Top 10 Cybersecurity Tips for Digital Transformation

You don’t want to see a headline about your cybersecurity lapses. Nor do you want vocal critics to sully your carefully cultivated stellar engineering reputation. You want to avoid the cost and disruption of cleaning up after a cybersecurity incident.

Treating cybersecurity as an afterthought or something others will address during digital transformation projects is always a mistake. It leads to avoidable cybersecurity holes that bad actors love to exploit.

Thankfully, there are steps you can take to guard against the vulnerabilities that digital transformation initiatives often uncover. Here are the top 10 actions engineering companies can take to minimize cybersecurity risks during digital transformation, in order of least to most important.

10. Conduct an OT cybersecurity risk assessment

Sometimes digital transformation projects reveal that the realm of operational technology (OT) has not received the same amount of cybersecurity attention as information technology (IT). In this case, an OT cybersecurity risk assessment should be conducted.

The International Society of Automation (ISA) standard Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program (ISA-62443-2-1) provides valuable guidance for developing a business rationale for OT cybersecurity investments.

9. Assess technology changes

Often digital transformation projects introduce changes to the suite of information technologies that an engineering company operates. New technologies introduce or revise cybersecurity risks.

Your project team should update its IT cybersecurity risk assessment when technology changes occur and act on new findings.

8. Test Application Programming Interfaces

Most digital transformation projects develop custom application programming interfaces (APIs) for integrating databases or to allow software developers of external partners to access specific applications within an engineering company’s computing environment.

When attackers discover these APIs, they can easily create software to cause data breaches. The response to this risk is to ensure the following:

  1. Test the API software thoroughly.
  2. Rotate the credentials authorized to access the API regularly.
  3. Log use of the API and review the log regularly.
  4. Store the API source code securely. Never publish it to an open-source repository.
  5. Limit the circulation of the developer guide for using the API. Please don’t post it on the web.
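
Items 2 and 3 above (rotate credentials, log API use and review the log) are the ones a project team can automate. The script below is an added example, not code from the original article: it parses a constructed API access log, flags keys older than an assumed 90-day rotation period, and flags keys used from outside their expected network, keys nobody issued, and repeated authentication failures. The log format, the key inventory, the review date and both thresholds are assumptions made for illustration.

```python
"""Review API access logs and credential age.

Added example, not code from the original article. The log line format,
the credential inventory, the 90-day rotation period and the failure
threshold are all assumptions chosen for illustration.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "timestamp key_id client_ip method path status"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z key-alpha 10.0.0.5 GET /v1/projects 200
2024-05-01T08:00:02Z key-alpha 10.0.0.5 GET /v1/projects/42 200
2024-05-01T08:05:10Z key-beta 203.0.113.7 GET /v1/drawings 200
2024-05-01T08:05:11Z key-beta 203.0.113.7 GET /v1/drawings 401
2024-05-01T08:05:12Z key-beta 203.0.113.7 GET /v1/drawings 401
2024-05-01T08:05:13Z key-beta 203.0.113.7 GET /v1/drawings 401
2024-05-01T09:00:00Z key-gamma 10.0.0.9 POST /v1/export 200
2024-05-01T09:30:00Z key-zeta 10.0.0.9 GET /v1/projects 403
"""

# Constructed credential inventory: which keys exist, when they were issued,
# and which client networks each key is expected to be used from.
KEY_INVENTORY = {
    "key-alpha": {"issued": datetime(2024, 1, 2, tzinfo=timezone.utc),
                  "allowed": [ipaddress.ip_network("10.0.0.0/24")]},
    "key-beta":  {"issued": datetime(2024, 4, 20, tzinfo=timezone.utc),
                  "allowed": [ipaddress.ip_network("10.0.0.0/24")]},
    "key-gamma": {"issued": datetime(2024, 4, 25, tzinfo=timezone.utc),
                  "allowed": [ipaddress.ip_network("10.0.0.0/24")]},
}
REVIEW_DATE = datetime(2024, 5, 1, tzinfo=timezone.utc)  # constructed review date
ROTATION_PERIOD = timedelta(days=90)  # assumed policy: rotate API credentials every 90 days
MAX_AUTH_FAILURES = 3                 # assumed threshold for flagging a key


def parse_log(text):
    """Parse the space-separated log format into dicts with typed fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key_id, ip, method, path, status = line.split()
        entries.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "key": key_id,
            "ip": ipaddress.ip_address(ip),
            "method": method,
            "path": path,
            "status": int(status),
        })
    return entries


def stale_keys(inventory, now, max_age=ROTATION_PERIOD):
    """Keys issued longer ago than the rotation period (item 2: rotate credentials)."""
    return sorted(k for k, meta in inventory.items() if now - meta["issued"] > max_age)


def review_log(entries, inventory, max_failures=MAX_AUTH_FAILURES):
    """Flag unknown keys, use from unexpected networks and repeated auth failures (item 3)."""
    unknown = set()
    unexpected = defaultdict(set)
    failures = Counter()
    for e in entries:
        meta = inventory.get(e["key"])
        if meta is None:
            unknown.add(e["key"])          # a key nobody issued: investigate
            continue
        if not any(e["ip"] in net for net in meta["allowed"]):
            unexpected[e["key"]].add(str(e["ip"]))   # key used from outside its expected network
        if e["status"] in (401, 403):
            failures[e["key"]] += 1
    return {
        "unknown_key": sorted(unknown),
        "unexpected_network": {k: sorted(v) for k, v in unexpected.items()},
        "auth_failures": {k: n for k, n in failures.items() if n >= max_failures},
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("keys due for rotation:", stale_keys(KEY_INVENTORY, REVIEW_DATE))
    for kind, items in review_log(entries, KEY_INVENTORY).items():
        print(f"{kind}: {items}")
```

Run against the constructed log, the review flags key-alpha for rotation (issued 120 days before the review date), key-beta for use from an address outside its expected network and for three authentication failures, and key-zeta as a key that does not appear in the inventory at all. The network check is the reason to keep an inventory beside the log: the log alone cannot say where a key should be used from.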

7. Evaluate SCADA/IIoT integration points

Some digital transformation projects bring SCADA/IIoT data from OT infrastructure into the realm of IT systems. Often these two realms are managed by different executives with different mandates and priorities.

Evaluate the cybersecurity risks of the digital transformation projects’ SCADA/IIoT integration points. These points are often represented by a server or network device whose management responsibility is vague or ambiguous. As a result, the cybersecurity defenses can be uneven.

Act on the conclusions of your integration point evaluation. They typically include clarifying roles and responsibilities and updating the devices.

6. Confirm CSP cybersecurity defenses

Many digital transformation projects include a cloud component. That component can be either the use of a computing infrastructure operated by a cloud service provider (CSP) or a cloud operated by a SaaS provider.

Because most CSPs operate extensive cybersecurity defenses and proudly describe this work as a valuable customer benefit, most customers don’t invest more effort in cloud cybersecurity assessment or testing.

It’s prudent to allocate a modest effort to confirming the comprehensiveness of your CSP’s cybersecurity defenses.

5. Restrict access to cloud management consoles

Digital transformation projects with a cloud component will operate an associated management console. These consoles are highly sought-after targets for cyberattacks because they control all aspects of an organization’s cloud resources. Unauthorized use of these powerful cloud consoles can create immediate havoc or data breaches.

The best response to management console risks is to treat access to the cloud management console as privileged access. This best practice is implemented by:

  1. Requiring end-users to justify every login and tracking all logins to quickly identify unusual, inappropriate, or fraudulent access.
  2. Authorizing every user ID for only specific, limited access for a specified period to contain the damage any compromised user ID can cause.
  3. Employing single sign-on (SSO) so that end-users experience a secure and frictionless sign-in.
  4. Implementing multi-factor authentication (MFA) to add an extra layer of protection before access to cloud consoles is granted.

Together these privileged access measures prevent cyberattacks against your cloud management consoles.
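
The four measures above combine into one access decision per console login: a justified, scoped, time-limited grant must exist, and MFA must have been verified before the console is reached. The code below is an added example of that model and is not the article's code or any cloud provider's real API. The grant and attempt records, the four-hour default window, the business-hours range and the constructed timeline are assumptions chosen for illustration.

```python
"""Treat cloud console access as privileged: justified, scoped, time-bound, MFA-gated.

Added example, not the article's code and not any CSP's real API. The grant
and attempt records, the 4-hour default window and the business-hours range
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

AUDIT_LOG = []  # every decision is recorded here (item 1: track all logins)


@dataclass
class ConsoleGrant:
    user_id: str
    scope: str           # e.g. "compute:admin"; wildcards are refused
    justification: str   # change ticket or approval reference
    starts: datetime
    expires: datetime


@dataclass
class LoginAttempt:
    user_id: str
    scope: str
    time: datetime
    mfa_verified: bool   # set by the SSO/MFA step before the console is reached


def grant_access(user_id, scope, justification, now, duration=timedelta(hours=4)):
    """Issue a grant limited to one scope and one time window (item 2)."""
    if not justification.strip():
        raise ValueError("every privileged grant needs a justification")
    if scope == "*" or scope.endswith(":*"):
        raise ValueError("wildcard scopes are not granted; request the specific scope")
    return ConsoleGrant(user_id, scope, justification, now, now + duration)


def authorize(attempt, grants):
    """Decide one console login and record it. Returns (allowed, reason)."""
    if not attempt.mfa_verified:
        reason = "mfa_required"                 # item 4
    elif any(g.user_id == attempt.user_id and g.scope == attempt.scope
             and g.starts <= attempt.time < g.expires for g in grants):
        reason = "ok"
    else:
        reason = "no_active_grant"              # no grant, wrong scope, or window expired
    AUDIT_LOG.append({"user": attempt.user_id, "scope": attempt.scope,
                      "time": attempt.time.isoformat(), "allowed": reason == "ok",
                      "reason": reason})
    return reason == "ok", reason


def unusual_activity(audit_log, business_hours=(7, 19)):
    """Pick out records a reviewer should look at: denials and off-hours logins (item 1)."""
    flagged = []
    for rec in audit_log:
        hour = datetime.fromisoformat(rec["time"]).hour
        if not rec["allowed"] or not (business_hours[0] <= hour < business_hours[1]):
            flagged.append(rec)
    return flagged


def run_demo():
    """Walk through one grant and several attempts; returns the decisions in order."""
    AUDIT_LOG.clear()
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)       # constructed timeline
    grants = [grant_access("alice", "compute:admin", "CHG-1234", t0)]
    attempts = [
        LoginAttempt("alice", "compute:admin", t0 + timedelta(hours=1), True),   # inside window
        LoginAttempt("alice", "compute:admin", t0 + timedelta(hours=1), False),  # no MFA
        LoginAttempt("alice", "billing:admin", t0 + timedelta(hours=1), True),   # wrong scope
        LoginAttempt("alice", "compute:admin", t0 + timedelta(hours=5), True),   # window expired
        LoginAttempt("bob", "compute:admin", t0 + timedelta(hours=1), True),     # never granted
    ]
    return [authorize(a, grants) for a in attempts]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
    print("for review:", len(unusual_activity(AUDIT_LOG)), "records")
```

Only the first attempt succeeds; the other four are denied for four different reasons, and each denial lands in the audit log where `unusual_activity` surfaces it for review. Because a grant expires on its own, a compromised user ID buys an attacker at most one window rather than standing access.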

4. Incorporate cybersecurity in application software design

Digital transformation projects typically design, build and test some application software. It’s difficult to complete digital transformation projects using only data integration and application software packages.

Incorporate cybersecurity functionality in custom application software design by following best practices that include:

  1. Secure the software development environment.
  2. Perform extensive data input validation.
  3. Encrypt the data your application creates and serve it over HTTPS.
  4. Include authentication, role management and access control.
  5. Include auditing and logging.
  6. Adhere to best practices for configuring virtual servers.
  7. Don’t shortcut quality assurance and testing.
  8. Upgrade application software as security threats evolve.
  9. Delete inactive virtual servers and databases.

Following these best practices will significantly reduce the risk of successful cyberattacks when your digital transformation application is in routine production.
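
Item 2 in the list above, extensive input validation, is the one most often skipped in custom code, so here is an added example of what it looks like for one application endpoint. It is not code from the article: it shows a query built by string formatting (the form to avoid) beside the hardened form, which validates the input against an allowlist pattern and then binds it as a query parameter. The `drawings` table, the project-code format and the sample rows are assumptions made for illustration.

```python
"""Input validation plus parameterized queries for a custom application endpoint.

Added example, not code from the article; the `drawings` table, the
project-code format and the sample rows are assumptions.
"""
import re
import sqlite3

# Assumed business format for a project code, e.g. "ENG-1042": letters, dash, digits.
PROJECT_CODE = re.compile(r"[A-Z]{2,4}-[0-9]{3,6}")


def setup_db():
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE drawings (id INTEGER PRIMARY KEY, project TEXT, title TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO drawings (project, title, owner) VALUES (?, ?, ?)",
        [("ENG-1042", "Pump skid P-101", "alice"),
         ("ENG-1042", "Piping isometric L-7", "alice"),
         ("ENG-2077", "Substation layout", "bob")],
    )
    return conn


def validate_project_code(value):
    """Allowlist validation: reject anything that is not exactly a project code."""
    if not isinstance(value, str) or not PROJECT_CODE.fullmatch(value):
        raise ValueError(f"invalid project code: {value!r}")
    return value


def search_drawings_unsafe(conn, project):
    """The form to avoid: SQL built by string formatting, so input becomes query syntax."""
    sql = f"SELECT title FROM drawings WHERE project = '{project}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized_only(conn, project):
    """Parameter binding alone: the input is treated as a literal value, never as syntax."""
    rows = conn.execute("SELECT title FROM drawings WHERE project = ? ORDER BY id", (project,))
    return [row[0] for row in rows]


def search_drawings(conn, project):
    """Hardened form: validate first, then bind the value as a parameter."""
    code = validate_project_code(project)
    rows = conn.execute("SELECT title FROM drawings WHERE project = ? ORDER BY id", (code,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup_db()
    tampered = "ENG-1042' OR '1'='1"   # constructed malformed input
    print("unsafe:", search_drawings_unsafe(db, tampered))            # returns every row
    print("parameterized:", search_parameterized_only(db, tampered))  # returns []
    try:
        search_drawings(db, tampered)
    except ValueError as err:
        print("validated:", err)                                      # rejected before the query
    print("normal:", search_drawings(db, "ENG-1042"))
```

The two hardened functions show why validation and parameter binding are separate layers: binding stops malformed input from altering the query, while validation rejects it before any query runs, which also gives the auditing and logging in item 5 a clean event to record.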

3. Avoid over-permissioned accounts

Most digital transformation projects require establishing and managing end-user accounts and roles. When end-users are issued over-permissioned accounts and roles, giving them access to more data and databases than their assigned duties require, bad actors who compromise those accounts can penetrate your engineering company more easily and cause havoc.

To minimize this cybersecurity risk at design time, digital transformation teams should:

  1. Design software with many roles to limit the access of any one role.
  2. Pay for enhancements to SaaS software to increase the number of roles.

Most database management software (DBMS) packages include functionality for restricting access to tables and columns. Using this functionality for managing roles is tedious and error-prone for your database administrator (DBA) staff. Ultimately it’s unsuccessful.

For operating the system that your digital transformation project will deliver, this limited access concept is implemented by:

  1. Centrally managing all permissions.
  2. Continuously reviewing permissions to identify misconfigured permissions, over-permissioned accounts and roles.
  3. Considering the implementation of specialized software that makes recommendations to remediate problem permissions rapidly and efficiently.

Together these measures lower the risk of cyberattacks.
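
The three operating-phase measures above (a central permission inventory, continuous review, and recommended remediation) can be prototyped with a simple comparison of what each account was granted against what it actually exercised during an observation window. The script below is an added example, not the article's code or any product's: it reports per account the unused permissions to revoke, which of those are high risk, and any permission that was exercised without a grant, then orders accounts for remediation. The permission names, the high-risk classification, the weighting and the sample records are assumptions made for illustration.

```python
"""Find over-permissioned accounts by comparing granted permissions with observed use.

Added example, not the article's code or any product's. The permission
names, the high-risk classification and the sample records are assumptions.
"""
from collections import defaultdict

# Constructed central permission inventory: account -> granted permissions (item 1)
GRANTED = {
    "alice":   {"drawings:read", "drawings:write", "billing:read", "users:admin"},
    "bob":     {"drawings:read"},
    "svc-etl": {"drawings:read", "drawings:write", "db:export", "db:drop"},
}

# Constructed access events from the observation window: (account, permission exercised)
USAGE_EVENTS = [
    ("alice", "drawings:read"), ("alice", "drawings:write"), ("alice", "drawings:read"),
    ("bob", "drawings:read"), ("bob", "billing:read"),
    ("svc-etl", "drawings:read"), ("svc-etl", "db:export"),
]

# Assumed classification: permissions whose misuse is most damaging
HIGH_RISK = {"users:admin", "db:drop"}
RISK_WEIGHT = 5  # assumed: an unused high-risk permission counts this much more


def used_permissions(events):
    """Collapse events into account -> set of permissions actually exercised."""
    used = defaultdict(set)
    for account, perm in events:
        used[account].add(perm)
    return used


def review_permissions(granted, events, high_risk=HIGH_RISK):
    """Per account: what to revoke, which unused grants are high risk, use without a grant (item 2)."""
    used = used_permissions(events)
    report = {}
    for account, perms in granted.items():
        unused = perms - used[account]
        report[account] = {
            "revoke": sorted(unused),
            "high_risk_unused": sorted(unused & high_risk),
            # exercised but never granted: points at a misconfigured role or a bypass
            "used_without_grant": sorted(used[account] - perms),
        }
    for account in used.keys() - granted.keys():
        # activity from an account the inventory does not know about at all
        report[account] = {"revoke": [], "high_risk_unused": [],
                           "used_without_grant": sorted(used[account])}
    return report


def remediation_order(report, weight=RISK_WEIGHT):
    """Accounts ordered by how much excess or unexplained access they carry, worst first (item 3)."""
    def score(item):
        findings = item[1]
        return (len(findings["revoke"])
                + weight * len(findings["high_risk_unused"])
                + len(findings["used_without_grant"]))
    return [account for account, _ in sorted(report.items(), key=score, reverse=True)]


if __name__ == "__main__":
    report = review_permissions(GRANTED, USAGE_EVENTS)
    for account in remediation_order(report):
        print(account, report[account])
```

On the constructed data, alice and svc-etl each carry two unused permissions including one high-risk one (`users:admin` and `db:drop`), so they head the remediation list, while bob's only finding is a permission he exercised without a grant, which is a sign of a misconfigured role rather than an over-permissioned account. A real review would run this continuously against the central inventory rather than once.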

2. Understand compliance obligations

Some digital transformation projects touch on processes and data subject to various regulations for which engineering companies must demonstrate compliance. Data about people are particularly sensitive. Major example regulations that all include a cybersecurity component are:

  1. Federal Information Security Management Act (FISMA).
  2. General Data Protection Regulation (GDPR).
  3. Health Insurance Portability and Accountability Act (HIPAA).
  4. North American Electric Reliability Corporation Reliability Standards (NERC-CIP).
  5. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
  6. ISO 27001 Information security management.
  7. ISO 27002 Information security, cybersecurity and privacy protection.
  8. Payment Card Industry Security Council’s Data Security Standard (PCI DSS).
  9. Service Organization Control (SOC) Type 2.

Each of these regulations lays out requirements with which engineering companies must comply. Relevant software vendors typically describe implementation and operation strategies that are helpful for digital transformation project planning.

Include tasks to implement the cybersecurity requirements of applicable regulations in the scope of your digital transformation projects.

1. Conduct an IT cybersecurity risk assessment

Conduct an IT cybersecurity risk assessment for every digital transformation project. The characteristics of the project will influence what the highest risks are. However, the following risks occur frequently:

  1. Gaps in the internal cybersecurity defenses.
  2. Insufficient cybersecurity maturity exhibited by the application software or the software-as-a-service (SaaS) vendor.
  3. Varying supply chain vendor cybersecurity maturity.
  4. Uneven employee and contractor level of cybersecurity awareness.

The typical responses to reduce cybersecurity risk include implementing the following:

  1. Multi-factor authentication (MFA).
  2. Advanced threat detection solutions.
  3. More extensive use of encryption.
  4. An employee and contractor cyber awareness education program.

Use the conclusions of your cybersecurity risk assessment to influence the requirements and design of your digital transformation project.

By including these 10 actions in the scope of digital transformation projects, engineering companies can materially reduce cybersecurity risks.