Are manufacturing enterprises secure against cyber attack? That question was addressed in a panel discussion of industry experts held during the 2015 FABTECH event in Chicago on November 10.
Moderated by Dominick Glavach, CISO and senior principal IS security engineer with Concurrent Technologies Corporation, the panel included Ben Gibson, owner of SysRoc Systems, Rob Dolci, president of Aizoon and Jay Conolly, director of commercial solutions at Prescient Edge, LLC.
Conolly kicked off the discussion with an industry problem: “It’s about identifying the inside threat. At the end of the day, any trusted agent in your company, employee or vendor can cause a breach and then you’re responsible. If you’re working with a third party vendor and they have a problem, you have that problem, too.”
How do smaller companies address problems like this?
According to Conolly, “It’s not as complicated as it seems. Reflect on how you vet new hires, vendors and suppliers. Then, monitor and recognize that an event has occurred when it occurs. It’s about developing awareness of the threat.”
Rob Dolci agreed: “It starts with a focus on the assets the firm needs to protect. Manufacturing companies often don’t have that capability – to understand the risks that occur when a firm opens up a communication connection. At the end of the day, it’s risk mitigation; the average damage from a major breach is about 4 million dollars.”
Losing customer data is serious, but what about proprietary information like product designs?
Ben Gibson states: “Anything connected to the Internet is vulnerable. Malware is a problem. There is inexpensive software that can watch for bad behaviour or that can fingerprint connected devices to make sure that they behave in expected, normal ways.”
But who attacks smaller manufacturers?
Gibson sees two threats: “One is opportunistic; a hacker sees an open door and goes in. The second type has malicious intent. They want to alter files and steal information. You need to approach both kinds of threats.”
Conolly adds, “We’ve seen an increase of hacker attacks that occur just to cause damage. It often happens when an employee opens a bad e-mail or accesses a bad website. Internal polices to control what employees do online could reduce attacks by up to 90 percent in some cases.”
Rob Dolci notes that malware comes in many forms: “If anyone wants to become a hacker, there are websites that let you download software to let you start right away. If you have a competitor or a disgruntled employee, the sophistication of the software is huge. I’ve seen a spot welding application hacked to move the welds in a way that compromised product safety and quality. The effect on consumer perception and a company’s reputation can be huge. It’s highly unpredictable and difficult to measure the extent of the possible damage. The insurance industry is working hard to develop risk models.”
Does the Cloud add security?
In a sense, it does, declares Gibson: “The Cloud is really like a neighbourhood watch. It’s somewhat safe for that reason: software vendors on the Cloud have a sense of liability and have teams watching, but your corporate applications may have holes. I see the Cloud as a benefit to smaller companies who don’t have the infrastructure to protect their internal systems adequately. Cloud providers should be able to provide references, just like any contractor you might hire.”
Downloading software to a USB stick or to a laptop is a common way to avoid the hassle of having to go to the Cloud frequently, but it adds risk, says Dolci: “It’s in everyone’s interest to keep systems safe, but you can’t depend on Cloud apps alone. Amazon can only do so much. I’d like to see one or two penetration tests every year. It’s inexpensive, but a Cloud vendor should be ready for this.”
So what’s the first step?
Conolly suggested starting with a security policy. “It doesn’t have to be complicated, but it should include employee conduct, IT systems and a disaster recovery plan. If something happens, what do I do? Do I need an outside provider?”
Dolci agreed: “You may have hardware of many ages and security levels. Staying behind the curve in software and hardware adds to vulnerability. Moving from a simple PLC, for example, may add vulnerability. It’s important when moving to industrial IoT to add a security protocol.”
To learn more about other FABTECH 2015 events, visit http://www.fabtechexpo.com.