Date post: 21-Jul-2020
Manufacturing Insights Managing Industry 4.0 Cybersecurity Risks
Page 1: Manufacturing Insights Managing Industry 4.0 Cybersecurity Risks

Manufacturing Insights

Managing Industry 4.0 Cybersecurity Risks


Table of Contents

3 EXECUTIVE SUMMARY
5 INTRODUCTION
5 Changing attitudes about cybersecurity
6 Quantifying risk
7 Managing cyber risks
8 PART I: A GROWING GAP, INCREASING ATTACKS AND A SUPPLY PROBLEM
8 The digital transformation
9 Today’s threat landscape
9 Manufacturers face unique risks
10 Recent trends
11 The supply chain
11 A global shortage of cybersecurity professionals
12 PART II: BUILDING A CYBERSECURITY FOUNDATION
12 An effective governance structure
13 Metrics that matter
13 Operating timeframes
14 OPERATIONAL SECURITY CONSIDERATIONS
14 MANAGING SUPPLY CHAIN RISK
15 OUTSOURCING SECURITY OPERATIONS
15 What cybersecurity services does our organization need?
16 What are the solution provider’s qualifications?
16 Does the solution provider understand our organization?
16 How will we work together with the cybersecurity provider?
16 What related services does the solution provider offer?
17 EIGHT COMMON MISTAKES WHICH INCREASE RISK
20 CONCLUSIONS AND RECOMMENDATIONS
22 REFERENCES


3 Manufacturing Insights: Managing Industry 4.0 Cybersecurity Risks — 2020

Executive Summary

As a motivated adopter of new technologies, the manufacturing sector has changed significantly in the last decade. Automation, artificial intelligence, embedded sensors, cloud services and centralized management systems have enabled new processes and products, greater efficiencies and higher revenues.

But while manufacturers look at facilities and see the manifestation of Industry 4.0, private and nation state threat actors see a vast attack surface littered with vulnerable systems and valuable data—all belonging to companies with much to lose.

Headline-grabbing breaches and shutdowns have put manufacturers of all sizes on notice that everyone is vulnerable and no one—no matter how small or large—escapes the interest of attackers. As a result, manufacturing firms recognize that cybersecurity is now a board level issue; however, security governance competes for attention and resources with other aspects of the business which can often appear more urgent or important.

As the rapid introduction of new operational technologies creates a widening security gap, boards must provide the leadership and the commitment necessary to make protecting the organization a priority. Two foundations of this leadership should be:

1. Shifting the executive mindset from one of security as an IT cost to one of business risk management which offsets the financial losses associated with operational disruption, lost revenue, penalties/fines and irreparable harm to brand reputation.

2. Recognizing that it is only a matter of time until an organization experiences a disruptive security incident—even if the incident is the result of a vendor in the supply chain.

The former completely shifts how cybersecurity is viewed while the latter forces the organization to adapt its security posture to include elements of detection and response (rather than the obsolete approach of placing trust purely in perimeter-based defenses).

Additionally, company leaders should create a culture of cybersecurity awareness throughout the entire organization by regularly referencing the subject and championing training initiatives and other investments.


But creating an effective cybersecurity strategy is a real challenge. As a starting point, manufacturers of all sizes should take steps to:

• Enable effective cybersecurity governance by creating reporting structures and adopting metrics which enable the board to make informed and timely decisions.

• Understand operational security considerations to ensure cybersecurity thinking extends beyond the traditional IT to encompass operational systems in industrial Internet of things (IIoT) environments.

• Manage supply chain risk with a combination of prevention, policies and promises (plus consequences).

• Outsource certain security operations as a strategic and cost-effective means to overcome a global shortage of cybersecurity professionals.

• Avoid common mistakes which can undermine even the best-intentioned and well-funded cybersecurity blueprints.

Managing cyber risk in a manufacturing organization is no simple task. It requires cooperation between those responsible for operational technology (OT) and the IT group, under strong leadership from the board and C-level executives.

However, managing cyber risk is a modern business imperative and with a disciplined approach it is possible for manufacturing organizations to enjoy the benefits of Industry 4.0 without falling victim to debilitating, expensive and public attacks.


Introduction

While financial management and legal compliance receive most of the risk management attention, the corporate governance responsibilities of the board of directors extend well beyond those two realms to include cyber risk as a critical component. For manufacturing firms, cybersecurity is still a relatively new board-level topic and should be more than “just an IT problem to fix.”

Cybersecurity is frequently viewed as burdensome and it can be challenging to communicate the benefits of proactive security investments unless a breach has already occurred. In fact, when eSentire surveyed manufacturing customers, 46 percent of respondents cited “demonstrating the value of cybersecurity spend to executives and boards” as a significant challenge.

Changing attitudes about cybersecurity

Cybersecurity is a complex, multi-disciplinary topic that covers user controls, processes and policies, competing technology solutions and a growing list of emerging standards that often bring misunderstood risk. Decision makers must have fundamental knowledge of this important business continuity engine. In particular, leaders should have a grasp of risk management in the context of the criminal and political nature of today’s cybersecurity environment.

It’s not the responsibility of the board to become IT experts, but the board must know what questions to ask the Information Security and Information Technology (IS&IT) departments. Similarly, the IS&IT departments must provide the board with meaningful metrics which can inform important decisions about cybersecurity investments. Unfortunately, many struggle in this regard: in the same survey cited above, 42 percent of respondents indicated that “measuring and reporting the status of security programs” was a major challenge.

Additionally, boards must provide the leadership and the commitment necessary—by proactively overseeing and holding management and the C-suite accountable—to make protecting the organization a priority. Part of this leadership is a change in attitude. While 50 percent of survey respondents suggested that “bearing the cost of ever-increasing security demands” was a challenge, the reality is that investments in security are investments in business continuity which preserve the ability to operate and deliver significant returns.

There are several good guides on the key pillars of risk management and board obligations, including the National Association of Corporate Directors (NACD) Handbook on Cyber-Risk Oversight,1 the National Cyber Security Centre board toolkit on Supply Chain Security Guidance,2 and Navigating the Digital Age.3 While each resource provides differing levels of information, there are five common pillars:

• Awareness: understanding the impact of cyber risks and trends, experiencing the business impact of a breach and exposing personal risks

• Risk: identifying nonpublic assets and protected data, and documenting regulatory and contractual obligations

• Program: establishing budget, staffing and programs that align to overall business risk priorities

• Reporting: annual planning, quarterly reporting, dashboards and peer/industry comparisons of performance

• Incidents: understanding incident response, board roles, critical business decisions and reporting to authorities and crisis communications

Quantifying risk

In the 2018 Ponemon State of Endpoint Risk Study, 64 percent of survey respondents indicated that their organizations suffered a data asset and/or IT infrastructure compromise, reflecting a 54 percent increase over the previous year. Of those breached, 57 percent reported significant disruption to business operations with a loss of more than 1,000 records containing sensitive or confidential information.4

Of course, one limitation of relying on a survey is that only respondents who know they have been compromised can indicate that a compromise has occurred. This sample bias means that the Ponemon stats undercount security incidents because many compromises go undetected.

It’s not a matter of if, but when

The most accurate way to inform predictions about risk is to study the real world. Using observational data from our Security Operations Centers (SOCs), eSentire calculated the mean probability that a manufacturing organization had at least one incident involving a bypass of existing endpoint security controls over a 12-month period (Figure 1).5

One clear observation is that the more sites an organization has, the higher the risk, most likely due to a larger threat surface and more opportunities for attackers. But don’t overlook the fact that even a manufacturing organization with only a single location has an almost 40 percent chance of falling victim to a security incident.

The major takeaway from this empirical analysis is that it’s not a matter of if an organization will experience an incident, but when. Using this fact as an operating assumption can influence an organization’s priorities and expand the security conversation beyond perimeter defenses to include topics such as detection and response, containment and incident response.

Probability of one or more incidents in a 12-month period, by locations

Locations:    1    2    3    4    5    6    7    8    9   10
Probability: 38%  61%  76%  85%  90%  94%  96%  98%  99%  99%

Figure 1—The probability of at least one breach in a 12-month period approaches near-certainty as an organization adds locations
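The shape of the Figure 1 curve can be reproduced with a simple independent-locations model. This is an added example, not part of the report and not eSentire's method: it assumes (my assumption) that every location carries the same annual incident probability p, with p = 0.38 read from the single-location bar, so the organization-level probability is 1 - (1 - p)^n. The block also inverts the formula to show what per-site probability a multi-site organization would need in order to stay under a board-level target.

```python
"""Independent-locations model for the Figure 1 curve (added example, not from the report).

Assumption (mine, not eSentire's): every location carries the same annual
probability p of at least one incident and locations are independent, so
    P(n) = 1 - (1 - p) ** n
is the probability that an organization with n locations sees one or more
incidents in a 12-month period.  p = 0.38 is the single-location value read
from Figure 1.
"""
import math

# Values read from Figure 1 of the report: number of locations -> probability (%)
FIGURE_1 = {1: 38, 2: 61, 3: 76, 4: 85, 5: 90, 6: 94, 7: 96, 8: 98, 9: 99, 10: 99}


def prob_at_least_one(p_site: float, n_sites: int) -> float:
    """Probability of one or more incidents across n independent locations."""
    if not 0.0 <= p_site <= 1.0 or n_sites < 1:
        raise ValueError("p_site must be in [0, 1] and n_sites >= 1")
    return 1.0 - (1.0 - p_site) ** n_sites


def max_site_prob_for_target(target: float, n_sites: int) -> float:
    """Largest per-location probability that keeps P(n) at or below target.

    Solves 1 - (1 - p) ** n = target for p, i.e. p = 1 - (1 - target) ** (1 / n).
    Useful when deciding how much per-site risk reduction a board target implies.
    """
    if not 0.0 <= target < 1.0 or n_sites < 1:
        raise ValueError("target must be in [0, 1) and n_sites >= 1")
    return 1.0 - (1.0 - target) ** (1.0 / n_sites)


def sites_until(p_site: float, target: float) -> int:
    """Smallest number of locations at which P(n) first reaches target."""
    if not 0.0 < p_site < 1.0 or not 0.0 < target < 1.0:
        raise ValueError("p_site and target must be in (0, 1)")
    # (1 - p) ** n <= 1 - target  <=>  n >= log(1 - target) / log(1 - p)
    n = math.log(1.0 - target) / math.log(1.0 - p_site)
    return max(1, math.ceil(n - 1e-9))


def max_figure_deviation(p_site: float) -> float:
    """Largest gap, in percentage points, between the model and the Figure 1 values."""
    return max(abs(100.0 * prob_at_least_one(p_site, n) - pct) for n, pct in FIGURE_1.items())


if __name__ == "__main__":
    print("locations  figure  model")
    for n, pct in FIGURE_1.items():
        print(f"{n:>9}  {pct:>5}%  {100 * prob_at_least_one(0.38, n):5.1f}%")
    print(f"max deviation from Figure 1: {max_figure_deviation(0.38):.2f} points")
    print(f"locations until P >= 90%: {sites_until(0.38, 0.90)}")
    print(f"per-site p needed for P(10) <= 50%: {max_site_prob_for_target(0.50, 10):.3f}")
```

With p = 0.38 the model stays within one percentage point of every bar in the figure, and it shows why adding locations without lowering per-site risk drives the organization-level probability toward certainty.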


Managing cyber risks

Boards and the organizations they govern are recognizing the need for cybersecurity governance; plus, the return on investing in cybersecurity solutions is becoming clearer with every headline-grabbing incident. Unfortunately, cyber risk management within manufacturing organizations is a complex issue influenced by several factors, which we examine in Part I.

In Part II, we shift attention from the requirements and challenges facing manufacturing organizations to provide information and resources which can help in cybersecurity initiatives.


Part I: A Growing Gap, Increasing Attacks and a Supply Problem

For manufacturing organizations to effectively manage cyber risk, they first need to understand three factors which shape the operating context:

• A digital transformation which is creating a widening security gap

• An ever-evolving threat landscape driven by motivated and well-financed attackers

• A global shortage in cybersecurity professionals

The digital transformation

Industry 4.0 is the interconnection of industrial equipment which accesses and analyzes centralized operational data. In essence, it represents the next industrial revolution in advanced manufacturing and smart, interconnected, collaborative factories.

This new paradigm is characterized by the action of the physical world becoming a type of information system through sensors and actuators embedded in objects and linked through networks.

Beyond having the potential to completely change material and manufacturing processes, Industry 4.0 is expected to contribute to more efficient operations by aggregating data across all your facilities, letting you monitor, measure, and improve performance.

This digital transformation introduces new generations of intelligent solutions and integrates these solutions into existing manufacturing processes and technologies including SCADA/ICS and PLCs. In many cases, this collection is controlled by a Manufacturing Execution System (MES) which is tightly integrated into the manufacturing organization’s ERP system.

One result of this evolution is that every element is connected, centrally controlled and monitored. Another—unintended—outcome is that the entire manufacturing process (and, by extension, the company which depends on that process running effectively) is more vulnerable to cyberattacks.

A widening security gap

In manufacturing, investments are largely motivated by the pursuit of increased operational effectiveness and efficiency: doing more for a lower per-unit cost. Often, these investments manifest as new operational technology (OT), for instance to enable higher degrees of automation, accelerated assembly timelines and improved real-time insights.


This OT gets added to a large information technology (IT) stack which has often been built over several decades; in that time, the IT stack has become a complex mix of legacy, aging and modern solutions held together by vulnerable protocols and a “don’t touch what isn’t broken” stability strategy.

Unfortunately, this pursuit of improved operations comes with a consequence: a widening security gap. Operational motivations are about speed and efficiency, not security. Security was a distant priority when vendors created their new OT solutions and security is at best a secondary priority for most manufacturing organizations.

In fact, the rapid introduction of OT can create tension in the organization: IT understands the security risks and best practices and wants to take the time to do things as safely as possible; OT is under pressure to hit targets and can feel like IT is slowing them down by unnecessarily overstating the risks.

From the shadows, attackers see highly connected, unprotected systems built by vendors who know very little about system security and who are content to pass risk to their customer—the manufacturing organization.

Today’s threat landscape

Today’s manufacturing organizations face a wide array of cyberthreats. From opportunistic attacks using commodity malware as a service, to sophisticated hands-on-keyboard attacks which surgically evade defenses, to advanced persistent threats which can operate for years undetected, to industrial espionage using legitimate credentials harvested from phishing campaigns—the list is long and the consequences can be devastating.6

The rise of hands-on-keyboard ransomware, in particular, is a worrisome development. Headlines are full of high-profile examples of downtime, disruption and—owing to a bug in the Ryuk ransomware decryptor—destruction.7

Modern threats can readily bypass legacy antivirus solutions and take advantage of vulnerability windows. Organizations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks, mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response to security incidents.

Manufacturers face unique risks

As manufacturing has become more connected, the threat surface—the collection of points an attacker can use to try to gain access—has increased substantially and now extends from endpoints and networks into cloud services. Here’s how David Brousell, vice president and executive director of the Manufacturing Leadership Council, sums up the situation:8

Manufacturers are using cutting-edge digital technology to a greater degree than ever before. We’re putting sensors in equipment, digitizing supply chains and gathering data from customers to better the customer experience, to name just a few examples. The number of electronic connections we’re making is enormous—and the more you electronically link products and processes, the more vulnerable they become to cyberattacks.

Plus, manufacturers must grapple with systemic vulnerabilities in operating systems and control systems. For instance, it’s important to recognize that many industrial communication standards don’t even consider security because they are based on the old firewall model of complete trust within the network.


The 2018 Forrester SCADA survey indicated that 56 percent of organizations using SCADA or ICS systems experienced a breach in the previous year. Only 11 percent indicated that they never experienced a breach.

A successful cyberattack against OT or a SCADA control system not only has the potential to damage the business financially, but also could result in physical consequences to such things as infrastructure and services, the environment, and possibly human life.

Unfortunately, we don’t have to look far for examples in which manufacturing and industrial organizations were targeted by cybercriminals.

Perhaps the best-known example is the infamous 2019 ransomware attack which took Norsk Hydro’s facilities offline, causing tens of millions of dollars of damage. Even though the damage inflicted was enormous, it’s important to recognize that there wasn’t anything special about the attack itself—it employed commodity malware against everyday business systems.

Recent trends

While malware specifically targeting industrial control systems has long been recognized as a threat, incidents against commercial facilities have been quite rare—but that may be changing.

In February 2020, reports emerged of a new malware called EKANS which, in addition to encrypting data, terminates 64 different software processes on victim computers—including many that are specific to ICS.9

EKANS (also called Snake) and its potential precursor, Megacortex, are likely portents of a future in which the soft underbelly of manufacturing and industrial systems are mercilessly targeted. Wired’s coverage notes that:

Industrial firms have certainly been hit with run-of-the-mill Windows-focused ransomware in the past, such as the disastrous cyberattack on Norwegian aluminum firm Hydro Norsk last year. But EKANS and Megacortex go a step further, into the technical guts of industrial control systems. Among the dozens of processes it terminates are those used by GE's Proficy software—a "data historian" program that keeps records of operational information in industrial settings—as well as the mechanism that checks for a customer's paid license for GE's Fanuc automation software, the monitoring and management software Thingworx, and a control interface program sold by Honeywell.

Moreover, while earlier attacks against major manufacturers and industrial facilities were believed to be sponsored by nation states, researchers believe these latest attacks are the work of cyber criminals motivated purely by profit.

Of course, criminals don’t need to shut down a facility to extract payment. In many cases they exfiltrate sensitive information (trade secrets, proprietary data and intellectual property, financial details, private emails, account credentials) and then threaten to release it publicly if a ransom isn’t paid. In some cases attackers have even weaponized regulations like GDPR which impose fines when breaches compromise personal information.

And attacks aren’t solely the act of private malware groups; nation states are also participants in this space. In these scenarios, the nation states simply extract valuable intellectual property as discreetly as possible and then use it to increase the competitiveness of local companies relative to the organizations which were compromised.


The supply chain

As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal activities. A Spiceworks survey of 600 IT and security decision-makers which asked about supply chains highlights this risk.

While the majority of respondents felt confident in their vendors to keep data safe, nearly half (44 percent) of firms had experienced a significant, business-altering data breach caused by a vendor. Human error and stolen passwords accounted for 26 percent of the breaches, while malware played a key role in half of the attacks.

As a recent example, in April 2020 reports emerged that the criminals behind the DoppelPaymer ransomware (a variant of BitPaymer) had published data from the US Navy, Lockheed-Martin and SpaceX. The data appears to have been taken from contractors working with those organizations.10

The Spiceworks survey showed that of the nearly 250 companies that experienced a breach, personally identifiable data was impacted in 32 percent of cases, 29 percent included payment information, and 24 percent exposed proprietary business data. What’s worse, only 15 percent of firms reported that their vendors provided notification to them when a breach occurred.

Respondents indicated that third-party breaches resulted in disrupted operations (27 percent), increased operational complexity and cost (52 percent), reputational damage (19 percent) and financial losses and penalties (26 percent).

A global shortage of cybersecurity professionals

Unfortunately, the factors outlined above—a widening security gap, capable attackers and the need for executive accountability—exist against a backdrop of a global shortage of cybersecurity professionals.

Just how large is the shortage? Non-profit IT security organization (ISC)2 estimates that “it would take another 4 million professionals to close the gap.”11

This shortage means that it can be very difficult for manufacturing organizations, even those which are sophisticated and well-funded, to attract the cybersecurity expertise needed to harden defenses against attacks.


Part II: Building a Cybersecurity Foundation

Managing cyber risks within your manufacturing organization is a challenging and multifaceted—but extremely worthwhile—endeavor.

To help organizations get started or recognize potential blind spots in existing plans, the following sections present resources to help you:

• Enable effective cybersecurity governance

• Understand operational security considerations

• Manage supply chain risk

• Outsource security operations

• Avoid common mistakes

Cybersecurity governance

Enabling cybersecurity governance requires an effective governance structure, board visibility into the right metrics and an appreciation of the relative dynamism of security needs.

Too many organizations have a misplaced satisfaction that the board is already receiving the information they need to fulfill their cybersecurity governance obligations.

Business priorities, cyberthreats and the organization’s operational context change over time and sometimes very suddenly. Metrics and information which were sufficient only a few months ago might have dangerous blind spots today. To stay on top of cybersecurity and risk management, it’s important to regularly challenge assumptions about what information the board needs.

An effective governance structure

The most effective governance structures come from a combination of top-down principles that define the objectives and operational approach of a complementary bottom-up effort.

From a bottom-up perspective, the information security organization (whether the IT department or a well-staffed security team) needs to be able to recommend the type of structural reporting they believe is necessary.

Cybersecurity reporting typically flows through the IT director into the CIO, who has ultimate responsibility for the security elements of governance. Unfortunately, this structure can create conflicts of interest. Today, many enterprises are adopting structures in which cybersecurity reporting goes to the COO, CSO, or Chief Risk Officer.

At the same time, the board needs to recognize the flaws and trade-offs inherent within any reporting structure and consciously advocate for an approach which will provide them with the information and visibility they need.


Metrics that matter

In today’s information-rich manufacturing environments, producing data is straightforward; however, delivering what’s needed to enable effective cybersecurity governance requires careful consideration.

Metrics have maximum value when they capture an operating reality and can be placed in context. When these conditions are met, metrics reveal how you are performing today and how your performance is changing over time in the operating context of your business and risk environment. These insights enable the board to make decisions which help the business get to (or remain in) a desired state.

Broadly, metrics can be divided into two categories:

• Lagging metrics look into the past and tell the board things like the number of incidents, the likelihood that an incident results in a breach, the time to containment, the costs incurred and the effectiveness of an organization’s incident response capability; these metrics are relatively easy to produce, as they tend to be counting- and measurement-based, but it is important to normalize them to account for changing scales

• Leading metrics take a forward-looking approach and capture information like the threat surface, the organization’s readiness to respond to an incident and how investments are going to be operationalized in pursuit of cybersecurity goals; these metrics are more challenging to produce and for that reason they are often overlooked or perpetually exist just beyond the to-do list

Both sets of metrics are valuable. Moreover, they are connected: for instance, an “Incident Prevention Score” should have value as a predictor of an organization’s incident response capability. Care should be taken to ensure leading metrics hold real meaning and aren’t simply vanity scores with little predictive value.

Operating timeframes

When it comes to cybersecurity, all manufacturing businesses—small, medium and large—must shift their thinking regarding operating timeframes. Often, this thinking is shaped by annual planning cycles and long time horizons, so it needs to be recalibrated to account for the dynamic nature of the risk environment in which the business truly operates. For instance, requests for funding should be considered quickly (which may require new, accelerated processes), as they may be in response to a threat which has only just materialized.

Likewise, the organization must be able to execute with velocity: there’s little point in quickly making the correct decision if teams don’t have the resources to take action.


Operational security considerationsBuilding a strong cybersecurity foundation in a manufacturing organization requires careful consideration of

operational security. Table 1 provides a simple framework to organize different elements.

Managing supply chain riskBy implementing a three-pronged approach that brings together prevention, policies and promises,

manufacturers can strengthen their security posture, mitigate risk and maintain trust with customers.

Prevention is key

Most manufacturing organizations employ multi-step processes to evaluate vendors, but security is not always

part of the criteria. The best way to protect your company from a breach is to avoid one in the first place—by

doing all of the due diligence needed. Yet only about half of companies require a signed contract obligating

third-party suppliers to adhere to security and privacy practices and less than half review the written policies of

their third parties.

Supply chain risk becomes more manageable when an organization has company-wide policies in place that

specifically take security into consideration when it comes to bringing on third parties.

Business risk management
Intention: capture the high-level risks inherent to the organization's operating context.
• Data classification
• Regulatory / privacy obligations
• Client contractual commitments
• Geographic / industry risks

Threat landscape monitoring
Intention: maintain awareness of the ever-changing threat landscape as important risk management context.
• Broad cyberthreat trends
• Industry-specific threats
• Technology-specific vulnerabilities
• Tactics, techniques and procedures (TTPs)

OT asset discovery
Intention: ensure operational technology is included in cybersecurity programs.
• Discover Purdue Level 2 devices (HMIs, engineering workstations)
• Discover Purdue Level 1 devices (PLCs, controllers)
• Central mapping of OS, patches, etc.

Vulnerability assessments
Intention: provide proactive insight to quantify risk and enable preventative actions that reduce it.
• IT vulnerability assessments
• Vulnerability scanning (on OT networks, prefer passive discovery: active scans can disrupt fragile controllers)
• Risk scoring and recommendations

Continuous monitoring
Intention: ensure the organization can identify threats in real time and is prepared to respond.
• Threat and anomaly detection
• Event run books and responses
• OT operations run books and responses

Incident response
Intention: ensure the organization has thought through challenging scenarios which may necessitate decisions with significant consequences.
• Documented incident scenarios
• Team roles and responsibilities
• Simulations and red-blue team / table-top exercises

Table 1: A simple framework to organize operational security considerations
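The OT asset discovery and continuous monitoring rows of Table 1 are easier to see in practice than to describe. The following is an added example, not code from this paper or from eSentire: it builds an asset inventory from passively captured flow records (passive discovery is chosen because active scanning can disrupt legacy controllers), then checks each flow against the Purdue reference model, alerting on traffic that skips a level (for example, enterprise IT talking directly to a controller) and on write operations to controllers that do not originate from the supervisory level. The site addressing plan, the port-to-protocol mapping and the sample flow records are all constructed for illustration.

```python
"""Added example (not from the original paper): discover OT assets from passive
flow records and check traffic against Purdue-model boundaries.

Everything below is constructed for illustration: the site addressing plan,
the port-to-protocol mapping and the sample flow records.
"""
import ipaddress

# Hypothetical site addressing plan mapping subnets to Purdue levels.
PURDUE_PLAN = [
    (ipaddress.ip_network("10.10.1.0/24"), 1),  # controllers (PLCs, RTUs)
    (ipaddress.ip_network("10.10.2.0/24"), 2),  # HMIs, engineering workstations
    (ipaddress.ip_network("10.10.3.0/24"), 3),  # site operations (historian, MES)
    (ipaddress.ip_network("10.30.0.0/16"), 4),  # enterprise IT
]

# Industrial protocols identified by their well-known TCP ports.
INDUSTRIAL_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip"}

# Constructed flow records as a passive sensor on a SPAN/TAP port might emit:
# (timestamp, src_ip, dst_ip, dst_port, protocol, function)
SAMPLE_FLOWS = [
    ("2020-03-02T08:00:01", "10.10.2.15", "10.10.1.20", 502, "modbus", "read_holding_registers"),
    ("2020-03-02T08:00:05", "10.10.2.15", "10.10.1.21", 102, "s7comm", "read_var"),
    ("2020-03-02T08:00:09", "10.10.2.16", "10.10.1.22", 44818, "enip", "list_identity"),
    ("2020-03-02T08:01:00", "10.10.2.15", "10.10.1.20", 502, "modbus", "write_single_register"),
    ("2020-03-02T08:02:30", "10.30.5.40", "10.10.2.15", 3389, "rdp", "connect"),
    ("2020-03-02T08:03:00", "10.30.5.40", "10.10.1.20", 502, "modbus", "write_multiple_registers"),
]


def purdue_level(ip):
    """Return the Purdue level assigned to an address, or None if it is not in the plan."""
    addr = ipaddress.ip_address(ip)
    for network, level in PURDUE_PLAN:
        if addr in network:
            return level
    return None


def build_inventory(flows):
    """Passive asset discovery: record every address seen and tag controllers
    (hosts that answer on an industrial port) and industrial clients (hosts
    that talk to them). No packets are sent to the plant network."""
    inventory = {}
    for ts, src, dst, port, _proto, _func in flows:
        for ip in (src, dst):
            inventory.setdefault(ip, {"level": purdue_level(ip), "roles": set(),
                                      "protocols": set(), "first_seen": ts})
        if port in INDUSTRIAL_PORTS:
            name = INDUSTRIAL_PORTS[port]
            inventory[dst]["roles"].add("controller")
            inventory[dst]["protocols"].add(name)
            inventory[src]["roles"].add("industrial_client")
            inventory[src]["protocols"].add(name)
    return inventory


def detect(flows):
    """Flag flows that violate the Purdue model. Returns (timestamp, rule, src, dst) tuples."""
    alerts = []
    for ts, src, dst, port, _proto, func in flows:
        s, d = purdue_level(src), purdue_level(dst)
        if s is None or d is None:
            # An address outside the plan is itself a finding for the asset inventory.
            alerts.append((ts, "unplanned_address", src, dst))
            continue
        # Traffic should cross one level at a time (enterprise traffic reaches the
        # site through the DMZ); a flow that skips levels is a boundary violation.
        if abs(s - d) > 1:
            alerts.append((ts, "purdue_boundary_violation", src, dst))
        # Only supervisory-level hosts (Level 2) should write to controllers.
        if port in INDUSTRIAL_PORTS and func.startswith("write") and s != 2:
            alerts.append((ts, "controller_write_outside_level2", src, dst))
    return alerts


if __name__ == "__main__":
    for ip, asset in sorted(build_inventory(SAMPLE_FLOWS).items()):
        print(f"{ip:<12} L{asset['level']} {sorted(asset['roles'])} {sorted(asset['protocols'])}")
    for alert in detect(SAMPLE_FLOWS):
        print("ALERT", *alert)
```

Run against the sample, the inventory identifies three controllers at Level 1 and the hosts that program them, and the detector raises three alerts: the enterprise host's RDP session into the engineering workstation, and its direct Modbus write to a PLC, which trips both rules. In a real deployment the inventory would be enriched with OS and patch data from the CMDB (the "central mapping" item in Table 1) and the write rule would be tightened to a baseline of known engineering hosts rather than a whole level.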


Policies are a must-have

Most IT and security teams apply a multi-step approach to evaluate third parties, but formalized data policies and senior management support for third-party risk assessment are often lacking. Even where third-party data risk management policies exist, many organizations fail to execute them completely owing to competing priorities.

eSentire's research has shown that a strong majority of manufacturing organizations consider their policies to be effective, a result that conflicts with the number of reported breaches attributed to vendors. And while companies consider their policies effective, only a quarter of firms completely agree that their company allocates sufficient resources to manage third-party relationships.

On the positive side, most keep an up-to-date inventory of all third parties with whom they share data.

Promises and consequences

While the majority of organizations include in their contracts legal or monetary consequences in the event of a third-party data breach, far fewer discontinue their relationships with the vendors responsible, and distressingly few change their risk policies as a result of the incident.

When a customer agrees to do business with you, there is a tacit promise of trust, and acting on a supplier's failure is part of keeping that promise. Consequences include immediately terminating the third party, legal action including lawsuits, and financial reimbursement to cover breach costs (technical, legal and PR) plus extra damages. Following through shows that your company takes security seriously.

Ask the tough questions

Finally, manufacturers should not be shy about asking their suppliers the same tough security questions that the

manufacturers should be asking themselves.

Outsourcing security operations

Most small and medium manufacturers, but also many large, sophisticated ones, lack the specialized expertise required to appropriately manage cybersecurity risk. Additionally, as noted previously, there is a major dearth of cybersecurity talent in the global pool.

For these reasons, many organizations turn to third-party solution providers as a cost-effective means of

managing risk through outsourced security operations.

Choosing a cybersecurity provider isn’t easy and it’s a decision you want to get right. With that goal in mind, here

are some questions which can help you choose the best solution provider for your needs.

What cybersecurity services does our organization need?

Like many decisions, choosing the right cybersecurity provider—for your organization—begins with

understanding your own needs. Of course, even this internal assessment can be challenging because it still

requires substantial knowledge of the subject. Thankfully, a consultative solution provider can help you identify

functional gaps and make you aware of needs that you otherwise may have overlooked.


What are the solution provider’s qualifications?

When looking for a cybersecurity provider, be sure to ask about specific qualifications and experience.

Detection and response is a specialized discipline within the broader field of cybersecurity, much as a neurosurgeon is a specialist relative to a general practitioner: both are qualified, but you consult each for different reasons. Potential solution providers should be ready and willing to provide you with a list of certifications.

Next, go beyond qualifications and ask about practical matters and experience: How many cases has the

provider handled? What references can they provide? Where are their team members based?

Does the solution provider understand our organization?

It’s important that your cybersecurity provider understands your organization; that way, you can jointly develop

effective plans, agree upon division of responsibilities, and—most importantly—assist each other effectively

during an incident.

To that end, your potential solution providers should be very curious about how your organization operates, what tools you use, your risk profile, and so on. Additionally, you should ask potential providers if they have worked with other manufacturing clients, if they are well-versed in the regulations governing your organization’s activities and operating geographies, if they are familiar with the tools and technologies your organization employs—including specialized industrial systems—and other questions to determine the degree to which they truly

understand your organization and your operational context.

How will we work together with the cybersecurity provider?

From knowing when to contact your solution provider to understanding the operational details of detection and

response, it’s vitally important that both parties understand the working relationship.

In reality, this question can only be answered by speaking with each potential solution provider and then

by working with your chosen provider to precisely define your policies, plans and procedures. As timely

communication is critical during an incident, be sure to designate within your organization a point of contact and

at least one backup.

What related services does the solution provider offer?

There are many services related to detection and response and there is considerable benefit to finding partners

who can offer such services. For example, doing so reduces the number of third parties involved, avoids

complications relating to information sharing and maintains expediency.

You should inquire about:

• Training and awareness programs and resources (many of which are freely available)

• Insider threat assessment and program development

• Cybersecurity framework assessment and program development

• Data privacy/compliance assessment

• Cloud cybersecurity assessment

• Penetration testing, which pits your defenses against a human adversary emulating the actions and

techniques used by advanced threat actors

• Incident response


Eight common mistakes which increase risk

For a manufacturing organization to best address its cybersecurity needs, it's important to avoid mistakes. Here are eight of the most common mistakes which increase risk.

Keeping employees in the dark and not talking about cybersecurity

Whether due to a lack of domain expertise, discomfort with the subject matter in general—or some other

reason—too many organizations don’t talk with their teams about cybersecurity.

While awareness alone isn’t a substitute for investments and processes, the more your employees are aware that

cyberthreats exist the better prepared they are to understand the risks and embrace new initiatives.

Simple steps to increase awareness include addressing cybersecurity (in general or specific initiatives) during

company meetings and within internal communications, conducting training sessions, directing employees to

third-party resources and including cybersecurity goals among the company’s guiding objectives.

Thinking cybersecurity is an IT problem

Information technology has evolved faster than perhaps any other domain in human history. Where once

“computer” referred to a human job, now the term almost lacks specific meaning as all manner of devices include

embedded computational capabilities.

Desktop computers which kept workers tethered to a single location are becoming a relic of the past—an

intermediate stage of the evolution of business between manual desk-based labor and the cloud-hosted,

increasingly mobile, ever-more-interconnected reality of today.

In the early days of the Internet revolution, cybersecurity was largely limited to client-based antivirus and

firewalls. Over time, intrusion detection and prevention devices appeared. Crude port- and signature-based

solutions gave way to behavioral recognition powered by machine learning.

This IT-oriented past shaped the thinking of a whole generation of executives, but it is already dangerously

outdated. When the environment around us changes, changing with it is the key to survival.

Thinking about cybersecurity as only an IT issue fails to recognize the degree to which modern business relies

on information as its lifeblood.

Having incomplete preventative measures in place

Cybersecurity requires specialized expertise, organizational commitment, disciplined personnel and layers of modern tools to provide defense in depth. Yet even sophisticated organizations who understand these necessities make mistakes: failing to consider and cover the entire attack surface, unnecessarily keeping some devices out of scope, leaving services externally exposed, treating insecure behavior from executives as necessary exceptions, or simply introducing defensive solutions too slowly. Partial deployments of tools, and exceptions granted without compensating controls, leave gaps that attackers will find before you do.


Believing an incident won’t happen

The unfortunate reality is that—at some point—an incident will happen: maybe configuration or patching issues

will leave gaps, a laptop will be misplaced, a phishing attempt will succeed or a sophisticated attack will

break through.

The prudent approach to risk management is to accept this unwelcome truth and prepare your organization,

because with the right processes and systems in place you can at least limit the frequency, reduce the

magnitude and be aware of incidents (what you don’t know most definitely can hurt you).

Not knowing how to respond to an incident

Time is of the essence when an incident occurs; delays negatively impact containment and recovery activities

and can give threat actors time to destroy evidence.

Plus, delays can also have an enormous impact on commercial productivity. For example, consider an attack

which forces a company to rebuild their domain controllers: following a defined method of procedure might limit

production disruption to one day, versus days or even weeks if no procedure is in place.

Two major causes of delays which impact an organization’s ability to manage risk are decision paralysis and

failing to have a detection and response provider at the ready.

First, subscribing to a cybersecurity service ensures you have around-the-clock protection and someone to

call when an incident occurs—or better yet, they call you at the first sign of an anomaly or possible intrusion.

The alternative requires you to pick up the phone to reach out to different providers to initiate conversations

and negotiate contracts and legal terms—during a period of time characterized by chaos, panic and a need

for expediency.

Second, it is crucial during a security incident to designate someone within your organization with sufficient

decision-making authority to enable and enforce timely responses. Seriously explore different scenarios and

capture decisions in written policies. For instance, ask what happens if an industrial controller is found to be

infected—should you shut down the assembly line? What criteria should go into this decision?

Avoid committees, as they create dangerous delays and lead to very conservative, least-objectionable thinking

at a time when decisiveness is paramount.

Additionally, ensure the designated person is willing to make potentially tough decisions (for instance, taking an

assembly facility offline to contain an incident) and has real authority within the organization. A security incident

is not the time to debate power dynamics and to get pulled into political discussions, nor is it the time to discover

that people feel empowered to disobey the instructions because they came from the ‘wrong’ person.

Not knowing your regulatory and contractual obligations

Regulations and contracts impose specific obligations upon your organization and it’s crucial you understand them.

A “breach” has specific legal/contractual meaning and implications, and an incident should not be labelled

as such until the specific conditions are met. Again, it’s important to understand regulatory and contractual

details so you can reserve the term “breach” for incidents which meet the criteria, thereby avoiding

unnecessary consequences.


Furthermore, your incident response plan should clearly identify who within your organization has the authority to

label an incident a “breach.”

Failing to properly understand your notification requirements can lead to two follow-on mistakes:

1. Failing to send a notification when you were obligated to do so

2. Sending a notification when you were not obligated to do so

Both can cause significant damage. To avoid such errors, your organization needs to be keenly familiar with two

sets of notification requirements relating to cybersecurity incidents:

• Government regulations: bloc-, federal-, and state- or provincial-level laws and statutes (for example, GDPR, which sets a 72-hour window for notifying the supervisory authority of a reportable breach, and PIPEDA) governing notification requirements and timelines, including when you are required to notify or involve law enforcement agencies

• Contractual obligations: upstream and downstream commitments to notify suppliers and customers

While many breach notification regulations and requirements contain similar components, there can be important differences. Moreover, as breaches rise in frequency and prominence, regulations and contractual obligations are changing, which requires organizations to stay up to date.

Believing that compliance guarantees security

Most businesses today have a well-developed understanding of the regulatory environment in which they

operate and their degree of compliance. However, compliance is no guarantee of security.

First, some companies make the mistake of assuming that compliance in one area (for example, PCI) is

suggestive of competence in another (for example, cyber risk management) when, in reality, the two areas are

very different and have little correlation.

Second, and likely much more common, many companies conclude that compliance in an area equates to a validation of security in that area. Unfortunately, compliance requirements are often little more than outdated checklists of minutiae and do not meaningfully assess security capabilities.

Both scenarios can lead to well-intentioned, but mistaken, reports to the board which suggest a stronger

cybersecurity posture than is warranted.

Thinking that there’s a single best approach to managing cyber risks

If only it were this simple. The reality is that there are countless risks, every manufacturing organization has

unique exposure and risk tolerance and resources vary enormously from company-to-company.

The board must help management to identify which risks should be avoided, which should be accepted, which

should be mitigated, and which should be transferred.

In most cases, and especially for manufacturers, managing cyber risk involves leveraging a combination of internal resources and third-party solution providers, plus purchasing insurance.


Conclusions and Recommendations

Attacks on manufacturing firms will only continue to increase as operational technology and information

technology systems converge and blend into one ecosystem.

Company leaders should create a culture of cybersecurity awareness throughout the entire organization by

regularly referencing the subject and championing training initiatives and other investments.

There are no magic bullets, but manufacturers of all sizes and resourcing can follow this list of security “must

haves” to reduce the risk and improve their ability to respond and recover from an attack:

1. Identify and audit critical systems and data. Protect what matters.

2. Understand your obligations (legal, regulatory, supply-chain, and client).

3. Establish cybersecurity policies, procedures, and executive reporting mechanisms.

4. Conduct an annual risk assessment and security readiness exam (penetration testing, red-blue

team exercises).

5. Require encryption of stored data (mobile devices, laptops, servers, etc.).

6. Use a virtual private network (VPN) to protect data and user credentials in transit.

7. Establish mobile and bring your own device (BYOD) rules and controls to enforce strong passwords and limit access to corporate assets.

8. Establish back-up systems and services, and keep at least one copy offline or otherwise isolated so that an attacker who reaches the network cannot also reach the backups. Pay particular attention to domain controllers, as they are prize targets of threat actors.

9. Establish an incident response plan and team, and practice fire drills to hone your program.

10. Consider cyber insurance to cover investigation, disruption, lost revenue, and other costs not covered in

non-cyber specific policies.

Beyond those best practices, manufacturers of all sizes should take steps to:

• Enable effective cybersecurity governance by creating reporting structures and adopting metrics which

enable the board to make informed and timely decisions.

• Understand operational security considerations to ensure cybersecurity thinking extends beyond the

traditional IT to encompass operational systems in industrial Internet of things (IIoT) environments.


• Manage supply chain risk with a combination of prevention, policies and promises (plus consequences).

• Outsource certain security operations as a strategic and cost-effective means to overcome a global

shortage of cybersecurity professionals.

• Avoid common mistakes which can undermine even the best-intentioned and well-funded cybersecurity

blueprints.

While cybersecurity is a complex and intimidating subject, it is also a modern business imperative. Thankfully,

there are many resources available from governmental organizations, industry associations and third parties to

help manufacturers manage risks.



eSentire, Inc., the global leader in Managed Detection and Response (MDR), keeps organizations safe from constantly evolving cyberattacks

that technology alone cannot prevent. Its 24x7 Security Operations Center (SOC), staffed by elite security analysts, hunts, investigates and

responds in real time to known and unknown threats before they become business disrupting events. Protecting more than $6 trillion AUM,

eSentire absorbs the complexity of cybersecurity, delivering enterprise-grade protection and the ability to comply with growing regulatory

requirements. For more information, visit www.esentire.com and follow @eSentire.

The National Association of Manufacturers is the largest manufacturing association in the United States, representing small and large

manufacturers in every industrial sector and in all 50 states. Manufacturing employs more than 12.8 million men and women, contributes

$2.37 trillion to the U.S. economy annually and has the largest economic multiplier of any major sector and accounts for 63% of private-sector

research and development. The NAM is the powerful voice of the manufacturing community and the leading advocate for a policy agenda that

helps manufacturers compete in the global economy and create jobs across the United States. For more information about the Manufacturers

or to follow us on Twitter and Facebook, please visit www.nam.org.
