Ninety-two percent of manufacturers cited cyber security concerns this year. This represents a 44 percent increase compared to the first Manufacturing Risk Factor report in 2013.
Over the past decade, the adoption of the Internet of Things, the cloud and automation has made processes easier for manufacturers. The industry is now witnessing improved quality, increased efficiency and higher standards.
Unfortunately, though, this new technology opened up a whole new set of problems — by leaving manufacturing organizations increasingly vulnerable to cyber security threats.
Here’s what you need to know.
National Cyber Security Awareness Month
Every October, we celebrate National Cyber Security Awareness Month and the importance of staying safe online. Since its inception under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation. This year marks the 13th year of NCSAM.
Many federal agencies have come together to help raise awareness about cyber security. These groups engage with public and private sector partners through events and initiatives, providing them with tools and resources needed to stay safe online and increase the resiliency of the nation in the event of a cyber incident.
Cyber security: What manufacturers need to know
The U.S. Department of Homeland Security recently identified the manufacturing sector as the leading target of infrastructure cyber attacks. Here’s what manufacturers need to know to stay secure.
Internetworking: Proceed with caution.
Over the past decade, one of manufacturing’s biggest trends has been the adoption of the Internet of Things. Manufacturers are now the creators, users, servicers and installers of the IoT — but aren’t always cautious when internetworking (or the practice of connecting between networks).
“We deploy firewalls and encryption thinking that if they are enough to keep us safe on IT networks, they must be sufficient for our OT networks,” Andrew Ginter, vice president of industrial security at Waterfall Security Solutions, says. “The problem is that every message might be an attack, whether plain text or encrypted, and the consequences of attacks on manufacturing networks are unacceptable.”
One way to cautiously internetwork is by using unidirectional security gateway technology. These gateways permit information flow in one direction and physically block anything traveling in the other direction.
Identify data assets.
It may seem like a no-brainer, but many companies fail to identify their security secrets — and how can they protect something that they haven’t identified?
“Start with your most critical IP — the stuff you know hackers are after,” Salo Fajer, chief technology officer, Digital Guardian, says. “For example, manufacturers would do well to start protecting engineering and R&D documents such as design files.”
Once the data is identified, Fajer recommends labeling it as confidential to offer employees a visual cue to treat the document with care. Beyond that, manufacturing managers should also consider more sophisticated approaches — such as digital rights management, encryption and policy-driven data protection.
Consult third-party security.
In order to fully understand and prepare for cyber attacks, manufacturing managers have to think like a hacker. In doing so, they should consult a third-party penetration test organization. These experts are skilled in identifying security vulnerabilities, correcting identified issues and evaluating these changes.
When working with a penetration testing organization, manufacturing managers should consider the following types of penetration tests:
- Infrastructure security. The most classic form of penetration testing, this method checks the servers, routers and switches in a network infrastructure for a wide range of vulnerabilities that could compromise the security of a network.
- Wi-Fi security. Wi-Fi security assessments test for more than basic infiltration. They should also address the potential of unencrypted guests gaining the ability to intercept trusted traffic.
- Desktop security. While often overlooked, desktop programs (such as Adobe Reader, Microsoft Word and Java) are some of the most commonly attacked applications in the world. A comprehensive desktop check should scan all applications for malicious attachments.
Prepare employees for defense.
Non-technical hacks can also be a threat to a company. For example, an attacker may show up to an office posing as a friendly IT technician and gain access to private information. Employees — no matter if they fall into Gen X, Gen Y or Gen Z — are an important line of defense against cyber threats.
A successful training program requires support from the top. While it may seem like a hefty price, it is definitely worth it in the long run. In fact, increased investment in employee training can reduce the risk of a cyber attack by 45 to 70 percent.
Managers can administer an initial cyber-security test to understand employees’ knowledge level. To ensure effectiveness, they should then follow up with everyone on their results and work with their IT department (or an outside agency) to educate their employees on:
- Password best practices. Managers should encourage all employees to create diverse passwords and require them to change their passwords once per month. This will give an organization an added layer of security.
- Email behavior. Employees must understand that they should never open suspicious links from email, messages, blog posts or social media — even if they think they trust the source.
- A clean machine. Since outside programs can open security vulnerabilities on a network, every company should clearly define and enforce a policy for what employees can install and keep on their work computers.
- Staying aware. As part of this initiative, managers should be working to create an overall culture of cyber security safety. In doing so, they should make sure employees feel comfortable alerting the IT department if they notice anything suspicious.