IoT and manufacturing: Is your network cybersecure?

Modern manufacturers must embrace holistic security with multiple layers of defense by linking infrastructure, machine processes, and people

by David Van Dorselaer, AVP of Channel Marketing – Manufacturing at AT&T Business

Protecting the business from cybersecurity vulnerabilities is a top-of-mind issue for manufacturers. We sat down with David Van Dorselaer, AVP of Channel Marketing – Manufacturing at AT&T Business to discuss the challenges business leaders are facing with adopting a cybersecurity solution, how they can begin their journey, and how to continue to protect their organization as technology continues to advance for the industry.

Q: IoT isn’t new to manufacturing, yet many companies struggle to find the balance between having a highly secure network in place and expanding their use of IoT to take advantage of its benefits. Is it possible to expand the use of IoT without cybersecurity?

A: IoT solutions need to be built and deployed with security top of mind. IoT devices communicate with so many disparate systems, that there are risks with deploying broad IoT solutions without a security plan solidly in place.

It’s important to compare what you know about your network against devices that are connected, but unidentified. This will remain a key factor in the challenge of maintaining effective cybersecurity for IoT.

Navigating the complexity of IoT within the context of cybersecurity is a huge undertaking: from traditional firewall and endpoint protections to IDS/IPS (intrusion detection systems/intrusion protection systems), WIDS/WIPS (wireless intrusion detection system/wireless intrusion prevention system), mobile device management, more complex Network Access Control, and analytic solutions to enforce policy and mitigate attacks. Leaving these complexities to industry experts can help ease the burden and overcome the many challenges for IoT and cybersecurity.

Q: “Phishing” is a common way that hackers gain access to sensitive data. What about anti-virus, anti-malware, and spam filters? Are they adequate protection for companies that are not ready to invest in additional cybersecurity protections?

A: As a manufacturing organization, the types and amount of information you deal with on a regular basis make you an attractive target for cybersecurity attackers. From intellectual property to customer lists and production secrets, your data can be extremely valuable to them.

It’s important to have the basics of antivirus, antimalware, and spam filters in place, as well as to perform regular internal phishing tests. Your strategy can’t stop there, though, because companies need to have a multi-layered approach to cybersecurity.

For example, implementing concise learning programs and training can help those who access the network become more aware of key cybersecurity risk behaviors, trends, and cyberthreats. This training—online and in the classroom—equips employees with the ability to recognize threats and to be accountable for their activities.

Q: AT&T Business released Volume 8 of its Cybersecurity Insights Report in 2018. It states that 58% of IT leaders surveyed believe their security risk management strategy needs work. This is especially so for those with in-house management. Could you speak a little bit about why an in-house strategy isn’t sufficient?

A: The security landscape is changing quickly as new technologies and subsequent threats emerge. In most cases, an in-house approach to cybersecurity can’t adequately prepare for vulnerabilities and the sophisticated ways attacks can occur. New technologies are being brought into legacy environments, and they require a comprehensive security approach.

What tends to happen is companies look to point solutions to solve security gaps. Using an industry leader with a comprehensive view of the latest security protocols provides a framework that can integrate, automate, and orchestrate your business’s security needs.

With all of the endpoints in the factory—not to mention if there are several locations, field employees, and third-party vendors—consistent monitoring and system updating is also needed, not just to keep up, but to stay ahead of attackers.

Q: What are some of the key areas that should be considered in a comprehensive risk assessment?

A: First, make sure risk assessments are actually performed. It’s easy to make assumptions about where your company stands in its risk and readiness. After that, establishing a cross-functional team of key stakeholders in the cyber program, including IT (information technology), OT (operational technology), R&D (research and development), finance, and risk management is key to (1) identifying and socializing the risk framework to define mitigation strategies, and (2) clearly identify ownership for implementation.

From there, organizations should prioritize risks, define policies, and automate assessment processes such as IT governance, risk management, and compliance that span all of your IT and OT/ICS (industrial control systems) environments.

