Many manufacturing companies take a reactive approach to managing cyber threats, as it can be difficult to predict when and where a security incident will take place. While a defensive position can help reduce the impact of most cyber risks, it’s important to strive for constant improvement and resolve underlying issues with your security program before new incidents occur. This proactive framework allows for faster response times and a more efficient allocation of IT resources, which can save manufacturers time and money.
Manufacturing has seen an increase in financially motivated breaches over the past two years, but espionage is still a strong motivator. Most breaches involve phishing and the use of stolen credentials. The 2019 Verizon report documented 352 incidents, of which 87 had confirmed data disclosure. You may be thinking that is a small number, and we agree. Law enforcement agencies estimate that the number of cybercrimes that go unreported by businesses is in the millions. In the absence of legal and compliance motivations, there are no incentives for reporting cybercrime. Therefore, our probability projections are skewed if they consider only reported incidents and breaches.
A written information security program is one of the most crucial cybersecurity resources for any manufacturing business, as it establishes a detailed set of policies, procedures and guidelines to responsibly manage the risk from your employees’ use of technology. The modern IT landscape is full of complex threats that can jeopardize the integrity of your production systems and internal networks, many of which capitalize on users’ unfamiliarity with common exploitation tactics. This accounts for why most security experts emphasize IT compliance, as a single data breach can lead to significant monetary and reputational losses.
Is it a Policy, a Standard, or a Guideline?
To increase shared knowledge, the following definitions outline how these terms support your information security program. Effective security policies make frequent references to standards and guidelines that exist within an organization.
A policy is typically a document that outlines specific requirements or rules that must be met. In the information/network security realm, policies are usually point-specific, covering a single area.
A standard is a formalized document that outlines rules or a collection of system-specific or procedure-specific requirements that must be met by everyone. People must follow the standard exactly if they wish to support the policies it implements.
A guideline is typically a collection of system-specific or procedure-specific suggestions for best practice. Guidelines are not requirements to be met, but they are strongly recommended.
A protocol is the set of rules, agreed between two or more parties, under which a procedure is carried out.
A procedure enumerates lower-level processes and provides the steps your employees need to take to adhere to your policies or complete a process.
A process is a series of actions or steps taken in order to achieve a particular end.
As your business scales and your information security program matures, the needs for general security, network security, server security, and application security will change.
We work alongside business and IT leadership to build a comprehensive information security program roadmap that outlines effective security management practices and controls that are specially tailored to manufacturing environments. Our team can help you anticipate gaps in your security program and develop clear standards for ensuring the integrity, availability and confidentiality of your company’s essential data.
Information Security Policy
Defines the requirement for business units, supported by the information security team, to develop and maintain a security response plan. Information security policies typically cover a large number of security controls. The primary information security policy is issued by the company to ensure that all employees who use information technology assets within the breadth of the organization, or its networks, comply with its stated rules and guidelines. This policy is designed for employees to recognize that there are rules that they will be held accountable to with regard to the sensitivity of the corporate information and IT assets.
Acceptable Use Policy
Defines acceptable use of equipment and computing services, and the appropriate employee security measures to protect the organization’s corporate resources and proprietary information. It is standard onboarding policy for new employees to read and sign it before being granted network access, but do they really understand the policy? It is recommended that organizations collaborate across IT, security, HR, and legal departments to decide what is included in this policy.
Password Policy
Defines the standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.
Incident Response Policy
A security incident is an event that leads to a violation of an organization’s security policies and puts sensitive data at risk of exposure. The incident response policy is an organized approach to how the company will manage an incident and remediate the impact to operations. The objective of this policy is to describe the process of handling an incident with respect to limiting the damage to business operations and customers and reducing recovery time and costs.
Email Policy
Defines the requirements for proper use of the company email system and makes users aware of what is considered acceptable and unacceptable use of the email system. Some policies also cover blogs, social media and chat technologies.
Pandemic Response Planning Policy
Defines the requirements for planning, preparation and performing exercises for pandemic disease outbreak over and above the normal business continuity and disaster recovery planning process.
Disaster Recovery Policy
Defines the requirement for a baseline disaster recovery plan to be developed and implemented by the company, describing the process to recover IT systems, applications and data from any type of disaster that causes a major outage. This plan includes input from both the cybersecurity and IT teams and will be developed as part of the larger business continuity plan.
Business Continuity Plan
The Business Continuity Plan (BCP) coordinates efforts across the organization and uses the disaster recovery plan to restore the hardware, applications and data deemed essential for business continuity. BCPs are unique to each manufacturer because they describe how the organization will operate in an emergency.
Creating an effective information security program
Successful security programs contain a variety of overlapping policies and procedures that ensure your company’s cybersecurity practices align with your business objectives and regulatory requirements. While manufacturers do not typically collect sensitive consumer or financial data, malicious actors can profit from exploiting vulnerable production hardware, networking tools and intellectual property. Some of the common methods for hacking manufacturers, in order of frequency, include:
URL redirector abuse (DNS redirects)
Abuse of functionality
Use of backdoor or Command and Control
Use of stolen credentials
How are these incidents and successful breaches occurring? By far the most common vector (70%+) is web applications, followed by backdoor or Command and Control, VPN, desktop sharing and desktop sharing software. The three top patterns reported in manufacturing breaches were web applications, privilege misuse and cyber espionage; together these three represented 71% of reported breaches. The threat actors for breaches were External (75%), Internal (30%), Multiple parties (6%) and Partner (1%).
While many of these security threats are external in nature, untrained and negligent employees also represent a potential entry point for would-be attackers. Integrating user awareness training and least-privilege controls into your security program can help offset the risk of accidental exposure, but protecting your critical infrastructure from exploitation requires careful planning. This is especially true for production environments that deploy a range of disparate technologies, as each piece of hardware will have its own security standards and controls. The only way to properly manage your attack surface is to create a written security program that documents every aspect of your protection strategy, from threat detection to disaster recovery.
We understand the challenges of automating and digitizing your operation and supply chain, as well as the complexities that can be difficult to address. We are committed to personalized guidance that puts your business needs first.
IT Management and Governance
In addition to employee-focused policies, it’s important to develop procedures and standards for managing your IT assets. The growing use of IoT technologies has created new challenges for manufacturers, as these devices often lack built-in cybersecurity features. Additionally, most IoT devices are shipped with default credentials, making them easy targets for cyber criminals. By building a customized security program, your company can uphold best practices for new hardware deployments and sensor integrations, such as developing strong passwords for authentication and streamlining your device management infrastructure.
Efficient IT administration combines several different domains of concern, including incident detection and response, security governance, compliance and risk management. The cybersecurity policies your company implements should incorporate these capabilities while also outlining the specific roles and responsibilities of your internal or external IT security team. Working with third-party service providers can leave you with limited visibility over your system and network security, which is where Certitude Security can help. We assess the exact parameters of your attack surface and evaluate the performance of your external IT provider to ensure the individual components of your information security program are maintained.
We will work with you to assemble effective security policies and controls, which support your production environment, reduce costly downtime, and bolster your network protection. Our team has years of experience co-developing security frameworks, policies, and controls that incorporate industry-specific certifications and regulatory requirements, so don’t hesitate to reach out with your concerns.