MEP National Network™
In 2018, representatives of the MEP National Network™ interacted with more than 27,000 manufacturers across the U.S. and Puerto Rico. The two most immediate concerns heard from MEP clients were cash flow and workforce shortage. Sound familiar?
Establishing a robust cybersecurity program can protect your cash flow and workforce. According to NTT Security’s 2019 Global Threat Intelligence Report, manufacturing is among the top four industry sectors targeted for cyberattacks that result in financial loss (especially through fraudulent wire transfers, faked invoices, and ransomware payouts) and intellectual property compromise.
Denver-based Colorado Timberline, for example, abruptly closed its doors in September 2018 because it was “unable to overcome the most recent ransomware attack.” About 200 employees were suddenly out of work.
And digital attacks are becoming more physical. For example, malicious software like Triton targets production equipment by disabling controls designed to protect workers from bodily harm — and even death.
How can a manufacturer balance the need for skilled machine operators, whose contribution to production (and revenue) can be calculated readily, with the need for cybersecurity practitioners with an average salary of $107,000, according to ZipRecruiter? To meet the challenge of building out cybersecurity program staff in a reasonable way, justified by ROI calculation, look to your current workforce. Building a cybersecure workforce within the manufacturing sector is the twenty-first-century corollary to twentieth-century efforts to build an occupationally safe workforce.
What seems normal today with respect to worker safety was not normal 50 years ago. In 1969, only 2,929 of 75,000 manufacturing worksites (just 4%) had been inspected for safety programs with 34 complaints filed and two companies punished. Once the Occupational Safety and Health Administration (OSHA) was signed into law in 1970, more rigorous reporting showed about 14,000 workplace deaths in 1970; the rate of serious injuries was reported as 11 out of 100 workers. By 2016, those numbers had changed significantly: Workplace deaths in 2016 were reported as 5,190 (a 63% drop) and the rate of serious injuries was reported as 2.9 per 100 workers (a 74% drop).
The remarkable improvements in workplace safety were not realized solely by building a specialized workforce of “safety operators” dedicated to preventing accidents and injuries. Rather, entire organizations assumed responsibility for safe practices. Health and safety became a team effort — cyber risk management can be also.
Responsibility for cybersecurity should not be assigned to just one employee or a few select people within your organization, nor can it be transferred in toto to a managed services company. (Hint: Read the small print in that service provider contract.) Liability, should something go amiss and protected data be exposed, is not assumed by a provider. Similarly, organizations need to leverage their entire workforce as cybersecurity practitioners: Everyone can be — and should be — on the risk management, vulnerability assessment, and incident detection and identification team.
Although training and awareness play a key role in orienting workforce members to being cybersecurity-conscious, additional mechanisms like the following can help operationalize a reasonable and viable program.
Identify Security Priorities
Company leadership is necessary to identify acceptable organizational risk and guide decision-making about where to make investments in protecting cyber and other information assets.
For example, manufacturers that deliver products to more regulated industries (e.g., medical, military, aerospace) may also serve clients outside those categories. Clear guidelines about expectations are needed for specific products, projects or information assets (especially trade secrets, intellectual property, employee personal information and other proprietary information).
Likewise, employee policies, integrated into the onboarding process, should explain what acceptable use of corporate resources means — and reinforce those explanations by configuring systems to discourage risky practices. This may include requirements for multi-factor authentication, password strength (length, complexity, reuse, expiration date), remote management of mobile devices, anti-virus scans launched upon logging into network resources and firewall enforcement of blacklisted (or whitelisted) websites.
Define Organizational Boundaries
Intra- as well as inter-organizational boundaries should be clearly designated.
Corporate network design should support “least privilege” (i.e., staff can only see and have access to the information needed to fulfill job responsibilities) and isolate protected information using encryption or other barriers (e.g., restricted key distribution to locked “cyber in an office” location, biometric authentication techniques).
Physical access to protected areas — e.g., server rooms or testing areas — may be tracked (log in/log out) and limited to those who hold specified credentials.
Similar approaches should be applied to those outside the organization. Remote and on-site activities should be auditable at the individual person, machine or process level. Empower employees to feel comfortable about asking individuals from outside the company why they are requesting access to a system, document or location — and verifying the request.
Display “Acceptable Use” Reminders
Manufacturers with strong safety cultures use reminders generously. They post clear indications of where tools should be stored and where hazardous or otherwise protected materials are kept. Floors are clearly marked with bright tape or paint to show the safe distance from heat-generating or other potentially dangerous equipment. Safety glasses, closed- or steel-toe footwear and eyewash stations are just some of the ways in which acceptable use of equipment can be operationalized on a daily basis and “worst case” possibilities prevented — or at least mitigated.
In the cyber realm, once-a-year training sessions are not enough. As Wesley Simpson, COO of (ISC)², has observed: “Your people are your assets, and you need to invest in them continually. . . . If you don’t get your people patched continually, you’re always going to have vulnerabilities.”
And there’s the rub. Individuals can create attack opportunities through inattention, lack of awareness, eagerness to please and ill-will. But they can also be part of an early warning system, alerting others to changes in system performance, data or product inconsistency and suspicious or risky behavior.
Implement Fail-safe Protective Mechanisms
Safety is built into industrial machinery and product labeling conscientiously. The risk of personal injury is broadly acknowledged.
Similarly, information systems and components should be configured to prevent or mitigate vulnerabilities. Mechanisms include AV scans, unique identifiers, software updates and patches, file encryption, firewall or IDS/IPS tuning and system log collection and review. Companies can distribute encrypted flash drives for use and require the pre-registration of personal devices before accessing corporate resources.
Making Your Workforce the First Line of Defense Against Cyber Attacks
Industrial safety records over the past 50 years show the power of workforce engagement and leadership investment to improve workplace conditions and protect important business resources: people, equipment, information and assets. People looking out for one another and reporting potential risks before damage occurs can make the workforce the first line of defense against cyberattacks!
The model for how to leverage the existing manufacturing workforce to improve business resiliency and promote cybersecurity is clear; all we need to do is commit to implementing it. If you’re ready, connect with the cybersecurity experts at your local MEP Center.
Jennifer Kurtz is the Cyber Program Director at Manufacturer’s Edge, the MEP Center in Colorado, and a representative of the MEP National Network. Jennifer works with entrepreneurs in the manufacturing sector to build sustainable business practices and achieve compliance with information security standards.