Experts on the Top InfoSec Considerations for Manufacturers
16 infosec pros and security experts discuss the top information security considerations for manufacturers today.
Manufacturers face unique information security challenges when it comes to the many facets of their operations. Important security considerations are often overlooked in the manufacturing industry, with much of the focus placed on optimizing operations and managing the supply chain.
To help manufacturing organizations determine what they should be paying the most attention to when it comes to information security, we reached out to a panel of InfoSec professionals and manufacturing experts and asked them to answer this question:
"What are the top information security considerations for manufacturers today?"
Meet Our Panel of InfoSec Pros and Manufacturing Experts:
Mr. Steven Solomon is a Technology Solutions Consultant at Arcutek with a technical focus in cybersecurity. Mr. Solomon is actively a guest speaker at information security forums and has multiple engineering certifications in this field.
"Manufacturers face security challenges similar to most organizations today..."
Having a multi-layered security strategy helps manufacturers reduce the risk of data breaches that result in the theft of intellectual property, customer information, business information, and/or other sensitive data. A holistic approach to securing manufacturing systems begins by adopting the requirements of the National Institute of Standards and Technology (NIST) Cyber Framework. Manufacturers need to identify and inventory their IT assets for better management and maintenance, and then protect those assets by prioritizing mission critical systems and implementing best-of-breed security products and services. Some protections may include access control, network security, endpoint security, data encryption, and event monitoring. Manufacturers will also need to detect systems that are compromised or vulnerable to exploitation and create a response plan that is process-oriented to reduce the recovery time of all affected assets across the organization. The best security plans are those that are iterative, process-oriented, and agile to a dynamic threat landscape where new attack vectors and techniques require manufacturers to stay alert at all times.
Jake Gibson is the Chief Security Officer/Chief Compliance Officer at LightEdge Solutions. With over 20 years in the information technology field, Jake has served in IT leadership positions across the healthcare, insurance, pharmaceutical, and food industries. At LightEdge, Jake focuses on developing, implementing, and supporting the strategic security vision while aligning with business objectives. This includes improving operational processes to meet their clients' ever-increasing regulatory requirements.
"As today’s technology environment continues to evolve at a rapid pace, two primary factors stand out as top concerns for the manufacturing industry..."
The first is the major boom in the Internet of Things (IoT). The IoT is the interconnection of all your computing devices, both at work and in everyday objects. TVs, refrigerators, door locks, vehicles, light bulbs, and even thermostats are now all connected to be controlled easily from anywhere. What was designed to simplify day-to-day life and make business operations more streamlined and efficient can actually expose you in a major way. The IoT creates a broader attack surface that makes it much easier for hackers to access your private information than ever before.
The second factor to keep top of mind is software updates. No software is perfect. There are open gaps hackers can take advantage of. Software must always be updated, in order to ensure privacy and security for your business and customers is constantly maintained. As holes are discovered, they should be patched immediately.
The logistics involved in keeping software patched can be a major undertaking in itself. Take auto manufacturers, for example. In order to update the software each time, buyers have to bring their vehicle into the shop. This makes the process very hard to control because of the dependency on a variety of individuals and their unique timelines. What about those devices whose software is so discreet, owners aren’t even aware they need updating? The majority of those with thermostats probably never consider that there is software running in the background that needs regular, ongoing updates. This leads to consumers opening themselves up to an array of attacks unwittingly.
The best way to combat these vulnerabilities is to continuously tap into 24x7x365 global threat intelligence and monitoring. This will help you anticipate and build proper safety measures into each of your products and services. You should also make sure all security and software updates are upheld, and never left defenseless. Information security is truly one area where you must stay proactive in your safeguards versus trying to resolve major issues after your critical information has already been accessed.
Paul Harris is the MD at Secarma, an international team of more than 55 cybersecurity consultants, operating out of 20 cities in 10 countries around the world. Secarma's ethical hackers work with businesses to eliminate security holes, ensuring digital assets are secure from cyber threats.
"There is a rush to market to get IoT products out very quickly..."
There are thousands of vendors all trying to enter the smart device marketplace and security is just not a consideration in that process.
Quite often these are small startups operating on seed funding, and they don't have the time or budget to consider security when they're getting products out into the marketplace.
It's clearly a huge concern for the security community. Devices are insecure, they have no process for updating software and they are shipped with default passwords which are available on the internet in manuals.
When our team at Secarma attack devices on behalf of our clients, one of the first things we do is download the manual and find the default password. Nine times out of ten that gets us in. These are clearly huge issues that manufacturers need to address.
There are a number of processes companies should go through. The following high-level tips should be at the front of your mind while developing your devices:
- Secure by Default - Ask yourself if configurations are secure out of the box, or if the user must do something to enable protection. As cybersecurity has evolved over the last decade, the strategy of securing out-of-the-box is preferred over relying on users. General tips would include disabling features until they are enabled and generating random per-device passwords, for example.
- Provide an Update Function - Even the best engineered solution will eventually have some functional or security bug that would require an update. To support this, design a robust update mechanism which protects users long term.
- Assume the source code is visible - Make sure there are no hard-coded secrets on the device which have a security impact for all devices. Attackers will have physical access to your products over many years. These are ideal conditions from which to reverse engineer. If you need hard-coded secrets, then design them to be unique for each device, so that finding the default admin password within firmware does not expose all other devices. Additionally, be aware that the source for any admin interfaces is equally exposed.
- Plan for Decommissioning - IoT products are consumer electronics in most cases. Give users an easy way to remove their data from the device so that they can sell it or dispose of it securely.
From a user point of view, it's about asking whether you really need this device connecting to the internet, whether that's a kettle or a light bulb. If the answer is yes, then search for security concerns and vulnerabilities on that device before you connect it to your network. Maybe even consider setting it up on a separate network.
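The "Secure by Default" and "Assume the source code is visible" tips above, as an added example (not code from the panel or from Secarma): a factory provisioning sketch in Python that gives each device its own random password and stores only a salted hash in the firmware record. The function names, record fields, serial numbers and the choice of PBKDF2 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/l/I) so the password
# printed on the device label can be typed reliably.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
PASSWORD_LEN = 16
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to the device CPU


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 from the standard library (an assumed choice).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(serial):
    """Return (label_password, firmware_record) for one device.

    The plaintext goes only on the device label. The firmware record
    holds a per-device salt and hash, so dumping one device's flash
    yields nothing that can be replayed against another device.
    """
    password = "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))
    salt = secrets.token_bytes(16)
    record = {
        "serial": serial,
        "salt": salt.hex(),
        "hash": _hash(password, salt).hex(),
    }
    return password, record


def verify_login(record, candidate):
    """Constant-time check of a login attempt against the stored record."""
    digest = _hash(candidate, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest.hex(), record["hash"])


def shared_credentials(records):
    """Factory QA check: serials whose salt or hash also appears on
    another device, which indicates a cloned image or a fixed default."""
    seen = {}
    dupes = set()
    for rec in records:
        for key in (("salt", rec["salt"]), ("hash", rec["hash"])):
            if key in seen:
                dupes.update({seen[key], rec["serial"]})
            else:
                seen[key] = rec["serial"]
    return sorted(dupes)


if __name__ == "__main__":
    # Constructed serial numbers for the demonstration.
    fleet = [provision_device(s) for s in ("SN-0001", "SN-0002", "SN-0003")]
    for password, record in fleet:
        print(record["serial"], "label password:", password)
    pw_first, _ = fleet[0]
    _, rec_second = fleet[1]
    print("first password opens second device:",
          verify_login(rec_second, pw_first))
    print("devices sharing credentials:",
          shared_credentials([rec for _, rec in fleet]))
```

Running `shared_credentials` over every record before a batch ships catches the case where a single golden image, default password included, was flashed to the whole run.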
Fred is an Amazon #1 Best Selling Author, technology-industry speaker, and leading consultant based in Central Pennsylvania. Pulling from his beginnings with IBM in their systems integration and training division, Fred has advised over 1100 companies on technology issues through his business InnoTek Computer Consulting.
"As IT Security Professionals, we know that there are many areas that need to be protected from an IT standpoint..."
Our manufacturing clients are most concerned about areas that affect production, cash flow, and sales. The following are the top concerns for manufacturers that we see every day:
Social Engineering Attacks/Phishing/Spear Phishing
The vast majority of network breaches are caused by some sort of human error or complacency and can lead to Ransomware, Bank Fraud, or some type of Data Breach.
According to Kaspersky Labs, ransomware attacks have increased 8x in the last year. A network that has been hit with ransomware can cause a manufacturing facility's entire network to be inoperable, and can halt production and lock crucial financial files, affecting payment collections and order processing.
43% of all attacks used some form of social engineering per Verizon Data Breach Investigations Report (DBIR). Social attacks can cause vital banking information to be leaked and allow unauthorized use/withdrawals from the business bank account. Even if banking information is not compromised, client and pricing lists can be exposed and misused.
Weak Network Security Leading to a Network Data Breach
DBIR reports that 62% of breaches were caused by outsiders hacking into a network and 51% of attacks included the deployment of some sort of malware. All of the IT managers that InnoTek consults with have some level of concern about the security that is deployed on their network, and network security makes up a significant portion of their responsibilities.
A hardware failure can affect all areas of a business, but typically will have the biggest impact when it is directly related to the production lines. A hardware failure can cause the production line to stop or create an inability to ship finished product, quickly filling valuable storage space.
As long as a business has a solid preventative maintenance program in place and is proactive with hardware replacements, this sort of interruption poses the least risk to a manufacturing facility.
Information Security Concerns from a Solutions Standpoint
To combat the concerns listed above, IT managers of manufacturing facilities should focus their efforts on:
- Multiple layers of network security
- Implementing a regular maintenance and update process
- Building a Business Continuity and Disaster Recovery plan
- Building a Security Mindset within the employees (probably the fastest growing concern in 2017)
Gregory is an IT Security Specialist with Single Point of Contact with over twenty years of network and security experience. He has worked with hundreds of firms on improving IT environments, consulting and integrating technology for the enterprise network.
"The top security consideration that manufacturers need to consider today is..."
Their lack of a security infrastructure for their operational technology environments. There has been a long tradition of powerful and strong security infrastructure with products and software for IT environments. That is not the case for operational technology environments. These OT networks are highly vulnerable to attack and do not have any kind of protection systems that IT environments have. Luckily a new host of startup companies are rising up to meet this need. Security monitoring of OT environments is now a possibility with these products and can be used to mitigate security risks. Manufacturers are always concentrating on keeping costs predictable. Having a predictable security cost needs to be implemented as well to close this gap.
Ian Khan helps organizations understand the impact of technology on business and how future trends shape our business decisions.
"The top three security considerations for manufacturers are..."
1. Nothing is 100% Secure - The idea of having 100% security is flawed. Today more and more data is stolen and compromised internally rather than from people outside an organization. Shadow IT costs organizations billions of dollars every year in lost productivity, unauthorized software, and security leaks that affect business. Create processes around IT policy within your business and remind end users of the challenges and threats to the business.
2. Invest in Security - As threats of intrusion increase, better and more robust security solutions justify their costs multifold when you think about the risks that are averted.
3. Prioritize What Needs to be Secured - One of the most important aspects within manufacturing is the ability to produce manufacturing plans. If the production line is not running, your business is not running. Take time to prioritize the most important aspects within your manufacturing business. Staying operationally sound with the maximum amount of up time is a key priority and should be followed by other aspects of the business. Time lost because of security breakdowns costs millions of dollars. It is key to create best practices around security and ensure that your manufacturing business embraces making security a priority.
Ian McClarty is the President of PhoenixNap, LLC based in Phoenix, AZ, with 20 years of experience in information technology and computer networking fields. He has a proven track record in relationship building, vendor management, network operations, colocation, and data center administration, along with project methodology and processes, both at strategic and tactical levels.
"The greatest challenge lies with the company and executive culture of the organization, both before and during an incident..."
At many companies, Information Security takes a back seat to the bottom line, day-to-day operational urgency, and adherence to regulatory requirements. Because of this, companies can be woefully unprepared when major issues arise. Staff is overwhelmed, and the response lacks coordination. Sometimes the complex systems or infrastructure aren’t fully understood by the Incident Response Team. Often, the responders lack clear "authority to operate" which can also slow or impede the effectiveness of the response.
The financial and reputational impacts of a breach are costly. Companies that merely check boxes instead of implementing a security culture will struggle. It is better to be a prepared organization that instills trust in leadership and its security team and implements security controls on top of compliance checkbox basics.
Todd Millecam is CEO of SWYM Systems, Inc., a private IT consulting, full solution engineering services company specializing in IT infrastructure, DevOps, and development.
"The most important consideration is..."
How will we deliver updates? Exploits will be found on any system, guaranteed. There is much we can do to minimize them, but the only way to keep your product and customers safe from exploits is to have a streamlined and non-obtrusive update delivery process. If your end-user has to press a button, or download a file and apply an update, then you've designed something that will be inherently insecure – unless it requires trained professionals to operate it in the first place. Make sure your update delivery mechanism addresses the needs of your customers.
After that, the other consideration is, how much testing has been done against our dependencies?
Parts fail, and frameworks have bugs. If a technology is mature and has been a target by a good number of professionals for a long time (like a relational database) then it's a safe bet from a design perspective. If it's an immature framework, then be in contact with the lead developers and make sure they understand your concerns.
Lastly, think of the possible attack vectors. Will malicious users have physical access, or network only? Is it behind a firewall, or on a VPN? Am I relying on an external system to keep my product safe from harm or does it have its own security measures? How would your engineers, who are most familiar with the product, get in? Is social engineering a concern?
Think of what an attacker would actually DO to get into your system, and then simulate it and test it. Don't let pride or ego interfere with a complete and thorough test. Let the security team or consultants actually break it and see how to make it better.
Security is a never-ending race between defender and attacker. Keep a steady pace, improve your security paradigm and process, and follow the long standing best-practices in the industry.
Srivats Ramaswami is the CTO at 42Q.
"Manufacturers deal with sensitive data each and every day..."
This includes test and quality data, warranty information, device history records, and especially the engineering specifications for a product that are highly confidential. Trusting that data to a cloud-based application, or cloud services provider, is a major step. Manufacturers need to fully educate themselves about the security risks and advantages of cloud-based software.
According to the recent Verizon DBIR, approximately 50 percent of all security incidents are caused by people inside an organization. Good user management and password security policies are the best way to prevent these types of attacks. This is the underlying purpose of application password protection.
The system must be architected to prevent as many types of external attacks as possible. Also, application providers must use internal personnel and external consultants to run frequent penetration testing. These tests look for common paths that attackers use to gain access to systems through the internet. The tests help ensure there are no doors left open for hackers. Be sure to ask about penetration testing, including both the frequency and the methodologies used.
Michael Fimin is the CEO and co-founder of Netwrix, a provider of a visibility and governance platform that enables control over changes, configurations, and access in hybrid cloud IT environments to protect data regardless of its location. Netwrix is based in Irvine, CA.
"Cyber-attacks that target manufacturing organizations have been growing and what is particularly scary about them is the amplitude of damage they can cause..."
They can lead to actual physical damages, disruption of supply chains, quality issues, and leakages of sensitive data, including intellectual property. Another aspect that makes cyber risk management so exhausting is the wide-spread use of mobile devices and the rise of Internet of Things (IoT) technologies. While they are beneficial for production efficiency, they also expand the potential attack surface.
The problem is that in the attempt to speed up their business processes, manufacturing organizations lag behind in the adoption of the necessary security practices:
- Many manufacturing organizations do not feel confident in their abilities to beat cyber risks. The industry seems to be characterized by a general lack of dedicated security personnel and lack of well-thought-out security strategies that include risk-management and information security governance.
- The main reasons for this state of things include insufficient budgeting, lack of time, complexity of IT infrastructures, and lack of visibility into user activity.
- Despite the fact that lack of visibility into user activity is one of the top obstacles to security, monitoring and analysis of user behavior is not something all manufacturing companies do. Many organizations consider their own employees as the main security threat.
Manufacturing organizations need to change their approach to security to withstand existing and new threats. They need to strive for more visibility into user activity and IT events to detect potentially harmful behavior and better understand processes and risks across the IT environment. In the near future, most of them should focus on data protection, including intellectual property, against fraud, breach, and theft.
Rhand Leal is one of the lead Advisera ISO experts and Information Security Analysts in charge of ISO 27001 compliance and other security standards. He has 10 years of experience in information security, and for the past 6 years he has continuously maintained a certification in Information Security Management Systems based on ISO 27001.
"The top consideration is the protection of intellectual property..."
Organizations invest a considerable amount of money in research and development to stay ahead of their competitors, and all this effort can be for nothing if, by means of an information breach, the developed knowledge falls into the wrong hands.
Other points manufacturers should consider are the increased connectivity between elements in industrial control systems and the Internet. Before, these systems were less susceptible to attacks because they were isolated stand-alone systems. This scenario is quickly evolving to fully integrated systems, and in many cases, they are being deployed with minimum security considerations, making production environments highly exposed to even less sophisticated attacks.
As co-founder of Vestige Digital Investigations and CTO, Greg leads Vestige’s Digital Forensic and E-Discovery services. Greg’s responsibilities include helping to determine strategic direction of the company, overseeing the day-to-day operations and internal Information Systems infrastructure, and personally handling some of Vestige’s engagements. He helps in performing as well as managing the digital forensic investigations and leads the Data Evidence Specialists and Forensic Analysts on the Vestige team. Greg has 20 years of experience working in the computer industry. His various positions and responsibilities included custom software design and implementation, network management and security, database programming, disaster recovery and end-user support.
"Manufacturers need to be on the lookout for what is termed as Business Email Compromise..."
In these attacks, hackers represent themselves as a vendor or client and request redirection of goods or payment to another location under control of the hacker. Sometimes the hacker will work both sides of a sale at once. It is more of a social engineering attack than what people consider a hack. Companies need to have good policies and controls in place that define the process by which redirection of services or payment is conducted. Employees need to be trained on that policy and checked to see that it is followed. That policy should include verification of the change by a method other than email.
On top of that, manufacturers need to be cognizant of information security issues such as insider theft of intellectual property. We've seen insiders steal information via taking of pictures of proprietary data displayed on a computer screen. Finally, as manufacturers tend to employ a larger workforce, there is always the threat of theft of employee personal information. This attack is common around tax season with malicious requests for W-2 information but can occur any time.
Trave Harmon is the CEO of Triton Technologies, which started in 2001 and has grown exponentially over the years. They have a variety of international and multilingual clients.
"The top security considerations for manufacturers are..."
- Securing your devices’ firmware from unauthorized changes, patching those changes regularly and meeting compliance with new military requirements for IoT devices.
- In manufacturing, theft of intellectual property is rampant. Make sure that you have a good firewall, good antivirus solution, and group policy objects that prevent copying of data from leaving the network.
- You need to constantly monitor your equipment to make sure that it is operating properly and on top of that, prevent any kind of intrusion from a third-party hostile competitor.
Abhijit Solanki is the Founder of Whiteboard Venture Partners, most recently the cybersecurity investment lead at NexStar Partners. He previously worked at McKinsey, Symantec, and VMware and is focused on helping entrepreneurs create, build and scale the next generation of enterprise companies.
"As technology's influence on manufacturing has increased, the scope of security problems has evolved from legacy use cases to emerging ones..."
I like to segment the considerations for manufacturers into 3 buckets:
Security of the manufacturing designs & processes:
- LEGACY: On-premise software and data need to be secured by controlled access.
- EMERGING: Use of 3rd party SaaS products and new 3D printing processes is resulting in the need for new security solutions to help preserve the efficacy of their design.
Security of the manufacturing facilities:
- LEGACY: Secure the perimeter with physical access solutions (key cards) and use limited network connectivity to manage devices.
- EMERGING: There is a need for security solutions that can support productivity improvements at manufacturing operations. This needs to happen in a complex network environment where employees demand BYOD flexibility while IT & Operational Technology converge at the manufacturing plants.
Security of the manufactured goods:
- LEGACY: Secure the packaging of the item with seals, and have a unique serial number (or RFID) to identify it across the supply chain.
- EMERGING: Given the advent of 3D printing, how can you identify counterfeits? Quality assurance (especially for sensitive goods) backed by guarantees needs new ways of fingerprinting authentic goods as they move within the supply chain.
Rodrigo Montagner is an Italian and Brazilian IT Executive with 20 years of experience in Cyber Security and Technology. He has managed multiple teams globally during the last 15 years.
"The top information security considerations for manufacturers today are based on the current challenge to keep most of the devices connected and at the same time guarantee a reasonable level of security..."
Here are a few considerations for manufacturing facilities:
- Segregate the industrial network from the rest. Even if it’s not fully physically segregated (an entire separate network), make sure you have a proper security measure (a firewall, for example) installed at each and every point of intersection/logical vulnerability;
- Segregate special industrial machines and users. Make sure you have all special computers, such as the ones directly connected to shop floor production machines, segregated from your corporate environment, or at least in separate user containers.
Make sure you keep all operating systems along with hardware updated and have good anti-virus protection.
Leia Kupris Shilobod
Leia Kupris Shilobod is the founder of InTech Solutions, Inc., a Pittsburgh Area IT Consulting Firm specializing in working with growing manufacturers and professional services firms who want same side of the table advice and integration for computers, networks, and IT security.
"While there are a lot of information security concerns for manufacturers, there are two I would consider top..."
The first is the fact that small and mid-sized manufacturers in particular are targets for hackers because they are easy prey. Hackers seek to compromise their networks and leverage the relationship they have with upstream, larger vendors and/or clients that are targets. Large companies with sensitive information and DoD/federal contracts use small- to mid-sized manufacturers frequently. These smaller manufacturers generally don't have the resources or the knowledge to know how much of a target they are or to protect themselves fully. Hackers aren't stupid and they are actively and easily embedding in these networks and using email and jump drives (among other things) to leverage into the larger companies (the ultimate target). The FBI has been continuously gathering data on this and confirms this strategy.
The second concern aligns with security and is also time sensitive. All manufacturers who have any federal/DoD information in their networks must comply with the NIST 800-171 digital security standards by the end of the year or lose their contracts. Most of these manufacturers I've talked to don't have internal IT and don't even know where to start.