March 03, 2020 // Tony Howlett. Last Updated: November 19, 2020
Manufacturing facilities have historically dealt with their vendors (suppliers, business partners, contractors, etc.) on a manual or analog basis. In an industry built around making physical items, vendor relationships were handled in the same physical way: vendors regularly came to the plant site to deliver their goods or to do maintenance and support work.
However, with the modernization of many factory floors, Just in Time (JiT) inventory, automation and robotization, and other manufacturing advancements, many of these third parties now interact with their manufacturing customers through remote connections across the internet. Add to this the growing use of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices and the threat of intellectual property theft and ransomware from cyber criminals. The result is that the average manufacturer carries significant operational and compliance risk from third parties remotely accessing its production networks and systems.
Here are details on several of these risk factors and best practices that make up a robust third-party risk management program, crucial for any modern, successful manufacturing concern.
Just the sheer volume of external players operating on an enterprise’s internal systems should give any company pause. A study by Edge Research showed that the average-sized entity had 67 vendors and each of those vendors has multiple individuals that access an enterprise’s network. For larger companies, this could easily escalate into the hundreds or thousands of individuals who are not employees operating on internal networks and sensitive systems. Each one of these represents a target for a hacker and a vector straight into the heart of your manufacturing operations.
Whether it’s cyberterrorism, cyber extortion, or just plain IP theft, there are a lot of reasons for manufacturing companies to be targeted by hackers. State actors are looking for intellectual property or to cause disruptions in operations. Financially-oriented hackers are targeting manufacturing lines with ransomware and other malware because they know that such companies cannot afford the downtime of critical systems that affect production.
If an attacker can get into a manufacturing company's network via an insecure remote access path, they often find a treasure trove of exploitable systems. Older ICS and SCADA systems frequently run on archaic hardware and aging software platforms. Even modern systems, such as IoT and IIoT devices, are patched rarely, if at all. Embedded non-standard operating systems and the critical 24/7 nature of a manufacturing line make it hard to take such systems down to upgrade and patch them. Default passwords and minimally secured web interfaces are common, because they make maintenance easy for nontechnical line workers; that is music to an attacker's ear, since it means many vulnerable targets to choose from.
Do you know all the ways into your network? Is there wireless guest access? Are there uncataloged VPN tunnels terminating on vendor-managed devices? Once you have identified all of your possible perimeter access points, review the firewall rules and access control lists on those devices to make sure they carry no dormant rulesets or unnecessary open ports. You do not want "ALL to ALL" (any-to-any) rules on your perimeter defenses, and a rule whose hit counter has sat at zero since the last reset is a candidate for removal. On your internal networks, are you fully aware of every device on them? Ping scans and other discovery tools can help you map out ALL the devices connected and root out "rogue" IT infrastructure. Bear in mind that ICS gear and hardened hosts often ignore ICMP, so corroborate a ping sweep with the ARP tables of your gateways and the MAC tables of your switches rather than trusting it alone.
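The reconciliation described above, as an added example that is not code from the original article: a ping sweep and a gateway's neighbor table are diffed against the asset inventory, so a device that blocks ICMP but still answers ARP is not missed. The scan output, `ip neigh` output and inventory CSV are constructed samples; the hostnames and addresses are hypothetical.

```python
"""Diff discovery data (ping sweep plus ARP/neighbor table) against the asset
inventory to surface rogue devices. Added example, not the article's code;
all three inputs below are constructed samples."""
import csv
import io
import re

# Constructed sample in the shape of `nmap -sn -oG -` grepable output.
SCAN_OUTPUT = """\
# Nmap 7.80 scan initiated
Host: 10.10.5.10 (hmi-line1)\tStatus: Up
Host: 10.10.5.11 (plc-line1)\tStatus: Up
Host: 10.10.5.20 ()\tStatus: Up
Host: 10.10.5.77 ()\tStatus: Up
# Nmap done
"""

# Constructed sample in the shape of `ip neigh` on the OT gateway.
# 10.10.5.88 never answered the ping sweep but is clearly present on the wire;
# 10.10.5.99 is a FAILED entry (no hardware address) and is ignored.
NEIGH_OUTPUT = """\
10.10.5.10 dev ot0 lladdr 00:1c:06:aa:00:10 REACHABLE
10.10.5.77 dev ot0 lladdr 00:1c:06:aa:00:77 STALE
10.10.5.88 dev ot0 lladdr 00:1c:06:aa:00:88 REACHABLE
10.10.5.99 dev ot0  FAILED
"""

# Constructed asset inventory (hypothetical owners and roles).
INVENTORY_CSV = """\
ip,hostname,owner,role
10.10.5.10,hmi-line1,OT engineering,HMI
10.10.5.11,plc-line1,OT engineering,PLC
10.10.5.20,jump-vendor,IT security,vendor jump host
10.10.5.30,historian,OT engineering,historian
"""

HOST_RE = re.compile(r"^Host:\s+(\d+\.\d+\.\d+\.\d+)\s+\(([^)]*)\)\s+Status:\s+(\w+)")
NEIGH_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+(\w+)$")


def parse_scan(text):
    """Return {ip: hostname} for every host the sweep reported as Up."""
    up = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m and m.group(3) == "Up":
            up[m.group(1)] = m.group(2)
    return up


def parse_neigh(text):
    """Return {ip: mac} from `ip neigh`; entries without lladdr (FAILED/INCOMPLETE) are skipped."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m.group(1)] = m.group(2)
    return seen


def parse_inventory(text):
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(scan_text, neigh_text, inventory_text):
    """rogue: on the network but not in inventory (from either source);
    silent: in inventory but seen by neither source, so possibly moved or decommissioned."""
    live = set(parse_scan(scan_text)) | set(parse_neigh(neigh_text))
    known = parse_inventory(inventory_text)
    return {
        "rogue": sorted(ip for ip in live if ip not in known),
        "silent": sorted(ip for ip in known if ip not in live),
    }


if __name__ == "__main__":
    for kind, ips in reconcile(SCAN_OUTPUT, NEIGH_OUTPUT, INVENTORY_CSV).items():
        print(kind, ips)
```

Run against real data, the scan would come from `nmap -sn -oG - <subnet>` and the neighbor table from `ip neigh` on each OT gateway; every address in the `rogue` list needs an owner found or the port shut, and every `silent` entry needs the inventory corrected.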
Before you can defend your networks from vendors and third parties, you have to know who is accessing them. A recent study showed that only a third of companies know the number of vendors accessing their systems. Interviews with managers and staff, A/P reports from the general ledger, and network monitoring software can help give you a full picture of all the vendors accessing your systems. Don't forget SaaS services, which might not show up in any of those places since they are often charged to credit cards and expensed. And this is not a one-and-done proposition: updating your vendor inventory needs to happen on a regular basis, at minimum once per year and more often if your vendor count is large.
Don't give broad-spectrum VPN access to a vendor who only needs to reach a few machines; that is a recipe for trouble. Even if the rep isn't a bad actor, they can make mistakes, work on systems they are not supposed to touch, or reboot servers in the wrong network. And if their account is compromised, it can be used to scan the network for vulnerable devices. Use Privileged Access Management (PAM) or Vendor Privileged Access Management (VPAM) solutions to vault administrator credentials and inject them into sessions so that the vendor never sees the password; a credential the rep never holds cannot be written down, reused on another site, or phished from them. Observe the principle of least privilege with vendor reps, giving them rights only to the resources they need to do their job and nothing more. For example, if a vendor's support rep only needs to reach a web interface on their device, write the rules so that that single IP and port are the only things they can reach, and check the rules you actually have against the access that was approved.
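An added example covering both the perimeter rule review above (any-to-any and dormant rules) and the least-privilege point here, not code from the original article: the rule listing is parsed, broad and never-hit rules are flagged, and each rule sourced from a vendor's VPN address is checked against the destinations and ports that vendor was approved for. The listing is a constructed sample in the shape of `iptables -nvL FORWARD`, and the approvals table, interface names and addresses are hypothetical.

```python
"""Audit a perimeter rule listing for any-to-any rules, dormant rules and
vendor rules that reach beyond what was approved. Added example, not the
article's code; the listing and approvals below are constructed."""
import ipaddress
import re

# Constructed sample. Columns follow `iptables -nvL`:
# pkts bytes target prot opt in out source destination [match options]
LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 8812 1204K ACCEPT     all  --  vpn0   *       0.0.0.0/0            0.0.0.0/0
  412   31K ACCEPT     tcp  --  vpn0   ot0     172.16.9.5           10.10.5.20           tcp dpt:443
    0     0 ACCEPT     tcp  --  vpn0   ot0     172.16.9.5           10.10.5.11           tcp dpt:102
   57  6120 ACCEPT     tcp  --  vpn0   ot0     172.16.9.6           10.10.5.0/24         tcp dpt:22
"""

# Hypothetical approvals: each vendor rep's VPN address -> {(destination, port)} they may reach.
APPROVALS = {
    "172.16.9.5": {("10.10.5.20", 443)},  # vendor A: HMI web interface via the jump host only
    "172.16.9.6": {("10.10.5.20", 22)},   # vendor B: SSH to the jump host only
}

DPT_RE = re.compile(r"dpt:(\d+)")


def _count(token):
    """iptables abbreviates large counters (31K, 2M, 1G, roughly decimal)."""
    scale = {"K": 1_000, "M": 1_000_000, "G": 1_000_000_000}
    if token[-1] in scale:
        return int(float(token[:-1]) * scale[token[-1]])
    return int(token)


def parse_listing(text):
    """Return one dict per rule line; chain header and column header are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 9)
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        m = DPT_RE.search(parts[9] if len(parts) > 9 else "")
        rules.append({
            "pkts": _count(parts[0]), "target": parts[2], "proto": parts[3],
            "in": parts[5], "out": parts[6],
            "src": ipaddress.ip_network(parts[7]), "dst": ipaddress.ip_network(parts[8]),
            "port": int(m.group(1)) if m else None, "line": line.strip(),
        })
    return rules


def in_scope(dst, port, allowed):
    """True when the rule's destination lies inside an approved destination on the same port."""
    return any(dst.subnet_of(ipaddress.ip_network(a_dst)) and port == a_port
               for a_dst, a_port in allowed)


def audit(text, approvals):
    """Return (finding, rule line) pairs: any-to-any, dormant, beyond-approval."""
    findings = []
    for r in parse_listing(text):
        if r["target"] != "ACCEPT":
            continue
        if r["src"].prefixlen == 0 and r["dst"].prefixlen == 0:
            findings.append(("any-to-any", r["line"]))
        if r["pkts"] == 0:  # never matched since counters were last reset
            findings.append(("dormant", r["line"]))
        vendor = str(r["src"].network_address) if r["src"].prefixlen == 32 else None
        if vendor in approvals and not in_scope(r["dst"], r["port"], approvals[vendor]):
            findings.append(("beyond-approval", r["line"]))
    return findings


def least_privilege_rules(vendor_ip, allowed, in_if="vpn0", out_if="ot0"):
    """Emit the narrow iptables rules that would replace a broad vendor rule."""
    return [f"-A FORWARD -i {in_if} -o {out_if} -s {vendor_ip} -d {dst} -p tcp --dport {port} -j ACCEPT"
            for dst, port in sorted(allowed)]


if __name__ == "__main__":
    for kind, line in audit(LISTING, APPROVALS):
        print(f"{kind:16} {line}")
    print("\n".join(least_privilege_rules("172.16.9.6", APPROVALS["172.16.9.6"])))
```

The first rule is the "ALL to ALL" pattern the text warns about, and with `vpn0` as its inbound interface it hands every VPN client the whole plant; the zero-counter rule is the dormant one; the last two rules exceed what was approved, one by destination host and one by a /24 that is far wider than the single jump host. Counters only mean something relative to when they were last zeroed, so record that date alongside the audit.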
When it comes to networks, one of the best protections for a manufacturing facility is to segregate your network, especially the segments carrying SCADA and ICS devices and services. General network users should never be able to reach these areas. If possible, "air gap" these networks from your main IT infrastructure. This keeps bad actors from leapfrogging from easily compromised desktop systems into more complicated and critical manufacturing systems. In practice, remote vendor support means some conduit into the control network has to exist; route it through a hardened jump host in a DMZ between the IT and OT zones, with the firewall permitting only that host to reach the specific controllers the vendor supports, rather than opening holes from the VPN straight into the control network.
Keep detailed logs on third-party access, even more so than for internal staff. The more granular you can get, the better. Go beyond username and access times: you will want the context around every session (reason, approver, ticket number) as well as what the rep did while in the system. Use technology such as VPAM that can keep keystroke logs or video captures of sessions so you know exactly what they were up to. Keeping detailed logs is great, but if no one looks at them they won't do you much good. Set a regular review schedule, and check each session against its ticket (right vendor, right target, inside the approved window) so that you catch problems before they become incidents.
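The review described above as an added example, not code from the original article or from any VPAM product: each recorded vendor session is checked against its change ticket (vendor, target and approved window), for a missing ticket or approver, for excessive length, and for disruptive commands. The session records and ticket table are constructed samples in a hypothetical JSON-lines layout; a real VPAM export would need its own field mapping.

```python
"""Review vendor remote-access session records against their approvals.
Added example, not the article's code; the sessions, ticket table and
thresholds below are constructed and hypothetical."""
import json
from datetime import datetime, timedelta, timezone

# Constructed session records (hypothetical format: one JSON object per line).
SESSIONS = """\
{"start": "2020-11-18T09:02:00Z", "end": "2020-11-18T09:40:00Z", "vendor": "acme-robotics", "user": "jdoe", "ticket": "CHG-4411", "approver": "ot.manager", "target": "10.10.5.20", "commands": ["tail -n 200 /var/log/hmi.log"]}
{"start": "2020-11-18T10:10:00Z", "end": "2020-11-18T10:25:00Z", "vendor": "acme-robotics", "user": "jdoe", "ticket": "", "approver": "", "target": "10.10.5.20", "commands": ["ls /opt/hmi"]}
{"start": "2020-11-18T10:30:00Z", "end": "2020-11-18T11:00:00Z", "vendor": "acme-robotics", "user": "jdoe", "ticket": "CHG-4411", "approver": "ot.manager", "target": "10.10.5.11", "commands": ["plc-tool dump"]}
{"start": "2020-11-18T22:15:00Z", "end": "2020-11-19T03:50:00Z", "vendor": "acme-robotics", "user": "asmith", "ticket": "CHG-4411", "approver": "ot.manager", "target": "10.10.5.20", "commands": ["systemctl restart hmi", "reboot"]}
{"start": "2020-11-18T11:05:00Z", "end": "2020-11-18T11:20:00Z", "vendor": "conveyor-co", "user": "bwong", "ticket": "CHG-4411", "approver": "ot.manager", "target": "10.10.5.20", "commands": ["uptime"]}
"""

# Constructed change tickets: who was approved, for which targets, and when.
TICKETS = {
    "CHG-4411": {
        "vendor": "acme-robotics",
        "targets": {"10.10.5.20"},
        "window": ("2020-11-18T08:00:00Z", "2020-11-18T12:00:00Z"),
    },
}

# Hypothetical review thresholds.
DISRUPTIVE = ("reboot", "shutdown", "poweroff", "systemctl restart", "systemctl stop")
MAX_SESSION = timedelta(hours=4)


def ts(s):
    """Parse the Z-suffixed UTC timestamps used in the records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_session(s, tickets):
    """Return the list of findings for one session (empty when it is clean)."""
    findings = []
    start, end = ts(s["start"]), ts(s["end"])
    if not s.get("ticket") or not s.get("approver"):
        findings.append("no-ticket-or-approver")
    else:
        t = tickets.get(s["ticket"])
        if t is None:
            findings.append("unknown-ticket")
        else:
            if t["vendor"] != s["vendor"]:
                findings.append("ticket-vendor-mismatch")
            if s["target"] not in t["targets"]:
                findings.append("target-not-in-ticket")
            w_start, w_end = ts(t["window"][0]), ts(t["window"][1])
            if start < w_start or end > w_end:
                findings.append("outside-window")
    if end - start > MAX_SESSION:
        findings.append("long-session")
    if any(c.startswith(DISRUPTIVE) for c in s.get("commands", [])):
        findings.append("disruptive-command")
    return findings


def review(log_text, tickets):
    """Return (user, start, findings) for every session that needs a human look."""
    report = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s = json.loads(line)
        findings = review_session(s, tickets)
        if findings:
            report.append((s["user"], s["start"], findings))
    return report


if __name__ == "__main__":
    for user, start, findings in review(SESSIONS, TICKETS):
        print(user, start, ", ".join(findings))
```

Only the first session passes cleanly; the others show the four patterns worth a standing review item: access with no ticket behind it, a ticket reused for a target it never covered, work done outside the approved window that also restarted and rebooted the host, and a ticket borrowed by a different vendor. A disruptive command inside an approved window is still worth a glance, which is why that check runs independently of the ticket checks.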
We have talked about the novel risks facing manufacturers from cyberattacks in this always-connected, always-online world, and about how your vendors and suppliers can be a conduit for bad actors to compromise your manufacturing operation and cause a lot of chaos. By following best practices for third-party risk management and implementing technical controls such as PAM and VPAM, you can keep your manufacturing operations online and safe from attackers. To learn more about the risks, download our infographic, which maps out the scope of threats and helps you identify key vulnerabilities.