Manufacturers have long lagged behind the curve on cybersecurity. Not only do many have antiquated systems and weak security measures, but they also fail to do penetration testing to identify vulnerabilities.
According to Sikich’s 2016 Manufacturing Report, only a third of respondents said they conduct annual penetration testing on their IT infrastructure. Jim Wagner, partner-in-charge of the manufacturing and distribution practice at Sikich, said that manufacturers need to “do much more to protect their patents, designs and formulas, as well as their private company and employee information.”
The first big IoT security problem is “just around the corner.” And as these devices gain more adoption by consumers and enterprises, they’re going to create bigger security headaches for IT professionals, according to James Lyne, global head of security at Sophos. Lyne said we’re “building up to the moment” when hackers will start exploiting the devices en masse.
And they often can put a whole organization at risk. In 2014, for example, Target’s largest data breach was traced to an IoT hack through the HVAC system. And a mass global Internet outage in October 2016 was partly launched through Internet-enabled devices such as CCTV video cameras and digital video recorders.
“IoT devices are coming in with security flaws which were out-of-date 10 years ago that you wouldn’t dream of seeing on a modern PC,” said Lyne.
While some would say the benefits outweigh the risk, organizations should proceed cautiously and update their security protocols before deployment. Preston Futrell, an executive at NexDefense, suggested that manufacturers start with a strong emphasis on network security monitoring of industrial control systems (ICS).
Futrell said ICS network monitoring technology can reduce security risks in a number of ways. First, it offers real-time visibility into network communications. It also better enables the manufacturer to maintain an accurate inventory of dynamic devices and can mitigate malicious behavior earlier, reducing the impact of such attacks.
He added that such monitoring also can allow control engineers to identify poorly performing equipment and devices that are in the process of going offline. ICS monitoring can allow control engineers to quickly identify the source and intent of unusual activity to determine if it is human error or criminal activity.
“Manufacturers, no matter their mission or objectives, must be proactive and vigilant in safeguarding their ICS networks from the cyber risks introduced by maintaining a connected infrastructure. Networking monitoring is the best place to begin,” said Futrell.
Quentyn Taylor, director of information security at Canon, said manufacturers also need a solid incident response plan that shifts more focus from prevention to mitigation. He said organizations need to stop believing that “total defense is economically viable or even possible” and that they need also to have plans for how to deal with it when it happens. “Accept that you have been compromised and learn to deal with it. If we all accept that compromise is inevitable then the next step is having a response plan,” said Taylor.