A few years ago my company was hired to do a data security assessment at a large manufacturer. We drove past the eight-foot fence at the entrance and drove the perimeter. Along a country road around the back, the fence ended, providing access to the whole property.
Once on campus, some of the doors on the multi-building campus were left open — some were even removed because they were traversed so often.
When cybersecurity is discussed, it’s easy to think about hackers in a foreign country using sophisticated tools to break into a network. If someone is getting at your data, it doesn’t matter if it happens over the internet or by walking up on-site to steal data. The reality is, it’s important to think about cybersecurity holistically.
Why attack my company?
Manufacturers are good targets for those looking to steal data.
Of course, an attacker can gain access to human resources, accounts payable and receivable data, information technology, communications, inventory and operations data. But, beyond that, at a manufacturing location, a hacker can damage machines, interrupt production, misdirect shipments and even cause physical harm. Hackers can also steal that company’s information, including design plans, patented methods or access to the larger company’s systems and infrastructure.
While a global brand may have a lot of controls in place, attackers know the manufacturer’s industrial control systems and supply chain may be a weakness to exploit.
In addition to the common business functions, manufacturers also often have additional points of entry for an attacker.
An operations network provides connectivity, maintenance and automation for the organization’s industrial control systems, sometimes called ICS. Typically these industrial control systems will include supervisory control and data acquisition systems, distributed control systems, and other control system configurations such as programmable logic controllers.
These ICS environments are getting increasingly similar to traditional IT systems. And the integrations are sometimes executed to get things working well without an eye to security. The old systems were far more insulated to the outside world, so as ICS environments get more sophisticated, they’re also more likely to be targeted.
In addition, in many manufacturing environments, there is tension between the office and the plant. So instead of a holistic approach to the way the systems talk to each other, both groups are operating independently. And that’s a great way for vulnerabilities to arise.
Things to think about
To address the cybersecurity issues in a manufacturing environment, those responsible for the business network and those responsible for the operations network must work together to identify the confidentiality, integrity, reliability and availability issues that exist in each network and how they impact each other.
There are five key areas to think about:
• Physical Security: Why spend the time and effort to get digital data secure if anyone can walk right in the back door?
• End Point Security: Do you have visibility into data accessed at all end points, from desk computers to cell phones and tablets?
• Cloud Service Providers: Do you know how many of the 12,000+ cloud providers are being accessed? Are you sure no one has ever used an online PDF conversion tool, many of which have gained access to confidential documents?
• Wireless Security: Is your wireless network secure?
• Network security: Who can access the most sensitive locations on your network, including internal employees?
To properly address security in a manufacturing environment it is essential for a cross-functional security team to share their varied domain knowledge and experience to evaluate and mitigate risk to all the networks. The security team should be led by a senior member of the management team and strive to include, or have direct team participation by IT staff, control engineers, control system operators, network and system security experts, and a member of the physical security department.
And don’t forget to fix your fence.
Gary Sheehan is the Chief Information Security Officer for ASMGi, a practical IT innovation products and services firm offering security, custom software and IT services solutions — and operates as a virtual CISO for many clients. His email address is [email protected]. Further information can be found at www.asmgi.com.