Protecting Manufacturers from Digital Disruption

By Tom Wojcinski, principal, and Michael J. Devereux II, CPA, CMP, partner, Wipfli

While talking with a group of manufacturers, one asked if there was anything it could do to ensure its operations are not hacked. But, of course, there is no way that’s possible, especially in today’s connected manufacturing environment. Even if a company disconnected everything from the internet, it still could be the victim of a technology hack if physical access is available to any bad actors or those working on their behalf.

Cloud-based ERPs, digital transformation and Industry 4.0 solutions are creating efficiencies, customer engagement and business intelligence that are improving operations and profitability, which cannot be duplicated on analog systems. Consequently, however, this increased digitization creates greater risk to manufacturers’ data and operations; and the research has shown that no manufacturer is too small or too big to be safe from cyberattacks. Leadership often assumes that no one will hack their company because the data isn’t valuable to others. The bad actors disagree, however. Data is valuable, and they would like to put the company in a position where it must pay a ransom to get its data back. And data isn’t just limited to financial information, it could include confidential customer information, bills of material, engineering drawings or mold designs, processing data, sampling results and more.

Wipfli recently conducted a survey of over 200 manufacturers. The survey found that almost half of the respondents experienced three or more network breaches in the past 12 months. That can be overwhelming to leadership, not to mention IT staff or the supporting organization.

Focusing on Manufacturing Resilience
A company’s data isn’t the only thing at risk. Cyberattacks can focus on physical assets, rather than digital assets. Cybercriminals can lock up or seize equipment operations. Not only can this result in a significant amount of unplanned downtime but also can pose a physical risk to employee safety.

For example, consider a manufacturer that stores and recalls processing data for each job within an ERP or MES system. What happens if those digital services are disrupted or the underlying operational data is held hostage? Or a worse scenario, what if the technical specifications are changed, and the company continues to make parts that don’t meet internal or external specifications? Similarly, vision and quality systems within the plant could be vulnerable and the target of a potential attack. While some of this seems implausible or unlikely, cyberattacks are becoming more sophisticated and aggressive, and exposure in these areas can cause very real risks to organizations.

Manufacturers can protect their operations by building and implementing resilience strategies to cyberattacks. In this instance, resilience does not mean “bullet proof.” Rather, it means that a company can resist an attack, to respond quickly and thoroughly when the attack occurs, and to efficiently recover any data or business operations that are compromised. That starts by identifying weaknesses in the digital perimeter and then building a multilayered strategy to protect and respond to the cyberattack.

Common Blind Spots
For manufacturers, there can be multiple physical and digital avenues into operations or data (including financial, operational, technical or front office information). Often, these paths are hidden or are seemingly insignificant. Outdated and unsupported hardware and software on the shop floor are two of the most overlooked sources of vulnerability. While this equipment may not be used like traditional PCs or laptops, it is still connected to the network. If it’s not maintained, it could be a security risk to the organization.

All too often, the IT department is not involved in all IT decisions. With the advancement of software-as-a-service model and cloud computing, it’s easier for employees to purchase new software, download applications or share files using the cloud, without the oversight of skilled IT or cyber professionals. Systems and software that are not vetted against company policies or maintained properly could pose additional, not-so-obvious risks. In addition, they extend the number of vectors a bad actor may use to gain access, often without a company’s knowledge, making it more difficult to protect data and operations.

A lack of real-time cyber monitoring is another common blind spot for manufacturers. Without real-time monitoring, a company has no visibility into attempts to infiltrate its network. Stopping and safeguarding against attacks is harder if a company does not know that they’re happening. For instance, real-time monitoring can protect against the violation of impossible travel rules. In this scenario, a legitimate user logs into the network from his or her home office in Milwaukee, Wisconsin. Let’s assume is the corporate controller of a manufacturer, just outside of Milwaukee. Then, just three hours later, the corporate controller logs in from Dublin, Ireland. This is an impossible travel scenario and clearly a sign that the corporate controller’s credentials have been breached. However, it could go unnoticed for some period of time without proper, real-time monitoring in place.

Creating a Multi-Faceted Security Strategy
The most effective means to resist an attack is to establish a multilayer security strategy. At its most basic level, the strategy should include:

Password protocols: Require the use of strong passwords.
Email protections: Technologies that limit spam and spear-phishing attempts will reduce the risk of social engineering.
Multi-factor authentication (MFA): MFA requires users to take additional steps to verify their identity anytime when logging in or accessing a system or company app. MFA should be implemented on all removed access points, as well as internal administrative accounts. This includes email, VPN and all cloud-based applications.
End-point detection and response (EDR): EDR increases the ability to detect suspicious events by providing real-time visibility into potential attacks. EDR often is confused with antivirus software, which also should be used by all manufacturers. Antivirus software looks for malicious programs running on the computer or network, while EDR searches for malicious activity in the memory of the computer.
Regular vulnerability scans and penetration testing: If a company is not monitoring its environment, it cannot identify vulnerabilities or ways to fix them. Monthly or quarterly penetration testing of the external systems and vulnerability scans of the internal systems are critical to identifying weaknesses before they can provide access to bad actors.
Vulnerability management: Cyber criminals are regularly probing for security gaps. A company can make it more difficult for them by deploying security patches and software updates, removing unnecessary software and disabling unused system processes.
Air-gapped backups & segmented networks: If an employee can browse directly to the company’s backup files from its primary network, they are not safe from ransomware or other cyberattacks. Separated backup files on a stand-along network that requires separate credentials often mitigates this risk.
Recovery testing: What happens if a company is attacked? Have steps been taken to restore the network, files or operations? Are the backups occurring as designed? A network failure or cyberattack isn’t the best time to find out files haven’t been backed up or do not have the means of restoring them. Manufacturers need to regularly test the backup process to confirm the protocol is working, as designed, and intended.

Employee Engagement in Cybersecurity
It’s critical that employees understand the importance of cybersecurity. Many hackers don’t hack systems, they hack people, as they’ve found it’s easier to trick someone into sharing their credentials than to break into a network. It’s for that reason that employee engagement on cybersecurity is just as important as the focus on a company’s perimeter. To start with, manufacturers must put controls in place to govern how data and information are used, managed and stored. Sensitive data should be limited to those who absolutely require it to perform their job functions.

In addition to understanding where the data is stored and who has access to it, a manufacturer’s best practice is to implement a comprehensive training program. Hackers will use a variety of social engineering techniques to steal information, including email (phishing), SMS text messages (smishing) and phone calls/voicemail (vishing). Training employees to be skeptical is key. When employees understand what they need to do and why, company operations will be better protected against cyber criminals.

Regular Cyber Assessments
Finally, manufacturers should engage in regular cyber assessments, whether that’s done internally by IT staff that keeps up with the cyber security trends or by an outside firm. These assessments provide visibility into potential avenues bad actors can access data. From there, companies can develop or modify safeguards and policies that can better protect them from cyber fraud.

Tom Wojcinski is a principal in Wipfli’s cybersecurity and technology management practice. He leads a variety of engagements designed to help organizations, including cybersecurity risk assessment, control program development and implementation, incident response planning and simulation and more. Michael J. Devereux II, CPA, CMP, is a partner and director of Manufacturing, Distribution and Plastics Industry Services for Wipfli. Devereux’s primary focus is on tax incentives and succession planning for the manufacturing sector.

More information: www.wipfli.com