Manufacturing leaders know they need to secure their operations. What isn’t always obvious: the first and best steps to take to achieve a secure state. Smart Manufacturing queried cybersecurity leaders to learn their recommended best practices and pet peeves, as well as to get a roadmap to a more secure manufacturing environment.
First, manufacturers must know what they have, said Brian Haugli, founder and CEO of SideChannel and co-author of “Cybersecurity Risk Management,” a book that explores the fundamentals of cybersecurity risk planning and management. According to Haugli, factory leaders must comprehensively assess their current state, including all devices, data, and processes that need to be protected, as well as the software and systems in place to protect them. This practice is also in line with guidance from the National Institute of Standards and Technology (NIST) at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
As a best practice, Haugli said, manufacturers need to conduct their assessments to discover and document:
“This is the biggest thing overlooked. You can’t start fixing things until you know what you have,” Haugli explained. “I find a lot of clients have bought solutions they don’t have turned on because they don’t know they have them. I’ve had clients say they’ve rolled out endpoint monitoring. I ask them, ‘Do you know what (endpoints) you have?’ And they say, ‘No.’”
After you know your current state, figure out your target state. The difference, Haugli said, is your roadmap to get to that target state. Each organization will have its own priorities based on the cybersecurity practices in place and what’s missing, he added.
Mindful setting of priorities is important, Haugli said. Some cybersecurity practices work better when layered on top of other practices, for example multi-factor authentication (MFA) before data loss prevention (DLP). MFA is cited as one of the most critical security features for protecting corporate data because it makes it harder for cybercriminals to impersonate workers. With MFA, a stolen password isn’t enough on its own to gain access to information, which thwarts the efforts of those entities looking for low-hanging fruit.
The basics of a cybersecurity program include antivirus protection, whitelisting, firewalls, segmentation, backups, hardening of endpoints, and turning on logging, said Chuck Tommey, digital connectivity executive at Siemens.
A critical requirement for success: Every layer of management up to the board level needs to know who is responsible for OT cybersecurity, Tommey explained.
“We’re finding that organizations have been spending millions and millions of dollars on cybersecurity over the past 30 years and the boards feel really good about their cyber posture,” Tommey added. “Then we ask, ‘How is it going in your factory?’ They say, ‘We have all these charts showing we’re addressing vulnerabilities within X days.’ The charts are all green, not much yellow.”
“But then you ask for examples of specific plants and there are none,” Tommey continued. “Almost no money is being spent on the OT side of the firewall. The boards are waking up (now) to understanding that the money they have been spending and the metrics they have been getting for the last 10 to 15 years have very little to do with production aspects. That’s very scary and that’s going to drive their behavior to get the OT side more secure. Now that they understand they have additional risk, they’re going to turn to that.”
After an asset and security assessment, focus on users and identify which ones have admin privileges, Haugli advised. In some companies, for example, former administrators still have access long after they’ve left. Or someone was granted what should have been temporary access that never expired.
“I see it all the time,” Haugli said. “A former administrator who still had access doing bad things after leaving the company.”
Bad actors aren’t always to blame. “Sometimes good people do stupid things,” Haugli said. “I saw that with a major identity provider on one of the apps we run. Their whole system went down because they pushed bad code into production. That wasn’t nefarious. That was a mistake. But should that person even have had permission to do that? Microsoft will tell you that 80 percent of the incidents they see stem from misuse of admin privileges.”
One way to limit such inadvertent misuse is, similar to good accounting procedures, to require two people to sign off on critical changes, Haugli said.
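The two controls described above, a review that flags admin accounts belonging to departed staff or tied to expired temporary grants, and a two-person sign-off check for critical changes, as an added example that is not from the article or any of the people quoted. The account and change records are constructed sample data with hypothetical user names.

```python
"""Privileged-access review for an OT environment (added example).
Account and change records below are constructed samples."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Account:
    user: str
    is_admin: bool
    active_employee: bool           # False once HR marks the person as departed
    access_expires: Optional[date]  # None means a permanent grant

@dataclass
class Change:
    change_id: str
    requested_by: str
    approvers: tuple  # names of people who signed off

REVIEW_DATE = date(2024, 6, 1)  # constructed review date
ACCOUNTS = [  # constructed sample accounts (hypothetical users)
    Account("alice", True, True, None),
    Account("bob", True, False, None),                # left the company, still admin
    Account("carol", True, True, date(2023, 1, 31)),  # temporary grant never removed
    Account("dave", False, False, None),              # departed, but not privileged
    Account("erin", True, True, date(2030, 1, 1)),
]

def stale_admins(accounts, today):
    """Return (user, reason) pairs for admin accounts that should be revoked."""
    findings = []
    for a in accounts:
        if not a.is_admin:
            continue
        if not a.active_employee:
            findings.append((a.user, "departed employee retains admin"))
        elif a.access_expires is not None and a.access_expires < today:
            findings.append((a.user, "temporary admin grant expired"))
    return findings

def has_two_person_signoff(change):
    """A critical change needs two distinct approvers, neither the requester."""
    approvers = {p for p in change.approvers if p != change.requested_by}
    return len(approvers) >= 2

if __name__ == "__main__":
    for user, reason in stale_admins(ACCOUNTS, REVIEW_DATE):
        print(f"REVOKE {user}: {reason}")
    print(has_two_person_signoff(Change("CHG-1", "alice", ("bob", "bob"))))
```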
Establishing cybersecurity procedures and securing connections work only as well as the people involved.
“One of the low-hanging fruit is training,” said Laura Élan, senior director of cybersecurity, MxD. “We can put a lot of technical controls in our environment and you should have the technical controls. You also have to have the awareness of those controls so that humans and the processes they interact with do not compromise security. Training is not one-and-done. Training supports creating a culture within the environment so each individual understands their contribution to security.”
“Every cybersecurity practitioner has pet peeves, and USB ports are one of mine,” Élan said. “USB ports are so ubiquitous. We put them on everything—manufacturing equipment such as CNC machines and 3D printers. It’s a great technology. It’s plug and play. USB ports and thumb drives have made it easy to transmit information and files.”
Along with that convenience comes risk. “They also are really great opportunities for bad actors, or even benign actors, to introduce security threats,” she said.
When USB ports are left open on a factory floor, as they often are, a bad actor could plug in a USB drive to introduce malware that could affect the safety of a machine, she noted. A bad actor also could plug in a USB drive and exfiltrate data. Or an employee could bring in a thumb drive from home that he or she didn’t know was compromised, plug it in, and introduce malware to the factory system.
“A USB port was one of the vectors that actors used to introduce malware into the uranium-enrichment environment in the Stuxnet attack (on Iranian nuclear facilities in 2010).”
A $25 lock can secure a USB port: it plugs into the open port and blocks it, locking that piece of equipment against USB access unless an individual follows a set authorization process, Élan said.
Patching is the process of repairing a vulnerability or flaw identified after an application or piece of software has been released. When patching, it’s critical to include all assets that can accept a patch, said Oscar Ornelas, chief product security officer at PTC.
Patch management is essential but difficult to do without halting the manufacturing process, Élan added.
“Often the patches require me to go to individual pieces of equipment—it’s difficult to automate software updates in the factory floor,” Élan noted. “Not only do I have to bring the processes down and do the security patching, but then I have to bring the equipment back up and make sure I haven’t changed any of the attributes of the pieces of equipment so my system is still working right.”
Segmentation, where parts of the network are compartmentalized and not accessible to others, is a powerful security tool, Élan explained, because it provides an effective way to isolate an active attack before it spreads. For example, segmentation ensures malware in one segment doesn’t affect systems in another. Creating segments reduces the attack surface to an absolute minimum. However, Élan cautioned, such separation is tricky to implement and requires an organization to have IT resources that can help configure the environment.
Instead of assuming every user inside the system is trusted and acting safely, adopt a “zero trust” approach with software and manage it accordingly, Élan said. Every data exchange and every user must be authenticated, authorized, and subject to continuous validation. Zero trust often requires manufacturers to rethink their architecture and to enable tools to monitor network traffic, she added.
A key factor is 24/7 email monitoring with alerts for potential breaches or inadvertently risky actions, Haugli asserted.
Physical security is not new but it is an essential part of cybersecurity, Élan said. However, physical security is often overlooked when cybersecurity policies and procedures are written. Cybercriminals can access hardware, downloading malicious software directly into systems. Therefore, it’s imperative that only authorized employees are given access to the parts of the organization and building they need to perform their jobs, Élan added.
Replace insecure devices, which are devices not able to be authenticated, and insecure protocols (those still communicating in plain text), Ornelas said. While you’re at it, get rid of all stations or systems still running on analog protocols, he added. While digital signals are encrypted and arguably more secure as a result, analog signals are not encrypted, allowing easy entry into an organization.
Once the basics are in place, manufacturers need an ongoing strategic OT cybersecurity program that is constantly being maintained and updated. If not, “It’s just a bunch of ad hoc controls put in place by a person who has likely moved on, and no one knows why the controls are there or how to maintain them,” Tommey said.
A governance structure “makes sure everything you’re doing is as effective on day 300 as on day one,” Haugli concluded.