In the not-too-distant past, manufacturers spent the vast majority of their security resources on physical security. But now, with the convergence of IT and OT (operational technology), that’s no longer an option. In fact, manufacturing was the second most-attacked industry in 2020 (we’re still waiting on 2021 figures). This means surface-level measures like air gapping (ensuring a computer or network has no network interfaces connected to outside networks) are not enough. In this blog, we’ll take manufacturers through the four steps they can take to build a robust security program. Plus, we offer a free downloadable checklist at the end of the article.
Step One: Identify your assets and their vulnerabilities
Manufacturers’ network perimeters are becoming more fluid, which means there may be IT or OT assets that aren’t visible or secured. At this step, we recommend beginning by identifying all fixed and mobile endpoints. Then take a look at the risks. These could be traditional, human, environmental, quality and vulnerability risks, including those arising from IT/OT network configurations. A helpful tip? Consider conducting a risk assessment. You can reference the Guide to Industrial Control Systems (ICS) Security from NIST for guidance.
Next, review your security policies. Make sure they’re documented and call out specific requirements within security categories. Some policies to consider include acceptable use, asset management, security incident management and access management.
Finally, audit your requirements and security frameworks. Identify the information needed for audits from sources such as executive management, auditors, internal policies, industry regulation and your board of directors. Choose a security framework that aligns with these requirements and covers the basic security activities. At Nuspire, we use our Security in Action framework – you can learn all about it here.
Step Two: Create a thoughtful, comprehensive security plan
Having a security plan in place for your manufacturing business is table stakes these days. But what should it include? First, look at your security monitoring. Are you using a dedicated staff or a managed security services provider (MSSP) to monitor and manage your gateways, IT/OT networks and endpoints? Either way, require 24x7x365 security monitoring to help identify normal versus abnormal behavior and potential malicious activity.
Next, determine how you’ll address threat detection. Figure out how you’ll detect threats and manage them. Consider how frequently your detection capabilities evolve. Attackers shift tools and tactics continually, so your detection methods also need regular updating. We recommend evaluating managed detection and response (MDR) services to augment your detection and response capabilities. When you vet MSSPs, ask about their cybersecurity experts, experience and detection technologies.
Incident response (IR) is another important area to plan for. Develop an IR plan that details how security breaches will be handled. Include a variety of scenarios and matching responses. Here’s an example of an IR plan you can reference.
Disasters can happen anytime, anywhere. Make sure your security planning includes a disaster recovery (DR) plan that specifies what actions will be taken before, during and after a disaster. Include roles and responsibilities for responders, communication procedures for employees and vendors, a detailed asset inventory and restoration procedures, and data backup procedures. Consider special handling procedures for sensitive information like
Lastly, confirm you and your team know the process for shutting down production if you are breached. It should be clear when and how to shut down and restart operations.
Step Three: Implement a cadence for managing security essentials
Manufacturing organizations need to implement the right security protections and continually manage them to stay ahead of cyberattacks. Security essentials include:
Access Control: Safeguard IP, technology, assets and production lines with appropriate controls for onsite and remote access. Consider solutions such as identity and access management (IAM), privileged access management (PAM), multi-factor authentication and endpoint detection and response for fixed and mobile devices.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS): IDS (monitoring and alerting) and IPS (in-line blocking), combined with skilled security analysts, detect, block and respond to network intrusions.
Patch Management: After you identify and list IT and OT assets such as operating systems, software and servers, assign ownership to ensure regular patching. Follow a consistent patch management process to lower your risk of attack and breach.
Password Management: Introduce and reinforce an employee process to ensure passwords meet requirements and are reset regularly. Consider additional security layers such as vaulting, rotation and re-authentication settings.
Network Segmentation: Segment the networks of different departments or groups and the IT network from the ICS network and demilitarized zones (DMZ). This allows IT to observe behavior and performance and apply security controls within segments. Segmentation also allows IT to block communications from suspect IP addresses, limit an attacker’s lateral movement, and keep proprietary information limited to need-to-know groups.
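To make the segmentation rules above concrete, here is an added example (not Nuspire's code) of a default-deny zone policy for an IT segment, a DMZ and an ICS cell. The zone subnets, permitted ports and the suspect address are constructed for illustration; in practice the same policy is expressed as firewall rules on each segment boundary.

```python
"""Zone-policy evaluator for IT / DMZ / ICS segmentation (illustrative)."""
from ipaddress import ip_address, ip_network

# Constructed address plan: one subnet per segment.
ZONES = {
    "IT":  ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "ICS": ip_network("10.30.0.0/24"),
}

# Permitted flows between zones; anything not listed is denied.
# IT never reaches ICS directly: it must go through the DMZ
# (e.g. a data historian or jump host placed there).
ALLOWED = {
    ("IT", "DMZ"):  {443, 3389},   # HTTPS to historian, RDP to jump host
    ("DMZ", "ICS"): {502},         # Modbus/TCP from the DMZ relay only
    ("ICS", "ICS"): {502, 44818},  # Modbus and EtherNet/IP inside the cell
    ("IT", "IT"):   None,          # None = any port within the IT segment
}

# Constructed denylist of suspect addresses, blocked at every boundary.
SUSPECT_IPS = {ip_address("203.0.113.7")}


def zone_of(addr):
    """Return the zone containing addr, or 'EXTERNAL' if none matches."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


def evaluate(src, dst, port):
    """Return ('allow' | 'deny', reason) for one src -> dst:port flow."""
    if ip_address(src) in SUSPECT_IPS or ip_address(dst) in SUSPECT_IPS:
        return "deny", "suspect address"
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if "EXTERNAL" in (src_zone, dst_zone):
        return "deny", "no direct path between external and plant networks"
    ports = ALLOWED.get((src_zone, dst_zone), set())
    if ports is None or port in ports:
        return "allow", f"{src_zone}->{dst_zone} permitted on port {port}"
    return "deny", f"{src_zone}->{dst_zone} not permitted on port {port}"


if __name__ == "__main__":
    # An IT workstation trying to talk Modbus straight to a PLC is denied.
    print(evaluate("10.10.5.5", "10.30.0.10", 502))
```

Running the evaluator over captured flow records (source, destination, port) is a quick way to confirm that observed traffic matches the segmentation you intended and to spot paths that bypass the DMZ.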
Step Four: Conduct regular audits of your security program
The bad guys are always evolving, so it’s important to review your manufacturing organization’s security measures to ensure they are meeting current needs. Look at your security event triggers and verify you are identifying security events quickly. It’s critical you maintain visibility of your entire network to monitor malicious or anomalous behavior and review security actions with context.
Revisit your process for identifying assets and endpoints and their security status. There’s technology out there that can track and monitor these for you.
Evaluate your security program performance against the policies you created. Are they aligned? If not, make the necessary adjustments.
And finally, evaluate your security program performance against threats documented in your risk assessment. Be sure that the risk factors you identified in the assessment are eliminated or managed to your risk tolerance profile.
By conducting these four steps – Identify, Plan, Implement and Audit – your manufacturing organization will be well-positioned to address today’s security challenges and the many unknowns that lie ahead.