Even Small Manufacturers Need Robust Cybersecurity
December 9, 2013
Once upon a time, manufacturers didn’t worry very much about the security of their machinery and processes beyond simply locking the doors. Today, of course, more and more equipment is networked to enable information sharing. While this offers benefits, it also leaves industrial machinery and systems vulnerable to cyberthreats such as viruses, malware, hackers, data theft, industrial espionage, and even malicious and remote manipulation of machinery designed to cause overheating, malfunction, and potential explosions.
Many manufacturers assume that criminals will pass them by since they are relatively “small fry.” This is not the case: As more attractive targets beef up their cybersecurity, hackers are on the lookout for smaller, less protected targets. There are steps manufacturers can take, however, to reduce cyberthreats.
Upgrade your legacy systems. No, it’s not going to be cheap. But many companies’ legacy systems simply don’t have robust enough security capabilities to defend against modern-day threats. This is particularly critical if legacy systems are connected to the network.
Buy from licensed dealers. It’s a little-known problem today, but many companies have been duped into purchasing counterfeit machinery, which is an easy target for cyberattacks (and may even have malware built in before installation, ready for a planned attack).
Conduct a network security risk assessment. This process will include identifying all company assets, determining their vulnerabilities, and creating risk-mitigation processes to protect them.
Use network segmentation. This is a way to ensure that if one element of operations is breached, it can be isolated and the damage minimized. Network segmentation refers to dividing a network into smaller segments, sometimes called “sub networks.” Through diligent administration and customizable permissions, companies can ensure that employees and others with access to the networks can reach only the areas they need to.
Validate through Internet Protocol security (IPsec). This protocol suite is often considered a security best practice, for good reason. It authenticates and encrypts each Internet Protocol (IP) “packet” to ensure that data traffic over virtual private networks (VPNs) between hosts, such as computer users and servers, and security gateways, such as firewalls and routers, belongs there.
Beef up on-site security. While many companies gird their IT systems or their industrial control systems against cyberattacks, they fail to realize that a lot of damage can be done by a single disgruntled employee or someone posing as a legitimate visitor. It’s critical to lock doors, install cameras, issue swipe-passes, use photo IDs, and even conduct background checks on employees who will have any access at all to manufacturing facilities, IT systems, or industrial control systems.
Educate employees. This is a common scenario: An employee receives an official-sounding phone call from someone purporting to be an equipment supplier or a licensed dealer. The caller asks the employee to provide an IP address or read off a model number or serial number. Wanting to be helpful, the employee does so, inadvertently offering thieves some of the information they need to mount an attack. Employees should understand that phone calls and e-mails from anyone seeking information about the company’s IT systems, equipment, or industrial control systems should never be taken at face value. They should refer inquiries to someone who is designated to be a clearinghouse for such requests.
Consider a third-party audit. While your IT department may be smart, its members are probably not all experts in industrial control system security. A once-a-year audit by professionals can help a manufacturer ensure the integrity of its cybersecurity processes and practices. This step is particularly critical when manufacturing systems can be controlled by mobile devices, such as smartphones and tablet computers, which are prone to getting lost or stolen.
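The network segmentation step above, as an added example that is not part of the original article: a default-deny policy check in Python that maps addresses to segments and flags traffic crossing segments without an explicit rule. The subnets, segment names, ports, and flow records are all constructed for illustration.

```python
import ipaddress

# Constructed segments and policy for illustration (hypothetical addresses and names).
SEGMENTS = {
    "office":      ipaddress.ip_network("10.10.0.0/24"),
    "engineering": ipaddress.ip_network("10.20.0.0/24"),
    "plant_floor": ipaddress.ip_network("10.30.0.0/24"),
}
# (source segment, destination segment) -> allowed destination ports.
# Anything not listed is denied, so a breached office PC cannot reach controllers.
ALLOWED = {
    ("engineering", "plant_floor"): {443, 502},
    ("office", "engineering"): {443},
}

def segment_of(ip):
    """Return the segment name containing ip, or None if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None

def is_allowed(src_ip, dst_ip, port):
    """Default-deny check: same-segment traffic passes, cross-segment needs a rule."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # hosts outside every known segment never get implicit access
    if src == dst:
        return True
    return port in ALLOWED.get((src, dst), set())

def audit(flows):
    """Return the (src, dst, port) flows that violate the segmentation policy."""
    return [f for f in flows if not is_allowed(*f)]

# Constructed flow records, e.g. as exported from a firewall or switch.
SAMPLE_FLOWS = [
    ("10.20.0.15", "10.30.0.8", 502),   # engineering workstation -> controller
    ("10.10.0.44", "10.30.0.8", 502),   # office PC -> controller (no rule)
    ("10.10.0.44", "10.20.0.15", 443),  # office -> engineering web app
    ("192.168.1.9", "10.30.0.8", 443),  # address outside all segments
    ("10.30.0.8", "10.30.0.9", 44818),  # within the plant floor segment
]

if __name__ == "__main__":
    for src, dst, port in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {src} ({segment_of(src)}) -> {dst} ({segment_of(dst)}) port {port}")
```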
The important message is: Never assume your organization won’t be of interest to cybercriminals. Even if you don’t store confidential information or have high-value patents, many hackers toy with company networks simply for practice or even for fun.