Increasing computerization of production methods and greater reliance on digital data systems have made cyber security a significant concern for manufacturers. How can businesses deal with the new wave of cyber threats?

Incorporating information technology (IT) systems and infrastructure into day-to-day operations allows manufacturers to access and distribute data more efficiently, helping them make sound business decisions and improve their companies’ competitiveness. However, the advantages conferred by networked data systems and information-sharing technology also increase the risk of data theft, hacking, virus infection and other cyber-security threats.

For this reason, companies are beefing up their digital defenses to protect themselves from the latest cyber hazards.

“In past years, plants haven’t worried about cyber security because they didn’t connect to the outside world,” Automation World acknowledges. “New data systems have changed that for most plants. [S]oftware and devices share data, and where data is shared, there is always the possibility of a breach.”

The complexity and variety of cyber-security threats can be daunting, particularly due to the rapid rate at which new risks develop as well as the increasingly sophisticated methods of cyber criminals. According to the recently released Cisco 2009 Mid-Year Security Report, cyber criminals “are aggressively collaborating, selling each other their wares and developing expertise in specific tactics and technologies. Specialization makes it tougher to shut down illegal activity, because there are many players in this ecosystem.”

Loss, theft or interception of sensitive business data are some of the largest cyber threats for commercial and industrial enterprises. A study from the Ponemon Institute found that the average cost of a data breach in 2008 was $202 per customer record. The information security firm also determined that breaches lost U.S. companies an average of $6.7 million and that the expense has continued to rise, by 38 percent between 2004 and 2008.

Among the major data-breach incidents recorded in its database, the Open Security Foundation reports that 48 percent derive from businesses. Sixty-five percent of security violations are perpetrated by external sources, while 30 percent come from within the company, either accidentally or maliciously.

How can manufacturers protect their businesses from the proliferation of cyber threats?

Although there is no single comprehensive defense strategy capable of shielding every type of company, Manufacturing Business Technology recommends taking a “defense-in-depth” approach for protecting industrial assets. This method entails both physical and electronic defense layers at separate manufacturing levels coupled with effective security policies designed to meet a variety of threats.

Security policy development requires a consistent plan involving “physical and electronic procedures that define and constrain behaviors by personnel and components within the manufacturing system,” but without introducing excessive restrictions. This can mean building a resilient network infrastructure to provide information to necessary sources while limiting widespread access, or evaluating the risk potential of how data is used and deployed within the company.

Management Business Technology also suggests “computer hardening,” which relies on IT best practices to shield computers from danger. The hardening process includes replacing direct Internet access with a “barrier zone” to secure shared data and service, enforcing tougher password and terminal access settings, uninstalling any components or protocols unnecessary for performing manufacturing tasks and implementing antivirus and antispyware programs.

Similarly, “controller hardening” may be used to better protect machinery and production equipment controls from tampering. This involves the use of authentication and authorization programs to verify a user’s identity, electronic safety features to prevent configuration changes and physically restricting access to sensitive devices.

Depending on a business’s size, however, some security measures may not be practical or even necessary. Microsoft’s Small Business Center offers the following tips for small-business owners to protect themselves from cyber threats:

• Set up your defenses;
• Stay abreast of the threat;
• Encrypt everything;
• Get help from your employees;
• Don’t store credit card numbers;
• Buy a shredder — and use it;
• Mind your mobile devices;
• Run your updates;
• Research your Internet service provider; and
• Know what to do when it happens.

In addition, the Better Business Bureau recommends that managers tell their employees the following:

• Not to open e-mail from unknown sources;
• What to do when they receive suspicious e-mail (when in doubt, delete!);
• To disconnect from the Internet when not online;
• To consider the risks of file-sharing;
• How to perform data back-up procedures; and
• Actions to take if their computers become infected.

Regardless of a company’s size or the scale of threats to which it may be exposed, implementing and maintaining a thorough cyber-security policy is a crucial step in succeeding in today’s increasingly online business community.

Resources

Cyber Security — A Must for the Smart Grid
by Rob Spiegel
Automation World, August 2009

Cisco 2009 Mid-Year Security Report
Cisco Systems, 2009

Fourth Annual US Cost of Data Breach Study
by Larry Ponemon
Ponemon Institute, January 2009

Data Loss Statistics
DataLossDB (Open Source Foundation), 2009

Remarks by the President on Securing Our Nation’s Cyber Infrastructure
The White House.gov, May 29, 2009

Securing U.S. Critical Infrastructure from Cyber Attacks
LogLogic, 2009

Cyber Security for Industrial Assets
by Gregory Wilcox and Dan Knight
Manufacturing Business Technology, Aug. 7, 2009

Keep Your Small Business Safe: 10 Tips
by Christopher Elliot
Microsoft Small Business Center, 2009

Information for Businesses in the Virtual World
Council of Better Business Bureau