Manufacturing companies are no exception when it comes to the need for cybersecurity. As companies continue to embrace automation, edge computing, supply chain optimization, and remote diagnostics – among other technologies across the production chain – they become more vulnerable to cybersecurity threats due to this increased external connectivity. Ironically, smaller manufacturers are more likely to be targeted than their larger counterparts because they are viewed as easier to penetrate as entry points into larger manufacturing supply chains. In this article, we’ll provide an overview of how to start thinking about cybersecurity and best practices in terms of actually getting started.
Basic steps to protect your company network from intrusion
Put in a firewall to separate your manufacturing network from your business network
Install antivirus protections
Conduct regular patches (updates) for all of your software and systems
Have a robust backup system in place and do regularly scheduled backups
Deploy an intrusion detection system or anti-malware software
Train your employees on the basics of avoiding social engineering attacks
An excellent resource for getting high-level data and information on recent cybersecurity incidents in the manufacturing industry is Verizon’s annual Data Breach Investigations Report – now in its 13th year – which combines data from both public and private organizations globally, including law enforcement agencies, national incident-reporting entities, research institutions, private security firms, and Verizon. The 2020 report encompasses 157,525 reported incidents and 108,069 breaches for all industries and then breaks down its findings by industry.
In 2020, the manufacturing industry experienced 922 incidents, 381 with confirmed data disclosure. The majority of attacks were financially motivated (73%), with the others falling into the category of espionage (27%). Types of data compromised included credentials (55%), personal data (49%), other (25%), and payment data (20%). The report also notes that 75% of attacks came from external sources, while 25% originated internally.
How should a business understand the risks it faces, and how should it best approach the challenges of cybersecurity, especially if it is a small to medium-sized manufacturer (SMB) that wants to maximize every dollar spent?
AMT recommends that you learn more about existing cybersecurity standards and best practices by becoming familiar with the NIST Cybersecurity Framework and then go on to learn where your company’s specific weaknesses are by hiring an ethical hacker to conduct a penetration test of your network. We’ll break these two recommendations down.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework, launched in 2014 and updated annually, is guidance based on existing standards, guidelines, and best practices for organizations to better understand, manage, and reduce their cybersecurity risks. It is designed to help you determine which activities are most important for your business and how to prioritize your investment in cybersecurity and maximize the impact of each dollar spent. The site also features more than 100 online resources produced by private and public sector organizations that offer guidance and examples about using the framework.
By providing a common language to address cybersecurity risk management, the framework is especially helpful in communicating inside and outside your company, including between and amongst IT, planning, and operating units, as well as senior executives. The framework can also be used to communicate current or desired cybersecurity needs between buyers and suppliers.
Penetration testing is a best practice and a quick way to get started
A penetration test, also known as ethical hacking, is an authorized, simulated cyberattack on a company’s computer network performed to evaluate the security of the system. The test is performed to identify weaknesses, including the potential for unauthorized parties to gain access to the system’s features and data. The test can also evaluate any existing cybersecurity strengths, enabling a full risk assessment to be completed. There are many companies nationwide performing this service, so get some recommendations from your industry peers or from local businesses to bring in a few companies, or individuals, to evaluate for doing this work.
SMBs may not have the resources to support full-time, in-house cybersecurity teams, which is why more businesses choose to outsource their cybersecurity needs. By choosing to work with a cybersecurity company, you benefit from 24/7/365 monitoring and support.
Manufacturers who are contractors or subcontractors with the Department of Defense (DOD) need to become familiar with another important resource: the Cybersecurity Maturity Model Certification (CMMC) Accreditation Body, which is authorized by the DOD to be the “sole authoritative source” for the operationalization of CMMC Assessments and Training for DOD contractors. The CMMC is the unified standard for implementing cybersecurity across the defense industrial base. Released by the DOD in January 2020, CMMC version 1.0 changed cybersecurity requirements for DOD contractors. Contractors were already responsible for “implementing, monitoring, and certifying the security of their information technology systems and any sensitive DOD information stored on or transmitted by those systems.” But as of January 2020, the CMMC also requires third party assessments of contractors’ compliance with certain mandatory practices, procedures, and capabilities that can adapt to new and evolving cyber threats from adversaries. All DOD contractors need to learn the CMMC’s technical requirements and prepare for certification, and by 2025, all DOD suppliers will need CMMC certification to bid on contracts.
Too many phish in the C:
Research has shown that the majority (over 80%) of security breaches happen because of social engineering and phising attacks. Social engineering tactics trick employees into opening email, visiting websites, permitting physical access, or plugging thumb drives or other media into the business’s computers for the purpose of inserting malware or gaining unauthorized access, or both. The best network security protecting a company can be bypassed through a social engineering attack. Holding organization-wide cybersecurity training for all employees about social engineering risks and what they look like is critical.
For more information, contact AMT’s director of manufacturing technology, Benjamin Moses, at bmoses@AMTonline.org.