Why Information Security is Vital to Manufacturing

AN ONGOING, GROWING THREAT

Ongoing attacks from cybercriminals pose an increased risk to every manufacturing organization. With Industry 4.0 and the significant growth of the Industrial Internet of Things (IIoT), cyberattacks have become nearly a daily occurrence.

NOT JUST THE FEW IN DARKENED ROOMS OR NATION-STATES

These attacks do not just affect the targeted enterprise, but their business partners, suppliers and customers.

In today’s hyperconnected world, it is no longer a supply chain, we are all in a digital supply web. Cybersecurity and information security used to be of interest to a few people in darkened server rooms or nation-states. Not anymore.

SOFTER TARGETS, LARGER PAYOUTS

Years ago, when the Stuxnet worm affected the Iranian nuclear program, many said: “Of course, rogue states and national actors will engage in this kind of activity – this is cyber warfare”.

Nation-actors remain quite active with their focus on high-value and highly visible targets.

Meanwhile, most people have ignored the wider implications of attacking industrial control systems, also known as Supervisory Control and Data Acquisition (SCADA) systems, the backbone of industrial operations.

Cybercriminals use the same tools and methods as nation-states, but focus on softer targets to ensure larger and faster payouts through paralyzing ransomware demands.

MANUFACTURING IS “CRITICAL INFRASTRUCTURE”

In many countries, several industries are considered so vital to national security that they are termed “critical infrastructure”, meaning there would be significant harm to the country and society if these industries were to be attacked.

The EU and US have identified manufacturing as part of the critical infrastructure and that the inherent nature of the sector’s global and digital supply chains poses a significant threat to security.

THE CASE IN THE US

While the US has no federal requirement covering the manufacturing industry, several regulations address an organization’s obligation to ensure cybersecurity and information security resilience.

As a result of several attacks on critical infrastructure in 2021, the US Cybersecurity and Infrastructure Agency (CISA) issued an Alert (AA21-287A) warning of cyber threats to water and wastewater systems.

In 2021, there were three instances in California, Maine and Nevada where critical infrastructure was the target of significant ransomware attacks.

COMMON INFILTRATION TECHNIQUES

As the Alert points out, in some cases, the entry point for an attack is a “spear-phishing” campaign aimed at luring an employee into opening an email with a payload that infects not just the user’s laptop/PC, but the wider network of connected devices. In other cases, the attack is via the cloud services most manufacturing companies use.

FOCUS ON YOUR SAAS

Think of all the Software as a Service (SaaS) your organization uses. They are targets for this type of cyberattack. For example, your organization’s calibration system might not be hosted on your servers but is on a server at the data center your calibration software provider does not even control. In the case of the calibration SaaS solution, four, five or even more (sub-) suppliers may be involved, and probably in different locations.

ENSURE RESISTANT AND RESILIENT SUPPLY CHAINS

In reality, these are all part of your supply chain. “Supply chain security” is not just a buzz phrase, it is imperative, and while you may think this relates to the challenges of getting parts from suppliers, it includes ensuring that your global supply chain is resistant and resilient to cyberattacks, to protect your information, your stakeholders and, ultimately, your organization.

Here are some information security-related areas that every manufacturing organization must consider:

• How are your intellectual property and that of your customers and other business partners protected?
• What would happen if the data/information under your control is manipulated (e.g. technical specifications are changed, such as order quantities)?
• What would happen to the safety of your employees if the safeguards (e.g. light curtains) around your automatic machines are disabled?
• What would happen if you program the products for your customers with incorrect (manipulated) firmware?
• How much of a potential target (or entry point to a target – e.g. your customers) are you for a nation-state?
• What would happen if your supply chain is cyber attacked? How long can your organization survive without critical parts or components?

Most manufacturing companies rely on a global supply chain (or, even, a supply web) yet supply chain risks are often “forgotten” or “ignored”. If any of the suppliers are affected by a cyberattack, the entire upstream customer base will be impacted.

