While many manufacturing firms keep track of and even celebrate physical safety, cyber security tends to be less top of mind, and it’s difficult to determine exact reasons. Among IT experts, manufacturing is known for being less cyber secure than other business sectors. I could speculate on valid reasons why this is so. One possible reason for this is the fact that modern manufacturing has a number of very open security vectors (email, IoT network links, etc.) to exploit, establishing a potential for physical and/or financial damage.
More practically, another possible reason could be that manufacturing businesses seem to place less emphasis on “fuzzy” outcomes like IT security, than on financial outcomes, like the ROI anticipated for new capital equipment. Another potential consideration may be that manufacturing may be more heavily populated by a demographic profile of managers and technicians who are be “less cyber aware.”
These are speculative explanations, but the ramifications of cyber security are simple to identify. Most manufacturing professionals seem to feel cyber security issues are more common among other, non-manufacturing business sectors, despite the recent news coverage of the WannaCry virus infecting over 300,000 computers world-wide with a potential cost of $4 billion.
Of the 251,000 manufacturers in American, about 221,000 of them are considered “small- to medium-sized” businesses (SMBs), which by definition means that they employ fewer than 250 people. Unfortunately, firms with less than 250 employees endure more than 40% of all cyber attacks, and the manufacturing industry receives the highest incidence of malicious spam according to research from the Internet security firm Symantec. The growing reality of cyber security threats means that manufacturers need to make cyber security a part of their culture of safety, no differently than physical security.
In the last few years, businesses have unfortunately become familiar with the LOCKY ransomware virus, which infects a system via email and propagates throughout the system, resulting in the system being locked out until a cyber ransom is paid. Just this year, the worldwide WannaCry attack targeted computers running the Microsoft Windows operating system by encrypting data and then demanding ransom payments in the Bitcoin cryptocurrency. Within a single day, over 300,000 computers in 150 countries were infected by the WannaCry virus. LOCKY and WannaCry are just two well-known examples of the cyber security threats facing today’s businesses.
All businesses, and especially businesses as connected as the manufacturing sector, need to have protocols in place to guard against cyber risk. The commonality of network software programs makes all the users vulnerable to exploitation, which was demonstrated by the WannaCry virus. Other opportunists have tried similar attacks, and more threats will occur as these succeed in extracting ransom payments from unaware users. Cyber “risks” that manufacturers need to consider when evaluating potential threats include: data loss, leaking of private/confidential information, lost productivity, data restoration costs, and even physical damage.
As manufacturers embrace the opportunities of the Internet of Things (IoT), their operating standards in that new frontier must reflect more widely accepted management methods, meaning “best practices” methodologies, and move toward common industry standards for data access and data transfer. .
And, to make a pragmatic observation, a business’s cyber-security status may be taken as a measure of its competitiveness. To that extent, the cyber villains are always on the offensive, and making gains. Today, standing still in a cyber world is losing ground.
So, as IoT becomes an area of engagement, manufacturers must provide more security for the cyber-physical infrastructure of the manufacturing shop floor, as the IoT was built for convenience, not security. Recent research by Cisco —a primary center of development for these ideas and systems — noted that 70% of IoT devices contain serious security vulnerabilities. Additionally, legacy on-premises software systems are more vulnerable than SaaS cloud systems, as there are more potential attack vectors available to cyber criminals.
Some estimates put potential global losses from cyber attacks and fraud at $100 billion per year. To give that figure some perspective, the estimated costs of cyber attack per business were $20,751 in 2014. Can your business take a $21,000 preventable loss?
What is a manufacturing company to do? The best offense is a strong defense. These are a few cyber security defense measures every manufacturing firm should consider, and some practical circumstances that may resonate with you or your manufacturing SMB.
Start with your people
1. Cyber security needs to be built into the DNA of your company. Sharing the responsibility of security to the whole company rather than creating a responsibility silo for your technology team means a higher level of security awareness all around.
Scenario: An employee emails the Tech Team to check protocol before opening a suspicious email.
2. New employees should be on-boarded with best practices for staying secure when browsing the Internet, checking email, etc. A 10-minute conversation at the time of hiring could save your Tech Team untold hours, and the company thousands of dollars later.
