Cybersecurity for Manufacturers - Where to Start

From phishing or fraud targeted to executives, to relatively common (but still very serious) ransomware attacks to complex supply-chain hacks like Solar Winds, or even dramatic Stuxnet type hacks (that targeted the SCADA controllers in Iranian PLCs controlling uranium enrichment centrifuges), manufacturers face serious and unique risks every day. That means you face challenges in automated production lines, robotics, storage systems, and across all the interconnections that link you to your supply chain and your distribution chain - that’s industry 4.0. It also means that the lines between Information Technology (IT) and Operational Technology (OT) are getting blurred.

Hackers are just looking for the best targets. They don’t care about internal differences between IT and OT. Manufacturers often have valuable IP, and in the case of ransomware, they know manufacturers can’t afford production shutdowns. So, If you are siloing your cybersecurity and not giving OT the same priority as IT, you are putting yourself at risk.

So, that sounds ominous, right? But the risks are very real, and not acknowledging them is no defense. The good news is that there are well-understood steps you can take to lower risks, maximize resilience and minimize impacts.

Stop. Think. Act.
In this post, we will focus on the first two things you need to do once you’ve realized your cybersecurity isn’t where it needs to be. You may think the first thing you need to do is call some vendors and buy some software. And while that is an essential part of the equation, it isn’t the first thing you should do. For most organizations, if you haven’t done so in the last year, the first two steps are to carry out an audit and, based on the results of that audit, create a prioritized action plan. And maybe one other thing we’ll mention directly below.

Take Stock - Carry Out a Security Audit
Before you start trying to find technologies or build a SOC or hire an MSSP provider, you need to understand your current security posture. A security audit (including a security risk analysis) is vital. You need to understand and document factors like company security policies, computer hardware, and software assets, cloud systems, and SAAS applications. You’ll also need an overview of what data you hold and how sensitive it is.

To get started, you’ll need to assemble an audit team conduct your audit. Then you’ll need to present it to decision-makers. If you don’t have the expertise in-house, you may need to find an outside consultant to help. We’ve developed a quick audit worksheet especially for manufacturers to help you get started. You can download it here.

Do
Make sure your audit includes IT, OT, and any other departments with a stake in cybersecurity (e.g., compliance).

Don’t
Silo your audits. You need to have a cohesive snapshot of your current security posture. This will be essential when it comes time to generating recommendations and creating a security plan.

Get a Game Plan Together - Create an Action Plan
Once your audit is complete, you can put together a prioritized action plan of initiatives you need to take to improve your security posture. You may think the next thing you need to do is buy some software. After all, your production lines are at risk. Your distribution network may be poorly protected. And your valuable trade secrets may be vulnerable. But hang on. There is another step yet. If years of real-world experience in cybersecurity has taught us one thing, it’s that you need a plan before you start investing in technology, cybersecurity staff, or services.

Prioritize
Remember this proven management dictum as you start your planning process: when everything is a priority, nothing is a priority. Your audit should identify your risk factors, define initiatives that will address those risk factors, and then prioritize those initiatives. Prioritization will allow you to build a realistic timeline once you get to the planning phase.

Your plan should cover the findings of your audit plus factors like new security technology requirements (for IT and OT), data management/governance, organizational cybersecurity awareness and good practices, and emergency response and recovery. Again, remember you need to take a holistic view of your planning process. Hackers don’t respect silos.

Go Fast. Fill in the Details Later.
You should target 2-3 weeks to develop your plan - longer, and you lose momentum. The planning process is time-sensitive, so factor that in. And if you need outside expertise, bring in a specialist to help you get your plan together. This may sound like a crazy timeline for something so important. But your initial action plan is like a roadmap. It guides your decision-making. As you implement your plan, you may deviate from your route as you get more information. But if you don’t have a map to guide you, how will you know what destination you are trying to get to.

Do
Create a realistic action plan that addresses your prioritized needs. Do it fast. Present it to leadership and secure your budget asap. Hackers won’t wait ‘till your next budget cycle.

Don’t
Wait until you’ve crossed every I and dotted every T. You can’t know everything or plan for every contingency. Your plan will evolve as you implement it.

Next Steps
Once you’ve developed your plan, the next steps are to protect your network, implement good security practices, and put in place strong data governance practices to minimize your risks. If you want some more context about these next steps and some help thinking about how to budget for all these requirements, you can download our Cybersecurity Priorities & Budget Worksheet.

Need Help? StreamScan is Here.
Whether you need help conducting a security audit, developing a security plan, or implementing a Managed Detection and Response solution, StreamScan has experts with years of experience in the manufacturing sector who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.