Manufacturers are ripe targets for hackers. According to a report from IBM Security, manufacturing became the second-most-attacked industry in 2015, behind health care.
Manufacturers, with their treasure trove of intellectual property and sensitive information, tend to run a lot of legacy software applications longer than other industries, and that older software has less up-to-date security features, speculated Derek Ochs, director of software development for Macola Software, Dublin, Ohio. Macola develops enterprise resource planning and other business software for small and medium-size manufacturing and distribution companies.
He added that manufacturers are typically more focused on the production occurring on the plant floor than the computer systems running the data behind the scenes. However, the scenario is changing as they integrate more software and networked manufacturing technology into their operations and gain additional insight into their businesses. “As that becomes more prevalent,” Ochs said, “you’re going to see manufacturers become much more aware of their vulnerabilities.”
To minimize their risk of being hacked, Ochs recommends a number of areas to focus on. One is ensuring that an organization’s software and network equipment are patched with the latest security updates. That process begins with inventorying the various companywide components.
“A lot of organizations, depending on their size and how ‘siloed’ they are, may not know all the different applications, different operating systems, different pieces of network equipment that are running,” Ochs said. “They need to figure that out.”
A large majority of updates issued for operating systems, such as Windows, are security-related, he noted.
Another area to concentrate on when reducing security vulnerability is email. Ochs said preventing social engineering attacks can be a challenge because they take advantage of human nature and people’s propensity to help others when asked, such as when the request comes from someone masquerading as an authority figure.
“The way to stop social engineering attacks is really by educating employees,” he said. “Talk to everybody in your organization, from the night watchman to the executive level, to make sure they all understand how these attacks work.”
In addition, it’s important that manufacturers develop policies about what equipment, such as laptops, employees can take from the workplace to use at home or elsewhere, Ochs emphasized. “You never want an employee to lose a laptop because their car got broken into.”
Ideally, sensitive data isn’t on a stolen computer, he added, but if it is, that data is protected. “With data, you’re typically talking about some type of encryption.”
Ochs said cybersecurity should be modeled like a castle, which has multiple walls to serve as layers of protection. Correctly set up firewalls function as the outermost layer, and physical elements, such as card keys, are further inside. Also, it’s critical to know how many people, including vendors and utility personnel, have access to a facility and what software and hardware they can interact with while there.
“You have to look at an all-encompassing security model if you really want to do the right thing,” he said. “You want to look at all those different layers of security.”