CYBERSECURITY THROUGHOUT SUPPLY CHAINS

Traditionally, supplier evaluation focuses on financial and quality aspects, but in recent years, more industries recognize the importance of cybersecurity throughout the supply chain. For example, the US Department of Defense (DoD) initiated the Cybersecurity Maturity Model Certification (CMMC) program to ensure that all suppliers in the defense industrial base have a solid information hygiene system in place.

As another example, for several years, German car manufacturers have required their suppliers to be assessed to the Trusted Information Security Assessment Exchange (TISAX®).

Both CMMC and TISAX® require organizations to ensure that they protect their customers’ information to specific levels. While both have a specific industrial sector focus, they have a similar desired effect. CMMC and TISAX® (and many other industry-specific information security frameworks) can be easily mapped to ISO/IEC 27001.

SO, WHAT IS THE SOLUTION?

While there is no one-size-fits-all solution, let alone a silver bullet, organizations are required to do more to protect themselves and their business partners. The time when companies can play the innocent victim and blame bad actors is over. No one is accepting these excuses any longer.

In case of cybersecurity events or breaches exposing Personally Identifiable Information (PII), stiff penalties can be levied. Under the EU’s General Data Protection Regulation (GDPR), these penalties can be 4% of the organization’s annual global revenue. In the US, violating the California Consumer Privacy Act can cost an organization up to USD 7,500 per record exposed. Given that these types of breaches average around 25,000 records leaked, which can add up to more than USD 187 million, more and more organizations realize that their respective infrastructure needs protection as they are increasingly vulnerable to cyberattacks.

But what are these protections and how can an organization institute them? Security needs to be reviewed and managed based on a constantly changing threat landscape. This requires an understanding of the environment and context in which the organization operates, followed by a regularly updated risk assessment. These two crucial steps are also the basic requirements of a management system based on ISO/IEC 27001 – the internationally recognized standard for an Information Security Management System (ISMS).

To stay relevant, ISO standards are regularly reviewed and revised to address industry developments. For example, ISO/IEC 27002 now addresses issues often found in manufacturing and other sectors, such as “data masking”, “information security for the use of cloud services” and “web filtering”.

THE IMPORTANCE OF ISO/IEC 27001

ISO/IEC 27001 has been adopted by tens of thousands of organizations to ensure that they implement and follow globally recognized best practices and establish a solid governance system. There are multiple reasons why so many organizations have adopted and gained formal certification to ISO/IEC 27001:

• The standard is written so that it applies to all organizations – there are no specific industry or size requirements.
• The standard is technology agnostic – it does not matter what technology environment you have.
• Because it is a management system standard, it aligns well with other globally recognized standards like ISO/IEC 27701 (privacy management), ISO 22301 (business continuity), ISO 9001 (quality), ISO 14001 (environmental) and ISO 45001 (occupational health). This alignment allows companies to implement the requirements of several of these standards within their organization with minimal effort while benefiting from the synergy effects. There is also a very strong link between several of these standards, e.g. ISO/IEC 27002, which has specific controls addressing “ICT readiness for business continuity”, thereby linking it to ISO 22301.
• External and independent third-party certification assures interested parties that the organization has implemented a solid ISMS.

HOW WE CAN HELP

While some organizations are using ISO/IEC 27001 as a “guideline” to see what “good looks like” and implement best practices, the standard’s real benefits come from the fact that it can be used (and is mostly used) for the foundation for formal certification.

While implementing a management system without gaining formal certification is possible, this misses the point of demonstrating to external parties (clients, shareholders, suppliers and regulators, etc.) that the organization takes information security and information resilience very seriously.

In many industries, formal certification of an organization’s ISMS is a contractual requirement and, even if this is not a requirement today, it might be in the future. Whether it is a requirement now or in the future, formal certification assures your business partners and increases the organization’s trustworthiness, which is especially important when dealing with international business partners.

Manufacture better InfoSec, protect your vital information. Learn more here.