…7 Cybersecurity Tips for Manufacturers
Cybersecurity has become a government priority, but the manufacturing industry is falling behind commercial business. The last few decades have seen numerous incidents where sensitive data has been compromised. Consumer information like email addresses, banking details and passwords have been stolen and used by hackers for a range of crimes including fraud and blackmail. One of the most widely reported incidents occurred recently, with the security of an estimated 50 million Facebook accounts attacked, seriously breaching users’ right to privacy
The introduction of GDPR
Incidents like this led to governing bodies working to formalise data protection laws. In May 2018, GDPR was implemented and affects all data for individuals within the EU. It aims to give people better control over their personal data and holds businesses to account for any mishandling of their customers’ information.
As a result, we’ve seen commercial businesses such as retailers tighten their data regulations and clarify how they use, maintain and store customer information. The supply chain is becoming ever more digitally connected, and it’s likely that some original equipment manufacturers (OEM) in the B2C sector will have direct access to personal customer data for warranty purposes, while manufacturers in the B2B sector are likely to have access to customer data via CRMs.
For example, a pharmaceutical OEM assembling products for a wellness brand may have access to their client, partner and supplier database. This is where manufacturers will have accountability for the personal data within their respective databases.
Sensitive business data
Although it’s not as tightly regulated as personal data, business data is highly sensitive, such as intellectual property, planning and production processes, and these are all at risk of cybercrime.
The position of Tier Two and Three manufacturers in the supply chain means they may not hold personal data, but they do have access to confidential business information like blueprints or intelligence. If intellectual property is stolen, it could have catastrophic consequences, in some instances an entire business can be lost due to commercial espionage.
Manufacturing is falling behind
The EEF’s Cybersecurity for Manufacturing report found that 59% of manufacturers said they’ve been asked by a client to show or guarantee the robustness of their cybersecurity processes. Failure to comply with GDPR can lead to a fine up to 4% of a business’ global turnover, or €20 million Euros. So, it’s no surprise that businesses are looking to test the robustness of any third party who will have access to the data they safeguard – and even make it a contractual agreement.
A breach of business data could also be costly – losing confidential blueprints to theft or industrial espionage could have dramatic legal and fiscal implications for the Tier Two or Three manufacturer it was stolen from and affect the wider supply chain. But 37% of manufacturers said they couldn’t make any assurances to their clients. And with the repercussions of non-compliance being so costly along with the risk of losing business data, clients and other manufacturers in the supply chain will be put off by a lack of cyber hygiene.
So how can manufacturers ensure they don’t lose business because they’re not cybersecurity savvy? Here are 7 of our top cybersecurity tips for manufacturers to follow to mitigate the risk of attack.
1. Train your employees
Human error has been found as a contributing factor in many cybersecurity breaches. AIG reports more than 80% of all cyber losses have a human element. A loss may be the result of accidental or malicious behaviour but can be caused by something as simple as clicking on a link.
In 2015, attackers gained access to a German steel mill through the plant’s business network. A phishing email was sent to an employee who opened the malicious attachment. The hackers were then able to infiltrate a number of systems including the manufacturing execution system (MES) to control plant equipment and caused physical damage.
The first thing manufacturers should do to ensure good practice is to train all employees on basic cyber security. It’s important for all users to understand that no matter their job title or responsibilities, they could be an entry point for attack, just by using a PC or laptop to access the network.Here are three key areas to train your team in:
• Educate employees on phishing scams
Phishing emails are becoming more advanced and can look harmless – often seeming to come from a trusted sender. Provide training on how to identify a malicious email, link or attachment and put a clear process in place for employees to follow if they think they have been sent a phishing email.
• Provide best practice for passwords
Make sure employees are aware they shouldn’t write down, share or re-use passwords on other systems. Use a simple algorithm to always “salt” your passwords from entry point to entry point, so that a “contamination attack” (where a hacker grabs your password form entry point X and re-uses it on entry point Y) isn’t possible.
• Make it a policy to only log in to the network from approved company devices and locations
Employees using personal laptops and phones or external internet connections to access the business network present another entry point for attackers. It’s difficult for IT administrators to properly secure these external devices or connections so employees should be provided with company-approved devices that have been configured for working remotely.
2. Use the appropriate level of security
In any instance where employees are using a device to remotely access the network, you should implement an appropriate level of security. An employee needing to access the enterprise resource planning (ERP) system from a coffee bar using their mobile device, or an office administrator who needs to send an internal memo, using Office 365 on a PC in head office, will require different levels of security for their tasks.
Risk-based authentication (RBA) utilises a set of rules and a points system to allocate the level of security required on a per user, per application basis. This can be based on a number of variables including: their physical location (GeoIP), the service being accessed, IP Address, last authentication, X509 Cert or device. This method of authentication is designed to be flexible and efficient for employees to use. It will help to increase the level of security without interfering with everyday work.
