Cybersecurity continues to be a hot topic for manufacturers – and rightfully so! According to the State of Industrial Cybersecurity 2018 by Kaspersky, “Over three quarters of the companies surveyed state that it is very likely or at least quite likely to become a target of a cybersecurity attack in the operational technology and industrial cybersecurity space. Despite this, only 23% are compliant with minimal mandatory industry or government guidance and regulations around cybersecurity of industrial control systems.”
For companies in the Defense supply chain, the Federal Government has increased its emphasis on addressing threats to the security of information. In December 2015, the U.S. Department of Defense (DOD) released a rule under the Defense Federal Acquisition Regulation Supplement (DFARS) that requires government contractors to implement the requirements of National Institute of Standards and Technology Special Publication (NIST SP) 800-171 by December 31, 2017. Organizations at every tier of the supply chain found themselves tasked with a new form of security compliance, focused on the handling and control of information in an area of their operations that had historically been taken for granted. While the initial level of attention given to this new requirement was, arguably, less than expected, we observed a marked increase in efforts to achieve compliance, or to develop a plan to achieve it, as the deadline approached.
The requirements of NIST SP 800-171 and its subsequent revisions are intended to protect the confidentiality of Controlled Unclassified Information (CUI) in non-federal organizations and at all levels of their supply chains. Failure to meet these requirements, including the development of a supporting System Security Plan (SSP) and Plan of Action and Milestones (POA&M), may result in the loss of supply contracts and in liability for the organization should CUI escape, whether internally or through its suppliers and service providers. Organizations doing business with the federal government should expect these types of requirements to increase over time, and it is good practice for all organizations, manufacturers included, to protect the information they are provided in the course of business.
“All it takes is one weak link in the security chain for hackers to access and corrupt a product feature, an entire supply chain or a critical piece of infrastructure. The stakes are too high in the manufacturing industry for complacency or inattention.”
-Shahryar Shaghaghi, Head of International BDO Cybersecurity
Cybersecurity, and the external threats commonly associated with it such as hacking, spyware, ransomware and malware, should be front-of-mind topics for all organizations. However, it is important to realize that traditional Cybersecurity is just ONE PIECE of an effective Information Security Program. An organization’s exposure to information vulnerabilities extends well beyond its networked systems. A risk-based, comprehensive Information Security Program includes:
- Privacy: Adequately protecting the information and identity of your employees, customers, suppliers and other resource providers. Ensuring that controls, systems and procedures are in place to restrict access to this information to those with a genuine need to know, and that procedures exist for archiving and purging excess, expired or unnecessary information.
- Physical Security: Protecting, isolating, limiting and monitoring access to information stores, access points and any interconnected devices. Securing data storage, access points and other means of physical access to unencrypted information.
- Contingency Planning & Disaster Recovery: Developing, testing and deploying the hardware, tools and processes needed to quickly and effectively recover information in the event of a catastrophe. The speed of recovery from an incident can be the difference between resuming operations and losing them.
- Operational Security: Protecting private business intentions, processes and media response channels. Limiting access to strategic and market-differentiating information. Developing a communications response plan to quickly and effectively address any potentially adverse information regarding the organization.
- Personnel Security: Implementing background checks for staff and service providers with access to information, as well as behavior monitoring to proactively detect exposure risks. The depth and comprehensiveness of these checks should be in proportion to the sensitivity and strategic importance of the information to be accessed. Implement the tools and procedures necessary to have confidence that those granted access to information are using it for the good of the organization and its stakeholders. Monitor activity at all levels, and implement triggers and warnings that fire when information flow or user behavior varies beyond normal expectations. Test all levels of the organization for vulnerabilities, including social engineering, to discover and address potential exposure points.
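The "triggers and warnings" under Personnel Security are usually implemented as a per-user baseline with a deviation threshold. The following is an added example, not code from IMEC or from the article; it uses constructed daily counts of CUI file reads per user (hypothetical users and numbers) and flags a day whose count exceeds the user's historical mean by more than a chosen number of standard deviations. The absolute floor is an assumption that handles the edge case of a user whose baseline is near zero, where any activity at all would otherwise trip a pure statistical threshold.

```python
"""Baseline-and-deviation trigger for unusual information flow per user.

Constructed example data: each list holds one user's daily count of CUI
file reads. The last entry is the day under evaluation; earlier entries
form that user's baseline. Users and numbers are hypothetical.
"""
import statistics

DAILY_READS = {
    # Steady 5-7 reads per day, then a 42-read day.
    "jdoe": [6, 5, 7, 6, 5, 6, 42],
    # Low, stable activity; nothing unusual on the last day.
    "asmith": [2, 3, 2, 3, 2, 3, 3],
    # No history at all, then 4 reads: mean and stdev are both zero,
    # so only the absolute floor keeps this from alarming.
    "newhire": [0, 0, 0, 0, 0, 0, 4],
}


def threshold_for(history, k=3.0, floor=5):
    """Return the alert threshold for one user.

    Statistical part: mean + k * population standard deviation of the
    user's history. Floor: an assumed minimum count (hypothetical value)
    so that a near-zero baseline does not alarm on trivial activity.
    """
    if not history:
        return float(floor)
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    return max(mean + k * stdev, float(floor))


def evaluate(daily_reads, k=3.0, floor=5):
    """Evaluate the last day for every user against that user's baseline.

    Returns {user: {"today": int, "threshold": float, "alert": bool}}.
    """
    results = {}
    for user, counts in daily_reads.items():
        history, today = counts[:-1], counts[-1]
        thr = threshold_for(history, k=k, floor=floor)
        results[user] = {
            "today": today,
            "threshold": round(thr, 3),
            "alert": today > thr,
        }
    return results


def alerts(daily_reads, k=3.0, floor=5):
    """Names of users whose last-day activity exceeded their threshold."""
    return sorted(u for u, r in evaluate(daily_reads, k=k, floor=floor).items() if r["alert"])


if __name__ == "__main__":
    for user, r in evaluate(DAILY_READS).items():
        status = "ALERT" if r["alert"] else "ok"
        print(f"{user:8s} today={r['today']:3d} threshold={r['threshold']:7.3f} {status}")
```

Run stand-alone it prints one line per user; only jdoe trips the trigger. The floor is the part practitioners most often omit: without it, a new hire with an all-zero baseline would alert on the first file they open, and the resulting noise trains reviewers to ignore the warnings the program depends on.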
Lacking any one piece diminishes the effectiveness of the other pieces of the overall security puzzle. Fortunately, manufacturers have a variety of continually maturing tools, templates, and documented best practices, along with the shared experiences of other organizations available to them to assist in their pursuit of comprehensive organizational security, starting with Cybersecurity.
The first step is to assess the effectiveness of one’s existing Cybersecurity protections and tools. Informed by this baseline, a planned and measured approach to remediating, closing and verifying each finding can then be undertaken. Ultimately, taking protective steps decreases the risk of exposure and reduces the time and resources spent responding to a security breach, should one occur.
Contact IMEC at info@imec.org or 888.806.4632 to learn more about existing self-assessments to get your company started.