An oft-overlooked consideration in any industrial operation is cybersecurity. Let's face it: Cybersecurity does not directly contribute to bottom-line cost savings and does not make the manufacturing process more efficient. However, even a fairly simple cyberattack can bring production to a grinding halt, tank your stock prices, or - worse - damage equipment and put lives at risk. Cybersecurity must be taken seriously. Here are a few steps organizations of any size can take to help shore up their cyber readiness without breaking the bank:
Take inventory. Before we can affect proactive change in cybersecurity within an organization, we must understand what we have and where the greatest risk lies. This includes technical tasks, such as mapping out the network and devices in the organization, as well as identifying which systems and processes have the greatest impact to production if disrupted. This information should be used to inform plans for strengthening cybersecurity posture, responding to cybersecurity events and recovering from incidents.
Andrew "AJ" Jarrett, Program Manager, TEEX- Cyber Readiness Center
Industrial control systems and operational technology (OT) each present a unique challenge in manufacturing and industrial sectors, as these systems have a great deal of limitations in terms of their ability to be secured. There are a litany of methods to protect OT environments, including expensive monitoring software and hardware. One of the simplest ways to protect OT infrastructure is to segment OT networks from the rest of the network. Place security appliances in between to block and alert, and implement a demilitarized zone network between OT networks and the corporate networks to allow engineers and operators controlled access to the OT environment.
It is also critical that organizations set expectations for vendors and supply chain security. A common tactic of modern, sophisticated attackers is to target vendors further down the supply chain to ultimately gain a foothold with the intended target further up. Many regulatory requirements such as the Defense Federal Acquisition Regulation Supplement include a "flow down" requirement for prime manufacturers to verify the security of their suppliers for just this reason.
- Find a framework. Although no standard is perfect, one of the easiest ways to measure cybersecurity posture and compare an organization's cyber maturity over time is to map those efforts to a cybersecurity framework. Some companies may find that the framework has been provided due to regulatory requirements such as the National Institute of Standards and Technology Special Publication 800-171 for defense contractors or the Payment Card Industry Data Security Standard for card transactions. Others may find it more practical to pick one of the common cybersecurity standards that most easily applies to them. One simple solution is the Center for Internet Security (CIS) version 7 cybersecurity controls. Use the CIS' questionnaire to map your organization's cyber maturity and locate the biggest gaps.
- Don't forget the humans. When you think of cybersecurity, you may think of expensive equipment and software tools for stopping hackers. But one of the biggest targets exploited by would-be attackers is the organization's personnel. We're not just talking about phishing emails, either. Sophisticated hacker groups use social engineering to trick employees into downloading software, granting access, or simply changing a value in a database to steal money and secrets.
- Governance should be a two-way conversation. IT and security teams do not exist in a vacuum. Organizations with extremely effective cybersecurity bring all stakeholders together when implementing new cybersecurity efforts. Leaders from various nontechnical and nonsecurity business units should be involved in the planning process and have a say in how new solutions are implemented to reduce negative impacts on the organization. This is a tricky battle, but good leaders in IT and cybersecurity find ways to integrate security efforts into company culture.
At the end of the day, organizations must continue to operate efficiently and turn a profit, or all the security in the world will do no good.
For more information, visit https://cyberready.org or call (979) 458-6724.
