Virtual CISOs in the manufacturing industry: securing supply chains. How can a virtual CISO help you if you’re running a manufacturing company? In this article we will highlight some of the most critical cybersecurity tasks a virtual CISO can support.
Number one is common across any type of business.
Protect Sensitive Data
It’s really about protecting your sensitive data, ensuring greater uptime, identifying the threats, and making sure you have proper cybersecurity controls in place. About 80% of what a virtual CISO does in manufacturing is common to other industries. There are, however, a couple of areas above and beyond that which I want to focus on in this article.
Regulatory Attestation
Number two is regulatory attestation. As a manufacturer, you can reduce the friction of your sales process, and of promoting what your company does to the industry, by acquiring some type of cybersecurity attestation that shows partners, vendors and potential prospects that you’re doing cybersecurity well. You’re protecting your sensitive data.
You’re protecting their sensitive data too, because at the end of the day there’s a high chance you’re collecting a lot of their information to perform the manufacturing you do. Within manufacturing, there are cybersecurity attestations. When you think about it, we say certifications, but they’re not actually certifications.
They’re more of an attestation you can obtain to help your business and prove that you’ve got a good cybersecurity program. A couple come to mind: SOC 2 Type 2 is kind of the industry leader, but within manufacturing there’s ISO 27001, a very strong cybersecurity control framework that you can get certified in.
A virtual CISO can help you understand the ISO 27001 security requirements, map them to security controls, and make sure that those technologies, those people (by people I mean roles and responsibilities) and those processes are in place. Once they are, the virtual CISO can help collect the evidence the ISO auditor needs to confirm that you have successfully implemented the controls ISO 27001 requires, so you can gain that certification. Now for the second area beyond the common work: we’ve talked about general cybersecurity and about certifications and attestations.
IoT / OT Security
The number one area where a virtual CISO can help a manufacturing company, and that differs from other industries, is really IT and IoT. We’re talking about device security and the way devices communicate with technology. You’re going to want a virtual CISO with specific experience in IT and IoT device security.
There are some really great publications out there. I was just going to look; I’ve got a couple of them here. (Obviously, I can’t find the one I want.) This is the best book: Securing Systems: Applied Security Architecture and Threat Models, by Brook S.E. Schoenfield.
This is a great book for manufacturing security. Here’s the other really good one, and my favorite: Industrial Cybersecurity.
These are two great resources. I’m just going to flip around. You can see here (I should probably put this in a better slide) that it breaks down an enterprise based on manufacturing.
The way professionals have done this is by creating zones for devices: how they work with management planes and how they work with the rest of your enterprise network. This comes down to segmentation, authentication, encryption, and I’m going to add manufacturer patching, because these device manufacturers are only now coming into the age where they’re trying to do cybersecurity better. So we need to stay in touch.
We need to keep applying the pressure and letting them know how they can help us do that. And we need to be listening to them, consuming their threat intelligence and their publications on how to configure these devices properly to achieve those cybersecurity results. And what’s really important within manufacturing is applying the cybersecurity controls only to the point where we don’t negatively impact production.
A lot of the manufacturing companies I’ve worked with are all about production: efficiency, numbers, speed, metrics. So we want to secure this environment in a way that helps keep uptime high.
We want to prevent an outage or a threat from making the manufacturing unavailable. But we can also make it unavailable by tightening the screws of cybersecurity too much. We want to be pragmatic in our approach.
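The zone layout described above can be checked mechanically: assign each device to a zone, write down the few zone-to-zone flows (conduits) that production actually needs, and treat everything else as a segmentation violation. The script below is an added example, not code from the article or from either book it mentions; the zone names, IP ranges, conduit list and flow records are all constructed for illustration.

```python
"""Check observed network flows against a zone-and-conduit model of the
kind the article describes. Devices belong to zones; only explicitly
listed conduits between zones are allowed; traffic inside a zone is left
alone so the check itself does not disturb production.

Added example, not from the article. Zone names, address ranges, the
conduit policy and the flow records are constructed assumptions."""
from ipaddress import ip_address, ip_network

# Constructed zone map: zone name -> address range (assumption).
ZONES = {
    "enterprise-it": ip_network("10.0.0.0/16"),
    "site-ops": ip_network("10.10.0.0/24"),    # historians, jump hosts
    "cell-line1": ip_network("10.20.1.0/24"),  # PLCs and HMIs for line 1
    "cell-line2": ip_network("10.20.2.0/24"),  # PLCs and HMIs for line 2
}

# Allowed conduits: (source zone, destination zone, destination port).
# Management of cell devices is only permitted from site-ops, never
# directly from enterprise IT; cells only talk outward to the historian.
CONDUITS = {
    ("enterprise-it", "site-ops", 443),
    ("site-ops", "cell-line1", 22),
    ("site-ops", "cell-line2", 22),
    ("cell-line1", "site-ops", 5432),  # historian data collection
    ("cell-line2", "site-ops", 5432),
}

# Constructed flow records: (src_ip, dst_ip, dst_port), e.g. from NetFlow.
FLOWS = [
    ("10.0.5.20", "10.10.0.10", 443),    # IT user -> jump host: allowed
    ("10.10.0.10", "10.20.1.11", 22),    # jump host -> PLC over SSH: allowed
    ("10.0.5.20", "10.20.1.11", 23),     # IT workstation -> PLC, telnet: violation
    ("10.20.1.11", "10.20.2.12", 502),   # line 1 PLC -> line 2 PLC: no conduit
    ("10.20.1.11", "10.20.1.12", 502),   # within the same cell: intra-zone, allowed
    ("192.168.99.5", "10.20.2.12", 22),  # source in no defined zone: violation
]


def zone_of(ip):
    """Name of the zone containing ip, or None if it is in no zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate_flow(src_ip, dst_ip, dst_port):
    """Return (verdict, reason) for one flow under the conduit policy."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "violation", "address outside every defined zone"
    if src_zone == dst_zone:
        return "allowed", f"intra-zone traffic in {src_zone}"
    if (src_zone, dst_zone, dst_port) in CONDUITS:
        return "allowed", f"conduit {src_zone}->{dst_zone}:{dst_port}"
    return "violation", f"no conduit {src_zone}->{dst_zone}:{dst_port}"


def audit_flows(flows):
    """Annotate every flow with its verdict and reason."""
    return [(s, d, p, *evaluate_flow(s, d, p)) for s, d, p in flows]


def violations(flows):
    """Only the flows the policy does not permit."""
    return [f for f in audit_flows(flows) if f[3] == "violation"]


if __name__ == "__main__":
    for src, dst, port, verdict, reason in audit_flows(FLOWS):
        print(f"{verdict:9} {src:>13} -> {dst}:{port}  ({reason})")
```

Run against real flow exports, the violations list is the starting point for the conversation with production: each entry is either a flow the plant needs (add a conduit) or one it does not (block it), and nothing inside a cell is touched.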
Credential Management
The number one thing I see in manufacturing is a common username and password being used across multiple devices. When we talk about a username and password, we’re essentially talking about credentials. Within device configurations, these credentials are often transmitted without encryption.
That means if an attacker has any way of listening on your network, there’s a high probability they can find out what the username and password is. As I said, in my experience this is common across all devices, and the devices are not segmented, which means that with that one password they can get to any and all devices. Sometimes that could mean making those devices unavailable.
Where a virus exists for the equipment (one is available for some manufacturing equipment, not for others, and for the rest we’re not really sure; maybe somebody has one but we’re not aware of it), they could put a virus on them. They could also change the devices’ configuration. And moving up from the control plane to the management plane, they can get in, listen, collect metrics, collect intelligence about what you’re doing, and exfiltrate that data.
If there’s one area you can improve very quickly, without even asking a virtual CISO for help, it’s credential management within manufacturing. Come up with a plan to segment the different devices and control planes, and assign different accounts to each, in a way that does not negatively impact manufacturing. I hope that helps explain how a virtual CISO can help the manufacturing industry secure its supply chains.
If you have any questions, let me know; I’d be happy to share some more stories.
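The three weaknesses just described (one credential reused across devices, that credential carried by an unencrypted management protocol, and no segmentation so the same credential spans zones) can be found from an asset inventory before anyone sniffs a packet. The audit below is an added example, not code from the article; the inventory format, zone names and device records are constructed, and credentials are reported only as a short fingerprint so the report itself never contains a password.

```python
"""Audit a device inventory for the credential weaknesses the article
describes: shared credentials, credentials exposed by cleartext
management protocols, and shared credentials that cross zone boundaries.

Added example, not from the article. The inventory layout, zone names
and all device records are constructed assumptions."""
import hashlib
from collections import defaultdict

# Management protocols that carry the login in the clear (assumption:
# the inventory records the protocol used to administer each device).
CLEARTEXT_PROTOCOLS = {"telnet", "http", "ftp", "snmpv1", "snmpv2c"}

# Constructed inventory: (hostname, zone, management protocol, username, password).
# In practice this would come from a CMDB or configuration backups.
INVENTORY = [
    ("plc-line1-01", "cell-line1", "telnet", "admin", "admin1234"),
    ("plc-line1-02", "cell-line1", "telnet", "admin", "admin1234"),
    ("hmi-line1", "cell-line1", "https", "operator", "Tr0ub4dor&3"),
    ("plc-line2-01", "cell-line2", "ssh", "admin", "admin1234"),
    ("historian-01", "site-ops", "https", "svc_hist", "zx!9Qp#1Lm"),
    ("eng-ws-01", "engineering", "ssh", "engineer", "admin1234"),
]


def credential_fingerprint(username, password):
    """Short hash of user:password so findings can be compared and shared
    without the report disclosing the secret itself."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()[:12]


def find_shared_credentials(inventory):
    """Credential fingerprint -> hostnames, for credentials on >1 device."""
    by_cred = defaultdict(list)
    for host, _zone, _proto, user, pw in inventory:
        by_cred[credential_fingerprint(user, pw)].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_cred.items() if len(hosts) > 1}


def find_cross_zone_credentials(inventory):
    """Credentials whose devices sit in more than one zone: a password
    learned in one zone then opens devices in another."""
    zones_by_cred = defaultdict(set)
    for _host, zone, _proto, user, pw in inventory:
        zones_by_cred[credential_fingerprint(user, pw)].add(zone)
    return {fp: sorted(z) for fp, z in zones_by_cred.items() if len(z) > 1}


def find_cleartext_management(inventory):
    """Hosts whose management protocol transmits credentials unencrypted."""
    return sorted(host for host, _z, proto, _u, _p in inventory
                  if proto.lower() in CLEARTEXT_PROTOCOLS)


def risk_report(inventory):
    """One finding per shared credential. Severity is high when the same
    credential is both observable on the wire (cleartext protocol on at
    least one host) and valid in another zone: the lateral-movement path
    the article warns about."""
    shared = find_shared_credentials(inventory)
    cross = find_cross_zone_credentials(inventory)
    clear = set(find_cleartext_management(inventory))
    findings = []
    for fp, hosts in shared.items():
        exposed = sorted(h for h in hosts if h in clear)
        findings.append({
            "credential": fp,
            "hosts": hosts,
            "zones": cross.get(fp, []),
            "cleartext_hosts": exposed,
            "severity": "high" if exposed and fp in cross else "medium",
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in risk_report(INVENTORY):
        print(f"[{f['severity']}] credential {f['credential']} on {len(f['hosts'])} hosts "
              f"across zones {f['zones'] or ['one zone']}; cleartext on {f['cleartext_hosts']}")
```

Note that the fingerprint keys on username and password together, matching the article's "common username and password"; the same password under different usernames (the engineering workstation above) is not grouped, and would need a password-only variant of the fingerprint if you want to catch it.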