Historically, critical manufacturing systems and data generally existed in isolated networks and security in manufacturing focused on the physical aspect of the business. Cyberattacks were infrequent and primarily conducted by state-sponsored actors. Even as technology advancements and interconnected supply chains expanded, cybersecurity best practices such as endpoint protection and strong authentication protocols were largely considered a “nice-to-have.” This outdated perception lingered, despite a steady uptick in financially motivated cyberattacks over the past several years. Recent events, however, such as the Colonial Pipeline ransomware attack make it clear that manufacturers sit firmly in cybercriminals’ crosshairs.
Moreover, attacks aren’t limited by geography or company size. The 2021 IBM X-Force Threat Intelligence Index identified manufacturing as the second most attacked industry overall, a huge jump from eighth place the previous year. Only the finance industry experienced more cyberattacks.
The latest threat level indications are worrying news for the manufacturing industry:
Per Dragos Security, a cybersecurity firm that focuses specifically on infrastructure and manufacturing companies, many attacks are enabled by poor cybersecurity, particularly around secure authentication.
Nearly 80% of all hacking attacks on manufacturing originate from stolen credentials, and considering 66% of consumer goods and 53% of pharmaceutical companies admit to leaked credentials, this is unsurprising. Compounding the authentication vulnerabilities of security in manufacturing are the access controls deployed; 44% of manufacturers have sensitive files open to all employees, meaning a breach of anyone’s account could lead to widespread theft.
With a rising threat level and increased ransomware activity that can cause complete operational shutdown and millions in losses, what can manufacturing companies do to harden defenses, minimize attack vectors and reduce organizational risk? Given that credentials and authentication are the weakest security link for manufacturers (the Colonial Pipeline disaster started with a compromised VPN password on an account that was not protected by MFA), it’s essential that security controls are robust enough to withstand unauthorized attempts to access systems and networks.
Here we’ll take a look at some best practices for security in manufacturing and how to implement them in your own organization.
Phishing and other attack methods often incorporate a human error element. Making all employees aware of these risks and their countermeasures is essential for creating and maintaining robust security in manufacturing.
Organizations should remind employees of what good password hygiene looks like. Publish clear and simple policies around how to identify suspicious emails, attachments and links, even those purportedly from recognized internal contacts. Conduct training and ongoing testing, including simulated phishing attacks. You should also establish clear policies around vendor communications as “invoice redirect” fraud is a common low-level attack.
Though OT and ICS networks are often isolated, or at least partially segmented, from the corporate network, modern process management and data flows require employees to access most or all of these systems, often simultaneously. Holding multiple accounts can mean using, losing or forgetting multiple credentials, or worse, an employee reusing the same credentials everywhere.
Single Sign-On (SSO) systems are built to integrate with this dispersed network architecture. Employees need only one access point, which then authenticates them to the various systems they’ve been given access to. A single authentication point also saves time and improves productivity. For security in manufacturing specifically, SSO can relieve much of the risk introduced through the employee vulnerabilities mentioned above. It also concentrates risk, however: the SSO account becomes the key to every connected system, so that single login must be protected to a higher standard than any of the accounts it replaces.
While SSO can reduce the risk associated with multiple sets of credentials, it still doesn’t eliminate one of the biggest risk factors in cybersecurity: passwords. Whether you deploy SSO or not, strong multi-factor authentication (MFA) is essential to ensure authentication security in manufacturing. In fact, it is mandated for all US federal agencies by Executive Order 14028 and required by many other industry bodies.
MFA requires a user to prove their identity with at least two factors from different categories, namely something they know (a password or PIN), something they have (a phone, smart card or hardware security key) and something they are (a fingerprint or face).
Each additional factor raises the cost of an attack: a stolen or guessed password alone no longer logs an attacker in, so brute force and credential stuffing against MFA-protected accounts fail unless the second factor is also defeated. Not all MFA is created equal, however. SMS codes, one-time passwords and push notifications can all be defeated with modest effort: codes can be phished and relayed in real time, SMS can be intercepted by SIM swapping, and push prompts can be approved by a worn-down user.
As mentioned, not all authentication factors create the same level of obstacle for would-be attackers. Any credential that is a secret shared between the user and the authenticating server, whether a password or a one-time code derived from a stored seed, can be phished and relayed by an adversary-in-the-middle proxy, and a code delivered over SMS can additionally be intercepted by SIM swapping. Any time secrets are stored centrally, the store itself can be breached and its contents exploited. Removing shared secrets from the login flow is critical for robust authentication security in manufacturing.
Authentication based on asymmetric cryptography uses a public/private key pair instead of a password or other shared secret. At enrollment the user’s device (a phone, smart card or security key) generates the key pair, keeps the private key in its own secure hardware and registers only the public key with the server. To log in, the server sends a fresh random challenge; the device signs it with the private key and the server verifies the signature with the stored public key. No secret is ever shared or transmitted, and the server holds nothing an attacker could steal and replay. Depending on the device’s capabilities, additional device-side verification (a PIN or biometric to unlock the key) can be required before the key will sign. True Passwordless™ multi-factor authentication uses this approach.
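To make the difference between a shared-secret factor and a key-based factor concrete, here is an added example in Go, written for this page rather than taken from HYPR or from any FIDO library. It models a relying party that stores only Ed25519 public keys, an authenticator that signs the server’s challenge together with the origin it is shown, and, for contrast, an HMAC-derived one-time code. The origin names, user name and OTP seed are constructed for the example, and the challenge/origin binding is a simplified stand-in for the WebAuthn client data structure, not the real wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// otpCode derives a 6-digit code from a seed that the user's token and the server
// both store (HMAC over a counter, HOTP-style). The server can only check it by
// holding the same seed, and the code is just a string the user types, so a
// phishing proxy sitting between user and server can relay it unchanged.
func otpCode(sharedSeed []byte, counter uint64) string {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	mac := hmac.New(sha256.New, sharedSeed)
	mac.Write(c[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, as in HOTP
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(sum[off:off+4])&0x7fffffff)%1000000)
}

// RelyingParty is the login server: one registered public key per user, nothing secret.
type RelyingParty struct {
	Origin string
	Keys   map[string]ed25519.PublicKey
}

// Authenticator models the phone or smart card; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator generates the pair on the device and returns the public half to register.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a crypto/rand failure is not recoverable
	}
	return &Authenticator{priv: priv}, pub
}

// NewChallenge returns fresh random bytes per login so a captured assertion cannot be replayed.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// clientData is what actually gets signed: the challenge bound to the origin the
// client believes it is talking to. (FIDO hashes a JSON structure with the same
// two fields; this is a simplified stand-in, not the WebAuthn wire format.)
func clientData(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin and challenge cannot run together
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign produces the assertion for whatever origin the client is showing the user.
func (a *Authenticator) Sign(challenge []byte, origin string) []byte {
	return ed25519.Sign(a.priv, clientData(challenge, origin))
}

// Verify checks against the registered public key and the relying party's own
// origin, never the origin the client claims.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.Keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, clientData(challenge, rp.Origin), sig)
}

// Scenarios reports whether the server accepts (1) a legitimate key-based login,
// (2) a one-time code relayed by a phishing proxy, (3) a signature relayed by it.
func Scenarios() (legit, relayedOTP, relayedSig bool) {
	rp := &RelyingParty{Origin: "https://sso.plant.example", Keys: map[string]ed25519.PublicKey{}}
	auth, pub := NewAuthenticator()
	rp.Keys["operator1"] = pub // constructed user name

	// 1. The device signs the real server's challenge for the real origin.
	ch := rp.NewChallenge()
	legit = rp.Verify("operator1", ch, auth.Sign(ch, rp.Origin))

	// 2. The proxy logs in to the real server and forwards the code the user
	// typed on the fake page: same seed, same counter, same code, accepted.
	seed := []byte("constructed-otp-seed")
	relayedOTP = hmac.Equal([]byte(otpCode(seed, 42)), []byte(otpCode(seed, 42)))

	// 3. The proxy forwards the real challenge, but the device signs it for the
	// look-alike origin it was shown, so verification at the real origin fails.
	ch2 := rp.NewChallenge()
	relayedSig = rp.Verify("operator1", ch2, auth.Sign(ch2, "https://sso-plant.example"))
	return
}

func main() { fmt.Println(Scenarios()) }
```

Running it prints `true true false`: the legitimate login and the relayed one-time code are both accepted, while the relayed signature is rejected because the server verifies against its own origin rather than the one the user was looking at. That origin binding, together with a private key that never leaves the device, is what makes the key-based factor phishing-resistant where the shared-secret code is not.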
Compliance with cybersecurity regulations in different jurisdictions, and being able to prove it, has become increasingly important for businesses across all verticals. 59% of manufacturers have been asked to prove or guarantee the effectiveness of their security procedures. There are also significant financial penalties for non-compliance, such as fines of up to 4% of global annual turnover under Europe’s GDPR.
In the US, OMB’s guidance implementing the May 2021 Executive Order (memorandum M-22-09) and the National Institute of Standards and Technology (NIST) Digital Identity Guidelines (SP 800-63B) provide more granular detail about acceptable methods of multi-factor authentication, specifically regarding resistance to phishing. Many manufacturers also need to meet standards regarding access control and data protection under the Sarbanes-Oxley Act (SOX).
Cyber insurance requirements also factor in, with many insurance companies mandating that companies implement multi-factor authentication in order to obtain coverage.
Employees and departments may be comfortable with current processes and resist change, even if these processes are vulnerable and introduce organizational risk. Creating authentication processes that are simpler than your current ones is the key to overcoming this resistance. A smooth and fast user experience leads to quicker adoption and fewer requested exemptions that can undermine security efforts. Most people more readily accept solutions that use processes and technologies they are familiar with, such as their smartphone. Minimize the steps users must perform to login; ideally they initiate the multi-factor authentication flow with a single action.
It is also important that your workforce is able to securely access systems when offline, without additional friction.
The escalation in cyberattacks has serious consequences for manufacturers. IBM’s latest report puts the estimated cost of a single data breach for the industrial sector at nearly $5 million and, as we’ve seen, the havoc wreaked by ransomware attacks can go far beyond financial damage.
HYPR provides secure, passwordless multi-factor authentication that significantly reduces your attack surface and helps achieve regulatory compliance. Our solution turns a user’s smartphone into a FIDO authenticator that completes a public-key challenge-response and combines it with device-side factors to prove identity. It’s a frictionless authentication procedure that can integrate with any identity or SSO provider, delivering a better, more secure user experience, increasing productivity and improving uptake. Moreover, HYPR is SOC 2 and ISO certified.
To find out how HYPR can make your organization’s systems more secure, talk to our team or arrange a demo.