Ransomware and cyber attacks at manufacturers are becoming increasingly common, disrupting operations and causing millions of dollars worth of damages. Consumer products company Reckitt Benckiser was recently the victim of one such attack, which impacted the company’s 60 factories.
What steps can be taken to prevent cyber attacks at manufacturers and eliminate business disruption? Here are 9 best practices that your company should consider implementing:
1) Maintain an Accurate Inventory of Control System Devices and Eliminate Exposure to External Networks
Although some organizations’ industrial control systems may not directly face the Internet, a connection still exists if those systems are connected to a part of the network – such as the corporate side – that has a communications channel to external (non-trusted) resources.
Organizations may not realize this connection exists, but a persistent cyber threat actor can find such pathways and use them to reach and exploit industrial control systems, with the aim of causing a physical consequence. Therefore, organizations are encouraged to conduct thorough assessments of their systems, including the corporate enterprise segments, to determine where such pathways exist. Any channels between devices on the control system and equipment on other networks should be eliminated to reduce network exposure.
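As an added illustration (not from the article), the script below models network zones and the communications channels between them and reports every control-system device that has a transitive pathway to the Internet, along with the chain of zones that creates it; the inventory, zone names and topology are constructed assumptions for the example.

```python
from collections import deque

# Constructed inventory (assumed for illustration): device -> zone it sits in.
INVENTORY = {
    "plc-line1":  "control",
    "hmi-line1":  "control",
    "historian":  "dmz",
    "eng-laptop": "corporate",
    "mail-gw":    "corporate",
}

# Constructed directed channels between zones (a firewall rule, a dual-homed
# host, a routed link). No control device faces the Internet directly, yet a
# pathway still exists via the DMZ and the corporate side.
CHANNELS = {
    "control":   {"dmz"},
    "dmz":       {"corporate"},
    "corporate": {"internet"},
    "internet":  set(),
}

UNTRUSTED = "internet"


def path_to_untrusted(zone, channels=CHANNELS, target=UNTRUSTED):
    """Breadth-first search over zone channels; returns the list of zones
    from `zone` to `target`, or None if no pathway exists."""
    parent = {zone: None}
    queue = deque([zone])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in channels.get(cur, ()):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def exposed_devices(inventory=INVENTORY, channels=CHANNELS):
    """Map each device with a pathway to the untrusted zone to that pathway."""
    return {dev: p for dev, zone in inventory.items()
            if (p := path_to_untrusted(zone, channels)) is not None}


if __name__ == "__main__":
    for device, path in exposed_devices().items():
        print(f"{device}: {' -> '.join(path)}")
```

Removing the single dmz-to-corporate channel from the assumed topology is enough to take every control and DMZ device off the report, which is the kind of assessment result the section describes.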
2) Implement Network Segmentation and Apply Firewalls
Network segmentation entails classifying and categorizing IT assets, data, and personnel into specific groups, and then restricting access to these groups. By placing resources into different areas of a network, a compromise of one device or sector cannot translate into the exploitation of the entire system.
Access to network areas can be restricted by isolating them entirely from one another or by implementing firewalls. A firewall is a software program or hardware device that filters the inbound and outbound traffic between different parts of a network or between a network and the Internet. For connections that face the Internet, a firewall can be set up to filter incoming and outgoing information. By reducing the number of pathways into and within your networks and by implementing security protocols on the pathways that do exist, it is much more difficult for a threat to enter your system and gain access to other areas.
3) Use Secure Remote Access Methods
A secure access method, such as a Virtual Private Network (VPN), should be used if remote access is required. A VPN is an encrypted data channel for securely sending and receiving data via public IT infrastructure (such as the Internet). Through a VPN, users are able to remotely access internal resources like files, printers, databases, or websites as if directly connected to the network. This remote access can be further hardened by reducing the number of Internet Protocol (IP) addresses that can reach it, using network devices and/or firewalls to restrict access to specific IP addresses and/or ranges, and to connections originating from within the U.S. Note that a VPN is only as secure as the devices connected to it. A laptop computer infected with malware can introduce that malware into the network, leading to additional infections and negating the security of the VPN.
4) Establish Role-Based Access Controls and Implement System Logging
Role-based access control grants or denies access to network resources based on job functions. This limits the ability of individual users – or attackers – to reach files or parts of the system they shouldn’t access. For example, SCADA system operators likely do not need access to the billing department or certain administrative files. Therefore, define the permissions based on the level of access each job function needs to perform its duties, and work with human resources to implement standard operating procedures to remove network access of former employees and contractors.
Implementing a logging capability allows for the monitoring of system activity. This enables organizations to conduct thorough root cause analyses to find the sources of issues in the system, which may have been the activities of an employee or an outsider. Monitoring network traffic also allows organizations to determine if a user is taking unauthorized actions or if an outsider is in the system, which provides an opportunity to intervene before problems manifest.
5) Use Only Strong Passwords, Change Default Passwords, and Consider Other Access Controls
Consider implementing password security features, such as an account lock-out that activates when too many incorrect passwords have been entered. Organizations may also consider requiring multi-factor authentication, which entails users verifying their identities – via codes sent to devices they previously registered – whenever they attempt to sign in.
6) Maintain Awareness of Vulnerabilities and Implement Necessary Patches and Updates
To protect one’s organization from opportunistic attacks that exploit known vulnerabilities, a system of monitoring for and applying system patches and updates should be implemented. Where possible, organizations should also consider setting systems and software to auto-update to avoid missing critical updates. These updates are designed to fix known vulnerabilities and are encouraged for any Internet-connected device.
7) Develop and Enforce Policies on Mobile Devices
The proliferation of laptops, tablets, smartphones, and other mobile devices in the workplace presents significant security challenges. The mobile nature of these devices means they are potentially exposed to external, compromised applications and networks and malicious actors.
Therefore, it’s important to develop policies on the reasonable limits of mobile devices in your office and on your networks. These measures should be strictly enforced for all employees, as well as for contractors.
8) Implement an Employee Cybersecurity Training Program
Cybersecurity for critical infrastructure sectors that operate industrial control systems is extremely important given that these systems are increasingly being targeted. Therefore, employees should receive initial and periodic cybersecurity training, helping to maintain the security of the organization as a whole.
There are certain topics that should be emphasized for general awareness. One topic is social engineering, which continues to be a popular means for cyber criminals to prey upon unsuspecting employees. These methods involve emails (“phishing”), phone calls, or other types of personal interactions in which malicious actors attempt to entice employees into providing sensitive personal or corporate information, such as account passwords or details about information technology infrastructure.
Among the key points in Booz Allen Hamilton’s Industrial Cybersecurity Threat Briefing for 2016, one-third of ICS operators around the world were breached in 2015, and spear phishing was the primary method of attack. In spear phishing incidents, the vulnerabilities were the users who were compromised through social engineering.
9) Implement Measures for Detecting Compromises and Develop a Cybersecurity Incident Response Plan
Despite the many preventative measures organizations implement, many still experience compromises. Indeed, many cybersecurity experts have noted that experiencing a compromise is not really a question of “if,” but more of a question of “when.” When a compromise occurs, the organizations that fare the best will be those that quickly detect the issue and have a plan in place to respond.
Implementing such measures as intrusion detection systems and intrusion prevention systems, anti-virus software, and logs can help to detect compromises in their earliest stages.
Incident response plans are a critical yet underutilized component of emergency preparedness and resilience. An effective cybersecurity response plan will limit damage and reduce recovery time and costs. Plans should include measures for reacting to destructive malware in an ICS environment. In such situations, organizations should be prepared to “island” their ICS environments by disconnecting from non-ICS networks. They should also be capable of going to “manual operations” if network conditions impact visibility from the SCADA system, or if malware potentially renders control devices inoperable via an automated means.
Rather than being developed by a single entity, the plan should be a product of collaboration between all departments that would be stakeholders in responding to cyber attacks at manufacturers. This will ensure a cooperative and unified response that leverages all of an organization’s resources to the greatest extent possible.
This task is not complete once the plan has been developed; it needs to be operationalized as well. It is critical that plans be routinely reviewed and updated to ensure they remain relevant and usable for when they are actually needed. Furthermore, to truly understand their cybersecurity incident response plan, organizations must practice it through regular exercises. This will ensure that all stakeholders understand the procedures that would be implemented in the event of a significant cyber attack at a manufacturer, enabling a more effective and efficient response.