An explanation about password security, acceptable downloads, and accessing sensitive data should all be included during the on-boarding program.
Scenario: A newer employee gets a pop-up on the computer that needs to be downloaded. Should the employee hit “yes” to download?
3. Make sure your team regularly updates passwords. Creating an expiration schedule will discourage reliance on stored passwords. Would you be surprised to hear nearly half of online account holders haven’t changed passwords in five years?
Scenario: Your standard new employee password is …
[email protected] How many of your staff still use that?
4. A common security breach can occur when a laptop is stolen. Make sure your people do not have sensitive information saved on their laptops. If they do have sensitive data, consider having company laptop hard drives encrypted.
Scenario: A company “road warrior” goes to lunch. He returns to his car to find his vehicle window broken and laptop gone. What happens to the client data on that laptop?
5. What is your protocol for ensuring your tech staff could handle social engineering and manipulation?
Scenario: An off-site or traveling staff member calls in to reset a “lost” password. Would your tech staff reset the password without additional verification?
6. If your business conducts electronic financial transactions, make sure your employees never email account numbers, credit card information, or other sensitive financial documents.
Scenario: Your event registration team receives an e-mail request for event registration, including credit card information. What is the protocol for storage of that credit card information?
Keep systems up-to-date
1. When was the last time you ran a penetration or port check of your network security systems? Making sure your firewall is up-to-date and unbreached goes a long way to maintaining a secure cyber environment.
Scenario: The Tech Team opened an RDP port on the company firewall as a temporary connection for a remote worker, a month ago. A port check on your network would reveal that the port is still open.
2. Every desktop and every laptop should have anti-virus software installed and in use.
Scenario: No anti-virus or anti-malware software is installed on the intern’s computer. The intern opens an infected email, and malware infects the network your admin team uses. Could updated anti-virus software have helped?
3. Make sure your IT team has downloaded the most recent software updates for systems used within the company. In addition to improving software efficiency and adding features, software updates often contain built-in fixes to potential security vulnerabilities.
Scenario: What if software vulnerability allows a virus to infect a company computer? The WannaCry “attack” on a Microsoft vulnerability is a recent example.
4. Back-up data regularly, preferably storing it separately from the main data storage. Back-ups are a good defense against ransomware.
Scenario: The company data is “hacked” by ransomware. But, because your Tech Team has a back up schedule, they restore the backup rather than pay to unlock data encrypted by the ransomware.
Keep the paths cleared
1. Using a UNC path instead of a mapped drive closes one access point for potential Trojan horses, aka infected email attachments.
Scenario: An employee opens a PDF invoice, except it’s a Trojan horse. Will the virus start working through all the files on your F drive?
2. Using restricted permissions – only users/groups that need to view or modify the data - reduces the risk of shared drive malware proliferation.
Scenario: The Trojan horse unleashed by the file clerk’s PDF open has now reached the CFO’s files. How could the principle of least privilege (POLP) have helped?
3. Make sure all financial data, accounts, and records are kept secure and segregated from the rest of your business’s shared drives.
Scenario: Payment information is corrupted or encrypted during an attack. How many systems – payroll, AP, etc. – does this affect?
Know who has access to your hardware
1. What is the off-site access to vulnerable data?
Scenario: While using a hotel Internet connection, a road warrior logs into your production data, except it was an unsecured connection! What vulnerabilities were exposed?
2. What is your protocol for “checking out” sensitive or timely data?
Scenario: A client needs an open link to information that evolves. Embedding a time-limited URL ensures that your customers have the most recent data, as the URL can’t be re-used indefinitely.
Make sure your servers are in a physically secure location. Has your protocol for server access been updated in the last 18 months?
Scenario: Your company needs to be SOX-compliant, but you have open access to the server room.
These steps are in no way meant to be to replace the input and expertise of your IT department, merely to be a starting off point or refresher for a process review for your team. Staying cyber safe takes an organization-wide commitment coupled with a dynamic and forward-looking strategy. Now is the time for all manufacturers to invest (time and/or resources) in be cyber secure now and for the future.