The following article was submitted by Kevin Bong to IndustryWeek on Aug 29, 2018. It has not been modified.
Criminal attention has turned from stealing personal information to ransomware and electronic payment fraud.
Many manufacturers are low-hanging fruit for hackers today. How did we get to this point?
Cybercriminals historically focused on stealing credit card numbers and sensitive personal information like Social Security numbers. As a result, healthcare, finance and retail organizations were the top priorities for hackers. Additionally, these targeted industries are subject to stringent information security regulations while manufacturing is not. For these reasons, it’s been easy for some manufacturing leaders to deprioritize security.
The threat environment is changing, however. Hackers now seek to monetize cybercrime through ransomware and electronic payment fraud, meaning they’re looking for companies with easy vulnerabilities to exploit. Unfortunately, many manufacturers fit this bill.
Sikich’s 2018 Manufacturing Report found that less than 20% of respondents said they are “very ready” to address cybersecurity risk, and 63% believe they are only “somewhat ready.”
And threats are growing. With the rise of the internet of things and robotics, advanced technology continues to expand throughout manufacturing operations, which can increase cybersecurity vulnerabilities.
So, the time for complacency is over. Manufacturers must work aggressively to improve information security preparedness. They must eventually put in place comprehensive security programs that include regular risk assessments, penetration testing and vulnerability scanning. But they can get started with six key initial steps to shore up vulnerabilities and ensure they’re no longer easy targets for hackers.
1. Strengthen passwords
For many people, strengthening passwords means including symbols and a mix of uppercase and lowercase letters. However, password complexity is less important than password length.
Sikich frequently performs penetration tests for manufacturers. During these tests, we seek to hack into a company’s IT system to identify vulnerabilities. In our experience, if a company uses eight-character passwords, we usually break in, no matter how complex the password requirements are. But if a company uses 16 characters, even with minimal complexity (e.g., letters with no symbols or numbers), we almost never break in. So, manufacturers should implement company-wide password policies that force employees to choose longer (ideally, 16-character) passwords instead of shorter, complex ones.
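To put numbers on the length-versus-complexity point above, the following added example (not part of the original article) compares the brute-force search space of an eight-character fully complex password with 16-character letters-only passwords, and shows a length-first policy check. It assumes uniformly random passwords and an illustrative guessing rate of 10^10 guesses per second; all function names are hypothetical.

```python
import math

# Assumed offline guessing rate (guesses per second). This is an illustrative
# figure chosen for the example, not a measurement from the article.
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes for the policies being compared.
LOWERCASE = 26
MIXED_CASE = 52
PRINTABLE_ASCII = 95  # letters, digits and symbols

def keyspace_bits(length, alphabet_size):
    """Bits of search space for a uniformly random password."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(length, alphabet_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate at the assumed guessing rate."""
    return alphabet_size ** length / rate / SECONDS_PER_YEAR

def meets_length_policy(password, min_length=16):
    """Length-first policy: require min_length characters, no class rules."""
    return len(password) >= min_length

def compare_policies():
    """Return {policy name: (bits of search space, years to exhaust)}."""
    policies = {
        "8 chars, full complexity": (8, PRINTABLE_ASCII),
        "16 chars, lowercase only": (16, LOWERCASE),
        "16 chars, mixed-case letters": (16, MIXED_CASE),
    }
    return {name: (round(keyspace_bits(n, a), 1), years_to_exhaust(n, a))
            for name, (n, a) in policies.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:30s} {bits:5.1f} bits  ~{years:.3g} years")
    # Constructed sample passwords, used only to exercise the policy check.
    for pw in ("Tr0ub4d&r", "correct horse battery staple"):
        print(repr(pw), "accepted" if meets_length_policy(pw) else "rejected")
```

These figures are upper bounds: passwords built from predictable words or patterns fall to dictionary attacks far sooner than exhaustive search suggests.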
2. Improve controls over remote access
Remote access to an IT system is an essential element of modern business. By providing employees access to key systems and documents from any location, remote access facilitates productivity and collaboration. However, it also provides more entry points into a network. To ensure remote access doesn’t turn into a cybersecurity liability, companies must use dual-step authentication. With dual-step authentication for remote access, a hacker who steals or guesses an individual’s network password can’t use the password to breach the network perimeter.
Additionally, companies should strictly control remote access for vendors and carefully vet vendors’ security practices. Manufacturers must ensure vendors adequately test for security vulnerabilities and follow strong security practices, such as using unique passwords when they access different customers’ systems.
3. Pay attention to default settings
When a manufacturer installs new IT systems, it should thoroughly review the default settings on the machines. In some cases, these default settings can open back doors into a company’s IT system for cybercriminals. With Windows operating systems, for example, default settings are in place to ensure that newer machines can interact seamlessly with older versions of Windows. While these settings may facilitate more operational efficiency, they introduce vulnerabilities into the IT system. The company would be much better off replacing old versions of Windows entirely and turning off these easily exploitable legacy settings.
In addition to reviewing default settings when it adds or updates software, a company should also perform quarterly vulnerability scans to identify other potential weaknesses in system configurations.
4. Manage patches
Many manufacturers use off-the-shelf third-party applications for online shopping or blog sections of their websites. There’s no inherent problem with this. However, management of these applications requires vigilance. These third-party applications release patches, but they don’t update automatically. A manufacturer must log into the websites for its third-party applications on a regular basis to download and activate any patches. While these updates require some extra effort from a manufacturer’s technology team, they are crucial to ensuring a consistent high level of security.
5. Filter traffic
Manufacturers should closely monitor traffic on their networks and have protocols in place to block malicious traffic. These efforts can stop many breaches in their tracks. Almost every breach includes some sort of malware command-and-control channel. In other words, when malware infects a machine, it communicates back to the hacker for instructions on what to infect and exploit. A strong internet filter will recognize the difference between normal traffic and this command-and-control traffic and effectively trap viruses, limiting their damage. Further, with strong filters in place, an IT team can quickly identify and clean the affected machine.
6. Improve employee vigilance
As hackers increasingly target users of IT systems, employees across a manufacturing operation are on the front lines of cybersecurity threats. So, one of the most important things companies can do is educate employees on how to recognize and handle suspicious emails. Third-party security experts can carry out a practice phishing campaign in which employees receive fake phishing emails to test their vigilance and awareness. Testers can then share the results with management and highlight areas that need improvement.
Prepare for the worst
Despite a company’s best preventative efforts, breaches can still happen. Therefore, manufacturers need to develop a comprehensive post-breach incident response plan. If a breach happens, time is of the essence. So, a manufacturer should plan how it will put its security team into action and what outside resources it will tap. Additionally, the company needs a thorough communications plan that details how it will explain the incident to customers and respond to any media inquiries. It should also have access to a lawyer who can advise on all necessary reporting regulations.
From a technical standpoint, a company should ensure its servers and workstations log all important events and store at least six months of data. In the event of a breach, logs help forensics investigators determine how and when a virus infiltrated a system and what data was stolen.
Commit to a comprehensive cybersecurity overhaul
Overlooking even a couple of these keys to success can be damaging for manufacturers. For example, a company may have advanced antivirus software and regularly update patches. However, if it doesn’t have strong filtering, and an employee clicks on a phishing link, a virus can infiltrate its network and wreak havoc.
That’s why manufacturers need to execute a comprehensive cybersecurity overhaul. With concerted action today, manufacturers can shore up vulnerabilities and protect their operations from disruption.
Kevin Bong is a senior manager for penetration testing in professional services firm Sikich’s security and compliance practice.