Q: Okay, so a framework is in place, then there’s a risk assessment process…now what?

A: Well, now business leaders can focus on enforcing the implemented IT policies. The good news is that adopting a cybersecurity solution doesn’t have to start from scratch. A basic risk assessment formula should consider the impact of the risk and the likelihood of it becoming a risk.

Compliance can be automated based on ISO 27005, which provides a basic structure for security risk management. It’s important to include built-in automation and workflow to not only identify threats, but also remediate incidents as they occur or anticipate them before they happen. Also, once the risks are determined, communicating the IT- and OT-risk in business-related terms helps business leaders understand the impact of your strategy.

Q: It’s good to know that it’s not necessary to start from scratch to implement cybersecurity. On to implementation then. What does that look like?

A: It’s no secret that IT and OT often have different priorities in any industry, but with the complexity and technology involved in manufacturing, this is certainly the case. The expansion of IoT sensors and devices makes convergence between IT and OT more necessary. They may also view the approach to cybersecurity differently. But there are steps you can take to address this.

First, initiate a formal risk management process with the needed tools in place to manage the security involved with the convergence of IT and OT. Then you want to make sure everyone is on the same page for what you’re protecting. Create a holistic inventory of all connected devices attached to network segments to know exactly what you’re trying to protect.

While “defense in depth” is an important consideration with relation to ICS, trends in the manufacturing space are moving toward a “zero-trust network,” that is, a “never trust, always verify” approach that extends to all layers of the enterprise. This helps reduce the exposure of vulnerable systems while decreasing the likelihood of lateral movement in the event of a breach. This, in turn, decreases the risk of significant production downtime, detrimental impacts to production quality, and the loss of IP and/or safety events.

Q: Who’s going to hold the responsibility for this structure being in place?

A: The best thing to do is to establish cross-functional cybersecurity teams to promote governance and best practices, and create a sense of accountability.

Q: That’s great information. It seems like a lot to consider.

A: Yes, it can be. There are a few questions manufacturing leaders can ask to help them navigate these waters, though. From a strategic perspective, for example, does the exposure of vulnerable systems impact strategic business decision making that can jeopardize achieving strategic business goals? Operations, on the other hand, may ask if the security escapes impact production, people, processes, and systems that could result in downtime or any other inefficiencies.

For considerations outside of the factory, how may an organization’s customers be impacted? Is the risk related to problems that could impact delivery schedules and as a result, customer confidence and their overall business reputation?

And finally, a top consideration is the compliance aspect. Does the risk impede your ability to adhere to laws, business rules, or regulations?

Q: So, to summarize some of the points you’ve mentioned, the expansion of IoT in manufacturing makes it necessary to go beyond first-level protections. Getting all employees trained and engaged is needed to truly protect the business. And it’s key to make sure IT and OT are on the same page and working together to protect the best interest of the business. And, consistent monitoring is needed as well. Any closing thoughts for how manufacturers can achieve highly secure operations today?

A: Well, we could go on, but I’ll close with this. Manufacturing companies must include the entire ecosystem and new cybersecurity strategies in their evaluations. Not only is the issue of security changing and expanding beyond the four walls of the corporation, but security also must be embedded into business ecosystem processes. More specifically, security needs to be part of the design for solutions and not a stand-alone topic.

As the factory floor and business processes align more closely, issues are extending beyond the enterprise. Connecting things, machines, workflows, databases, and the people who are on plant networks with the people who are on enterprise networks in a manner that’s highly secure is vital for data protection.

Modern manufacturers must embrace holistic security with multiple layers of defense by linking infrastructure, machine processes, and people. Day by day, this is becoming more business critical. But for those companies that bring the stakeholders of the business into a single vision, educate their workforce at all levels of the business, and reinforce these steps with a reliable service provider, protected operations can be a reality.