The motivations for cyberattacks on manufacturers are varied. They range from financial fraud to industrial espionage (an example of espionage would be the theft of detailed product or equipment plans to be fed to a pressure die casting machine). The following tips can help manufacturers reduce the likelihood of a successful attack.
- Start at the Top: Like any other company initiative, successful cybersecurity depends on management buy-in. If the people at the top of the organization do not set the right tone in word and deed, it becomes harder to motivate staff lower down the hierarchy to do the right thing. Cybersecurity cannot be left to the CIO or the technology department alone. In fact, communication on cyber matters should occasionally come from the CEO’s office. That will get employees to see the seriousness of the issue and align their behavior accordingly.
- Perform a Broad Risk Assessment: Conduct an exhaustive cyber risk assessment that covers the industrial control systems, ERP systems and any standalone systems. The assessment should be done at least once every six months in order to capture vulnerabilities introduced by changes to the operating environment. The risk assessment should not only cover traditional cyber risks like password management and firewall configuration but should also delve into more manufacturing-specific risks such as IP protection.
- Circulate Cyber Risk Reports: A cyber risk assessment report is of no use if all it does is gather dust on an office shelf. Instead, enterprise risk reports, including remedial action roadmaps, should be shared with the board and executive leadership. There should be a high-level discussion of the key sticking points with a view to demonstrating impact and identifying priority areas for resource allocation. Decisions can then be made that take account of the manufacturer’s risk posture and risk tolerance goals.
- Built-in Security: All new manufacturing equipment, software and connected products must be evaluated for compliance and coherence with the company’s cyber risk program. Since the acquisition and deployment of major equipment and software will usually be done by a special project team, always confirm that the requisite cybersecurity talent is on that team. This ensures security considerations are a decisive factor in the acquisition from the outset.
- Recognize Data as an Asset: The importance of cybersecurity can be harder to sell to the management of manufacturing companies than to leaders of service-oriented industries such as banking. Manufacturers are used to dealing with a tangible product built by tangible equipment and may thus not readily see data as a critical business asset. Yet treating data as an indispensable asset is at the heart of any successful enterprise-wide cybersecurity campaign. Making sure management and staff see the business value of data, and why it needs to be protected, will inform the adoption of best practice on where the data is stored, how it is accessed and who can access or modify it.
- Assess Third-Party Risk: The success of a manufacturing operation depends on reliable partners, including suppliers and service providers. In order to do business seamlessly, such third parties will sometimes need access to enterprise systems or facilities. This introduces a potential avenue for a data leak. Manufacturers must perform thorough background checks on the third parties they work with and clearly define the rules of engagement, including what is off limits. Third parties should be given physical access only to the areas of the facility that they need in order to do their work.
- Vigilant Monitoring: Good organizational policies, procedures and action plans are only as good as their implementation. Create checklists, reporting procedures and escalation mechanisms that ensure existing and emerging cyber threats are caught before they spiral out of control. Regularly scheduled monitoring creates an opportunity to identify gaps that have fallen through the cracks and to amend policies and procedures to mitigate those risks.
- Recovery Planning: Some of the companies that have suffered massive cyberattacks were doing the right thing and checking all the right cyber risk boxes at the time. A robust cybersecurity plan is no guarantee that an attack will not occur or that systems will not fail. A detailed recovery plan is required that sets out what actions to take in the event that a cyberattack is suspected to have taken place. Manufacturers can increase their resilience through war-gaming or tabletop simulations that envisage the worst-case scenario.
- Clarify Responsibilities: Many organizational problems can be attributed to the absence of a specific person assuming full responsibility for a process. It should be clear who is tasked with each component of the cyber risk program, including at department level. Ideally, there should be a cybersecurity champion within each department who will ask the important questions whenever a new project or product is planned.
- Drive Awareness: Most cybersecurity breaches have less to do with technology failures and more to do with deliberate or accidental human actions. Employees must be regularly sensitized to their individual responsibilities in mitigating non-technical cyber risks such as social engineering, phishing and identity theft. They should also be provided with a clear reporting path for whenever they notice suspicious or unusual activity.

These tips can help manufacturers deeply embed cyber risk management, identify areas for improvement and chart a road map towards a more vigilant, secure and resilient work environment.