Manufacturing Supply Chain Insights
- Manufacturing is the No. 1 industry for data loss from cyberattacks and the No. 2 industry by cyberattack volume.
- Many small and midsized manufacturers assume their limited profile shields them from being targeted in cyberattacks; the opposite is often true, because the supply chain makes them a path into larger companies.
- If you don’t know where to get started with cybersecurity, try leveraging an organizational cybersecurity framework as a starting point.
Given the interconnectedness of global manufacturing, cybersecurity can be a massive challenge. Companies are only as strong as the weakest link in their supply chain, and many small and medium-sized manufacturers don’t even have their own information technology (IT) departments. As organizations digitize and become more interconnected, they must be constantly vigilant with not only their own security practices but also with those of their suppliers.
The International Manufacturing Trade Show (IMTS) was held from Sept. 12-17, 2022, at McCormick Place in Chicago. While the majority of the sessions centered around digital and traditional manufacturing – from 3D printing to drilling and grinding – there was an element of cybersecurity on the show floor, as well. On Monday, Sept. 12, Laura Elan, senior director of cybersecurity with MxD, spoke at a breakout session on Protecting the Digital Manufacturing Supply Chain While Promoting Innovation.
MxD works heavily with the Department of Defense (DoD) and nearly 300 industry and academic partners to develop and implement digital capabilities into the U.S. defense industrial base and supply chain. As part of their efforts, MxD has launched the National Center for Cybersecurity in Manufacturing to help secure the factory environment, especially for small and medium-sized manufacturers.
Why do cyber criminals target the manufacturing supply chain?
According to Elan, manufacturing is the No. 1 industry for data loss from cyberattacks and the No. 2 industry by cyberattack volume. In addition, 35% of all cyber espionage attacks in the U.S. are targeted at the manufacturing sector. There are 244,098 U.S.-based manufacturing firms, and almost 194,000 of those qualify as small or midsize companies.
While many of these smaller companies assume their limited profile shields them from being targeted in cyberattacks, the opposite is often true. Cyber-crime is a big business. In 2018, the cyber-crime business was estimated to be worth $1.5 trillion, according to a study commissioned by Bromium. Threat actors understand that they can access prime companies by finding the weak links in their supply chain – often small and midsized companies that are lacking in proper cybersecurity hygiene.
To safeguard sensitive national security information, the DoD recently launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. But according to Elan, this threat is real and persistent and deserves attention even without a compliance requirement. These supply chain risks are a critical source of vulnerabilities for industrial companies. Attacks that reach industrial control systems are also especially dangerous: unlike an attack confined to IT systems, they can cause physical damage and human injury.
Elan said there are several challenges manufacturers face when trying to protect their systems:
- How do we scale without blowing the budget?
- How do we manage all of the tools and technology?
- Where do we find skills and talent?
- Where do we start?
- What standard should we use?
The cybersecurity framework debate
If you don’t know where to get started, Elan suggests leveraging an organizational cybersecurity framework as a starting point. As for which framework to choose – NIST, ISACA, ISO – Elan said there is quite a bit of overlap between them. The important thing is getting started. “Pick a framework and go,” she said. Some points to help companies get started:
- Inventory: Know what assets you have and where your valuables are.
- Assess: Know where you might be vulnerable.
- Write/Train: Develop procedures and rules.
- Build a Wall: Protect your perimeter network.
- Lock the Doors: Protect all your endpoints.
- Watch for Intruders: Monitor the threats.
- Make a Plan: Incident response action plans.
- Insurance: Be ready to recover in case of attack.
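The first two steps above, Inventory and Assess, are where most small shops stall, because the asset list lives in a spreadsheet that nobody reconciles with what is actually on the plant network. The script below is an added illustration written for this article, not tooling from MxD, NIST or any vendor: it compares a constructed asset register against constructed observations of hosts seen on the wire, flags devices nobody owns, and ranks registered assets by a few assumed risk rules that weight control-system (OT) assets more heavily. The asset fields, zone names and scoring weights are assumptions chosen for the example.

```python
"""Inventory/Assess illustration: reconcile an asset register with hosts seen on
the network and rank registered assets by simple risk rules.
Example code added to this article; data and rules are constructed assumptions."""

from dataclasses import dataclass


@dataclass
class Asset:
    ip: str
    name: str
    zone: str                       # "IT" or "OT" (assumed classification)
    owner: str                      # who is accountable for the device
    eol: bool = False               # vendor no longer ships security fixes
    internet_exposed: bool = False  # reachable from outside the plant


# Constructed asset register for a small shop; not real data.
REGISTER = [
    Asset("10.0.1.10", "erp-db", "IT", "it-ops"),
    Asset("10.0.1.20", "file-srv", "IT", "it-ops", eol=True),
    Asset("10.0.2.5", "cnc-ctrl-01", "OT", "plant-eng", eol=True),
    Asset("10.0.2.6", "plc-line2", "OT", "plant-eng", internet_exposed=True),
]

# Constructed output of a passive inventory (e.g. ARP/DHCP logs): ip -> mac.
OBSERVED = {
    "10.0.1.10": "aa:bb:cc:00:00:10",
    "10.0.2.5": "aa:bb:cc:00:02:05",
    "10.0.2.6": "aa:bb:cc:00:02:06",
    "10.0.2.77": "de:ad:be:ef:02:77",   # on the network, in nobody's register
}


def reconcile(register, observed):
    """Return (unknown, missing): hosts on the wire that are not registered, and
    registered hosts that were not seen (decommissioned? moved? unplugged?)."""
    known = {a.ip for a in register}
    unknown = sorted(ip for ip in observed if ip not in known)
    missing = sorted(ip for ip in known if ip not in observed)
    return unknown, missing


def assess(asset):
    """Score one asset with assumed rules. OT assets weigh more because an
    attack on a control system can cause physical damage, as the article notes."""
    score = 0
    reasons = []
    if asset.eol:
        score += 3 if asset.zone == "OT" else 2
        reasons.append("end-of-life, no security fixes")
    if asset.internet_exposed:
        score += 5 if asset.zone == "OT" else 3
        reasons.append("reachable from the internet")
    return score, reasons


def prioritized(register):
    """Registered assets as (ip, name, score, reasons), highest score first,
    dropping anything that scored zero."""
    rows = [(a.ip, a.name, *assess(a)) for a in register]
    return sorted((r for r in rows if r[2] > 0), key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    unknown, missing = reconcile(REGISTER, OBSERVED)
    print("unknown hosts (register them or pull them off the network):", unknown)
    print("registered but not seen:", missing)
    for ip, name, score, reasons in prioritized(REGISTER):
        print(f"{score:2d} {ip:12} {name:14} {'; '.join(reasons)}")
```

On the constructed data the unregistered 10.0.2.77 surfaces first, the exposed PLC tops the risk list ahead of the end-of-life CNC controller, and the unseen file server is a question for its owner rather than an alert. The point is the loop, not the rules: run the reconciliation on a schedule, and treat every "unknown" as either an inventory fix or an intruder.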
Which framework to pick comes down to your objective and what your regulatory requirements are. Different frameworks are better for different things. You obviously need to know which systems the framework or regulations cover. According to a 2017 study by the SANS Institute, the NIST Cybersecurity Framework (identify, protect, detect, respond, recover) is becoming a leading framework in industrial environments.
Boost your defenses
If you really want to boost your defenses, Elan suggests starting with these must-have security capabilities:
- Staff Awareness Training: Human error is the leading cause of data breaches, so you need to equip staff with the knowledge to deal with the threats they face. Training courses will show staff how security threats affect them and help them apply best practice advice to real-world situations.
- Application Security: Web application vulnerabilities are a common point of intrusion for cyber criminals. As applications play an increasingly critical role in business, it is vital to focus on web application security.
- Network Security: Network security is the process of protecting the usability and integrity of your network and data. A network penetration test is the way to check it: beyond scanning for known vulnerabilities and misconfigurations, a tester tries to use what the scan finds to move through the network, which shows which weaknesses actually matter.
- Leadership Commitment: Leadership commitment is the key to cyber resilience. Without it, it is very difficult to establish or enforce effective processes. Top management must be prepared to invest in appropriate cybersecurity resources, such as awareness training.
- Password Management: You should implement a password management policy to provide guidance to ensure staff create strong passwords and keep them secure.
Elan concluded by talking about how to put together an effective plan. She begins by asking whether there are compliance requirements in your industry that you have to meet. From there, choose a standard that makes sense for you. Then decide whether you want to follow the standard's instructions in full or build your own approach on top of it. Finally, start building your security program, and do not forget to audit it.