10, 2019
By Mark Sangster, vice president and industry security strategist, eSentire
Modern manufacturing faces a trinity of issues when it comes to cybersecurity. First is the merging of manufacturing IT and OT ecosystems and the adoption of new technologies. Second is the increasingly sophisticated cyber criminals who will exploit any vulnerability. Third is the resulting board and executive level of accountability when it comes to cyber risks. To succeed in today’s digital economy, manufacturing companies need to fully understand why and how each of these areas affect security.
Digital transformation and emerging technologies
As operational (OT) and information technology (IT) systems converge and blend into one ecosystem, the job of securing these systems typically sits in two different teams who aren’t used to talking to each other. This is a cultural barrier that must be overcome. Historically, manufacturers have interacted with not one technology team, but two. And these two teams aren’t aligned.
IT teams move at a fast pace to cope with evolving technology for their administrative networks. They regularly reconfigure and refresh equipment and software to cope with new business challenges. OT teams, on the other hand, think in much longer terms. They expect their technologies, like programmable logic controllers and distributed control systems, to be in place for many years. What’s more, IT and OT don’t speak the same language. The DevOps, agile sprints and canary software releases that come up in IT meetings are worlds away from plant-floor technology discussions.
And at the same time, manufacturing firms are adopting new technologies like cloud, machine learning and analytics, and IoT/IIoT, which all come with their own cyber risks. These technologies reduce errors, increase productivity, make better production projections and more. That leads to cost savings, increased profits and competitive advantage. However, they also eradicate the “air gap” that once kept OT systems off the internet and safe from attack.
This provides new opportunities for attackers. Cyber criminals are getting more brazen as they continue to adapt to new technologies and systems. They will prey on the areas they find most lucrative, which includes law firms, healthcare organizations and manufacturers. And in particular, smaller and medium-sized manufacturers typically make easier targets than larger organizations. That’s because they often don’t realize how valuable their data and intellectual property are.
Accountability remains a core issue
In a 2018 FutureWatch report conducted by eSentire, manufacturing firms self-ranked higher than financial institutions when it came to vulnerability to cyber attacks.
Manufacturers are starting to understand that cybersecurity is a board-level issue; they need to view it as an enterprise problem, not just a technology problem. OT risk and IT risk both jeopardize the business.
To overcome this enterprise problem, manufacturers need to create cybersecurity best practices and policies. This requires top-level coordination, which in turn requires cybersecurity to be a core strategic issue, with a chain of command and clear allocation of responsibilities. That means it must start at the board level.
Risk management is a key component of cybersecurity. Manufacturers will need both IT and OT’s help in identifying cybersecurity risks and prioritizing them based on likelihood and impact. Teams can weigh vulnerabilities based on their impact to those assets that are mission-critical to the company.
In addition to overseeing internal systems, manufacturers must extend risk management and cybersecurity protections to their supply chain partners’ security issues, too. To do this, they must identify the risk associated with the supply chain and contractually obligate those supply chain elements to specific security standards. A manufacturer should behave like a privacy regulator by establishing a cybersecurity trigger, so that when an event occurs, they must report it in a certain time frame.
Dotting cyber I’s and crossing cyber T’s
Attacks on manufacturing firms don’t show any signs of slowing down and, in fact, will likely increase. There are no magic bullets, but there are several key steps that firms can take to reduce risk and improve their ability to respond and recover:
- Identify and audit critical systems and data.
- Understand your obligations, including legal, regulatory and client.
- Establish cybersecurity policies, procedures and executive reporting mechanisms. This includes mobile and BYOD rules and controls to enforce strong passwords and limit access to corporate assets.
- Conduct an annual risk assessment and security readiness exam.
- Require encryption of stored data on mobile devices, laptops, servers and so on.
- Use VPN security to protect data and user credentials in motion through a virtual private network.
- Implement back-up systems and services. Establish an incident plan and practice fire drills to hone your program.
United you stand
With so many new technologies at its disposal, the manufacturing sector has an exciting future. Possibilities abound for new processes and products, greater efficiencies and higher revenues. But along with these opportunities come the risks of an expanded threat landscape and the need for a comprehensive cybersecurity strategy. This strategy must start at the board level and align OT and IT teams to create a united front.
About the author
Mark Sangster, vice president and industry security strategist at eSentire, is a cybersecurity evangelist who has spent significant time researching and speaking to peripheral factors influencing the way that organizations integrate cybersecurity into their day-to-day operations.