3. Ensure all applications are up-to-date
Another way manufacturers can improve their cybersecurity is to make sure any applications employees might require access to are kept updated. IT applications like Microsoft Word present another potential entry point for attackers. New versions are released regularly and often fix any weaknesses within the application that could be a security threat. This year alone, Microsoft released over 70 patches and Adobe, over 100 patches to their apps.
Although updating software is time consuming, and administrators often need to deal with aftermath from updating software such as memory leakage or software and driver compatibility issues, not doing so could potentially lead to a security breach.
Manufacturers need to make sure there is a process and the time set aside to update applications. This helps to remove one variable that could be a weak spot and see your system infiltrated by cyber criminals.
4. Use a jump host
Due to the connected nature of manufacturing supply chains, manufacturers need to include security points to prevent hackers gaining access to multiple systems. For example, PLCs (programmable logic controllers) which control hardware for manufacturing such as pick-and-place machines and other automated machines in manufacturing including computer numerical control (CNC) machines, can easily be hacked if they aren’t protected on the network.
This can cause catastrophic consequences if any sabotage goes undetected for any significant amount of time – dependent on production. The PLC attacks are the jump from a virtual world attack to a real-world attack, as we saw in August 2017 when a petrochemical plant in Saudi Arabia was infiltrated by hackers with the intention of causing a physical explosion.
PLCs need to be protected from unauthorised access. A Jump Box or Jump Server can help protect them from external threats. This uses a computer on an insulated network which allows the PLC to be accessed by authorised personnel. The PLC and computer is linked externally when it needs updating but is protected at all other times – closing the connection to attackers.
The insulated network could also be secured with multi-factor authentication (MFA). In addition, if your PLCs also support RADIUS protocol, adding 2FA or MFA to the RADIUS authentication can further protect all the PLCs from cyberattacks.
5. Apply single sign-on to access your separate networks
An infrastructure where hardware such as PLCs sit on insulated networks, and are separate to any external facing networks, will help to prevent hackers gaining access to the whole network. But manufacturers may regularly need to access systems seamlessly and without compromising security. Some systems might include:
• Customer Relationship Management tool (CRM),
• Enterprise Resource Planning (ERP),
• Product Lifecycle Management tool (PLM)
• Management Execution System (MES)
With so many tools and systems to keep separate, employees may require separate log-ins for each, meaning there’s a multitude of usernames and passwords to remember. This can slow down or complicate working processes.
Although single sign-on (SSO) can provide greater efficiency, giving employees access to all platforms and systems (even if they are on different networks), it’s imperative that risk-based authentication is utilised with SSO functionality, to ensure continued security.
6. Use multi-factor authentication
But it’s not just enough to have a password for SSO. All the applications, systems and more on your network could also be secured with multi-factor authentication. This asks the user for a few pieces of evidence, like a password and a numerical code, before giving them access to the network.
Choose your MFA supplier wisely and be aware that although some two-factor authentication applications can be prone to credentials theft – they only update the code every 40-seconds, during which time a hacker can use the code to access the network.
Dedicated MFA platforms offer more secure authentication and are updated frequently to stay one-step ahead of cyber criminals such as delivering new security strings for each access request. However, there are a few elements of an MFA platform to consider so you achieve the maximum benefit, including:
• Efficiency – while SSO isn’t enough on its own, some MFA platforms will allow for an SSO option and this is ideal for ensuring efficiency
• Flexibility – organisations are continually evolving, and the IT set-up needs to support the changing business. Your MFA platform should be able to integrate with hundreds of applications, so you’re not restricted in the future
• Intelligence – with so many devices being used to access applications and employees travelling all over the world for work, it’s important to be able to adapt your MFA platform based on any attributes you set. For example, you might configure the platform to recognise users based on a list of parameters like job title and give them access to the relevant platforms rather than the entire network
7. Aim for maximum adoption
Your cybersecurity features will only be effective if they’re used in the right way. So manufacturers need to make it as simple as possible for employees to follow any security processes. If they are too complicated or interfere with everyday work, then getting employees to follow them will be difficult.
As well as providing a flexible MFA platform, streamlining processes with SSO options and offering training, you should help your employees understand why cybersecurity is critical for the manufacturing industry. Information about how attacks happened to other manufacturers will help your employees better understand their role in protecting the entire company.
It’s not just one of these solutions that will help you protect your manufacturing business from a cyberattack. You should follow a combination of practices to make sure you can guarantee clients the robustness of your cybersecurity.
Different solutions will work for different companies and maximum adoption is key to make sure there are no weak spots in the network. So, it’s important for you to find the solutions that suit your business and way of working.
Manufacturers need to keep up with other industries when it comes to cybersecurity, or risk losing out on business. Talk to us for more ways you can secure your network against online threats.