March 13, 2020//Tony Howlett
In our previous blog, we explained how cyberattacks are putting manufacturing systems at greater risk of data loss and malicious activity. Now let’s look at strategies companies can use to tighten up some of the security gaps that can leave manufacturing systems vulnerable to attack.
In the manufacturing industry, one of the biggest information security challenges is finding all your potential attack surfaces and the perimeters that defend those points. This is partly because the attack surface has grown exponentially in recent years, especially with the widespread adoption of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices across global manufacturing systems. And the idea of a single, hard network perimeter with castle-like defenses around all your assets has crumbled, much as castles themselves became obsolete with the invention of the cannon. Now, you may have many vendors and third parties inside your corporate firewall and as many employees coming from outside of it as from within. Before you can build an effective cybersecurity strategy that protects your assets, processes, and data from threats, you need to know what you are defending and what each element’s defenses are.
These days the idea of a single perimeter, the corporate firewall, is a myth. There are so many holes poked in the average firewall for VPNs, applications, and third parties that a single perimeter starts to look like a slice of Swiss cheese with plenty of holes for rats to crawl in through. And in the past, we could assume that anything within that castle wall was mostly safe; we only considered assets with internet-facing IP addresses to be the “perimeter”. However, with phishing emails designed to take over internal computers, many third parties operating inside the firewall, and employees doing much of their work on external, cloud SaaS services, you need to begin to think of your attack surface as anything of value that a hacker might want and defend it from the endpoint out, adding layers as you go. “Defense in Depth” is the only concept that will truly protect your data and critical assets in this perimeter-less age.
Once you know all your attack surfaces and perimeters, you need to know who is coming and going in your network and systems. Hackers and other bad actors are more likely to target overlooked vulnerability points, which is why you need to think holistically about who can gain access, through what means, and the valuable assets they can find there. Some of this information is easy to find. Active Directory users and groups will give you who your internal users are and what they have access to. Tracking down third parties is more difficult unless you have an integrated Vendor Management Platform. Other methods to track down these intermittent interlopers are network traffic analysis, interviews with application owners, general ledger searches for vendors being paid, and other Sherlock Holmes-like investigations.
Knowing who your external users are is only half the battle. You also need to know the data they are accessing, where it is located, and where it is flowing. In addition to the traditional flow from internal server to internal workstation, consider your third parties and remote workers accessing internal data stores, and internal users going out to access SaaS providers. Once you’ve done this, you have a true picture of all the data flows and ALL the users accessing the data, including the third parties. And at the end of the day, you may be shocked at the number of third-party users and the nature of the data they are accessing.
Consider everything: proprietary data, customer and employee information, supplier and vendor files, information about processes, and more. Identify the types of information kept on the network and how they are used to run production. There has also been a sea change in hacker behavior in the last few years, with attackers looking to encrypt or destroy key data stores and even disable or destroy operational equipment. In the worst-case scenario, they may be seeking to create an industrial accident that causes an injury or loss of life. This vicious new breed of hackers is highly sophisticated and is looking to inflict the maximum amount of pain on your manufacturing enterprise, either to extract large ransoms or to make political statements. Don’t let your facilities be the latest victims of their evil schemes.
In order to protect your data, you need to know where it resides. It may be on centralized file servers, on employees’ local hard drives, network share drives (often easily accessible by hackers with a low-level network credential), internal Wiki applications, or even on removable drives or USB media. Critical corporate data no longer just sits inside corporate-owned data centers. It may be on servers at rented colocation sites or stored on virtual infrastructure on a cloud provider like AWS, Azure or Google. SaaS providers muddy the waters further, as much valuable information can be stored on these services that are often not fully under the control of IT. Wherever it is, you need to protect it and control access to it as if it were under your corporate firewall umbrella.
Security is only as good as your weakest access point. In order to maintain a strong security posture, your least privilege access controls must be consistent and universally used across the company systems – including third-party access. This means you should know what type of access each employee has, including both on-site and remote access. Employees or third parties may be required to use multi-factor authentication or other controls to get administrative privileges on essential systems. Make sure you have robust onboarding and offboarding processes and apply least privilege, especially tightly with third parties. A system of role-based access control (RBAC) is always the best, rather than simple authentication levels like user and administrator.
Once you have granted users access at the right levels, you need to implement review processes for that access, with third-party access reviewed more frequently and more granularly than employee access. Ideally, every access session should be fully documented for third-party users. You should review employee and vendor accounts on a regular basis and be able to quickly and easily identify their privileges.
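The review described in the last two paragraphs, sketched as an added example (not from the original article): it checks a constructed account export for overdue reviews, administrators without multi-factor authentication, idle accounts, and vendors whose contract has ended. The column names, the 30/180-day review intervals, and the 45-day idle threshold are assumptions.

```python
import csv
import io
from datetime import date

# Assumed review cadences in days; the article only says third parties
# are reviewed more frequently than employees.
REVIEW_INTERVAL_DAYS = {"employee": 180, "third_party": 30}
STALE_LOGIN_DAYS = 45  # assumed threshold for an unused account

# Constructed sample export; the column names are hypothetical.
SAMPLE_INVENTORY = """account,type,role,mfa,last_review,last_login,contract_end
j.smith,employee,operator,yes,2020-01-10,2020-03-09,
plc-vendor-01,third_party,admin,no,2019-11-01,2020-03-01,2020-12-31
hvac-support,third_party,viewer,yes,2020-03-01,2019-10-15,2020-06-30
old-integrator,third_party,admin,yes,2020-02-25,2020-03-05,2020-01-31
a.jones,employee,admin,yes,2019-12-01,2020-03-12,
"""

def review_accounts(inventory_csv, today):
    """Return {account: [findings]} for every account that needs attention."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        issues = []
        # Third-party accounts get the shorter review interval.
        limit = REVIEW_INTERVAL_DAYS[row["type"]]
        age = (today - date.fromisoformat(row["last_review"])).days
        if age > limit:
            issues.append(f"review overdue ({age}d > {limit}d)")
        # Administrative privileges should require multi-factor authentication.
        if row["role"] == "admin" and row["mfa"] != "yes":
            issues.append("admin without MFA")
        # Idle accounts are candidates for removal.
        idle = (today - date.fromisoformat(row["last_login"])).days
        if idle > STALE_LOGIN_DAYS:
            issues.append(f"no login for {idle}d")
        # Offboarding gap: the vendor contract is over but the account remains.
        if row["contract_end"] and date.fromisoformat(row["contract_end"]) < today:
            issues.append("contract ended, account not offboarded")
        if issues:
            findings[row["account"]] = issues
    return findings

if __name__ == "__main__":
    results = review_accounts(SAMPLE_INVENTORY, date(2020, 3, 13))
    for account, issues in results.items():
        print(f"{account}: {'; '.join(issues)}")
```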
How do you really know if your security program protocols are working? Testing them is the only way to find out. While internal auditing and testing are great to do, with the threat landscape constantly changing, ensuring seamless network security across the global supply chain is a big task for any manufacturing company to handle alone. You should consider employing third-party companies to perform penetration tests of your industrial network to identify vulnerabilities you may have overlooked. They should review your practices and security positions for potential oversights and weaknesses. They can also perform “threat hunting”, a new discipline which can identify digital remnants of previous or ongoing compromises. Make sure that the companies you use are reputable and certified to do such work and the scope of work is defined very specifically and tightly so that it does not create operational or legal issues.
In today’s hyperconnected world, security is never “done.” Having repeatable, durable processes that withstand the test of time should be the goal of any security program. But they should not be set in stone; they should be regularly reviewed, updated, and changed as business requirements or external conditions require. These might include new regulations and novel attack vectors and methods. For example, the new privacy laws introduced by the EU and now California treat the ownership of personal data collected by companies fundamentally differently. This requires an adjustment in how you process and store such data. Make sure your security programs are always evolving and changing to deal with the current threat landscape.
In the meantime, to learn more about the risk of cyberattacks on manufacturing systems, download our infographic “The Top Remote Access Threats in Manufacturing.”