Monday, June 02 2025

5 Steps to Improved Cybersecurity

Written by Gene Jones, Senior Program Manager, Cybersecurity and Defense

Even though manufacturing is one of the top targets of cyber-attacks, most small-to-medium manufacturers (SMMs) have not implemented basic cybersecurity controls. The reason is usually a combination of:

  • There are just a few key people in management, and their time, focus, and resources are devoted to producing a product and making payroll. Their priority is keeping the “main thing,” the main thing!
  • Typically, there is not a dedicated IT person. If there is an IT person, their time is consumed by system administrator duties, not network protection.
  • SMMs don’t realize they are a “target of opportunity,” meaning the attack is aimed at any organization (opportunity) that is operating with a known operating system vulnerability.

But don’t despair! There are simple, low-cost information security controls that can easily be implemented. Think of these activities as routine processes, analogous to your Quality Management System (QMS) routines.

  1. Inventory Audits - Conduct and maintain a good inventory of all software and hardware on your network. You can’t protect it if you don’t know you have it! Once you know all of the software and hardware that is connected to your network, you can develop a system to keep those items protected. There are tools that will inventory your applications and operating systems, such as Lansweeper, which is free for up to 100 assets. The corollary to “taking” inventory is “controlling” inventory: limit who can download software on your network by restricting local system administrative rights to a few people.
  2. Patch Management – Correct software and operating system vulnerabilities as soon as the developers publish fixes for them. Do not rely solely on a “patching application” unless someone is checking that all patches were successfully applied. Major applications such as MS Windows will download updates automatically. Your external IT support (if you have one) will only patch components in your service level agreement (SLA), but you may have local software installed that is outside of that SLA.

After the inventory, you now know all of the assets on your network and can keep them updated with the latest protection by using a routine patch management process. This is a good start!
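One way to check that "all patches were successfully applied" is to reconcile the inventory from step 1 against the patch tool's report from step 2. The script below is an added example, not part of the original article; the CSV columns, status values, host names, and SLA list are constructed assumptions standing in for whatever your inventory and patching tools export.

```python
import csv
import io

# Constructed sample data (not from the article): an asset inventory export,
# the patch tool's last-run report, and the software your IT provider's SLA covers.
INVENTORY_CSV = """host,software,installed_version
cnc-01,Windows 10,22H2
cnc-01,CAM Suite,4.1
office-03,Windows 11,23H2
office-03,PDF Reader,11.0
shop-pc-07,Windows 10,21H2
shop-pc-07,Label Printer Utility,2.3
"""
PATCH_REPORT_CSV = """host,software,status
cnc-01,Windows 10,success
office-03,Windows 11,success
office-03,PDF Reader,failed
shop-pc-07,Windows 10,pending_reboot
"""
SLA_COVERED = {"Windows 10", "Windows 11", "PDF Reader"}


def rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(inventory_csv, patch_csv, sla_covered):
    """Return inventory items whose patch state nobody has confirmed."""
    status = {(r["host"], r["software"]): r["status"] for r in rows(patch_csv)}
    findings = []
    for item in rows(inventory_csv):
        state = status.get((item["host"], item["software"]))
        if state == "success":
            continue  # patch tool confirmed the update was applied
        if state is None:
            reason = "not in patch report"
        else:
            reason = f"patch status: {state}"
        if item["software"] not in sla_covered:
            reason += "; outside SLA, patch locally"
        findings.append((item["host"], item["software"], reason))
    return findings


if __name__ == "__main__":
    for host, software, reason in reconcile(INVENTORY_CSV, PATCH_REPORT_CSV, SLA_COVERED):
        print(f"{host:12} {software:22} {reason}")
```

Every line it prints is an item someone needs to follow up on: a failed or incomplete patch, or locally installed software that neither the patch tool nor the SLA covers.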

  3. Train Your Employees - Your best processes and technical efforts to protect your network could be undermined by an unaware workforce. You don’t need to train your employees to be cybersecurity professionals, but every employee needs to understand basic cybersecurity awareness. Train them to view emails with skepticism and send suspicious emails to IT for evaluation. Explain to them why access to social media websites is blocked. Make sure that flash drives used at home are not inserted into company devices. Ensure that they know why each person on the shop floor must have their own authentication for shared devices.
    • This is not a one-and-done training. Make it part of your routine communication!
  4. Implement a Routine Back-Up Procedure - Use the 3-2-1 rule when it comes to back-ups. Create three (3) copies of your data - one primary backup and two copies. Save your backups to two (2) different types of media. Keep at least one (1) backup file offsite.
    • If actions/routines 1 through 3 fail to prevent an insertion of malware on your network, access to an unaffected backup could minimize the operational downtime.
  5. Employ multifactor authentication (MFA) – MFA helps counter malicious activity if a password is compromised, and virtual private networks (VPNs) can reduce the risk that malicious actors can intercept or access sensitive information on the internet.

Bonus Tip: Break your network into nodes or segments so that an infiltration in one segment can’t easily migrate to the entire network.

These five steps to improved cybersecurity are not intended to be a complete list, but they are a good start.

If you are ready to do more, see the NIST Small Business Cybersecurity Manufacturing Corner at: https://www.nist.gov/itl/smallbusinesscyber/guidance-sector/manufacturing-sector. You can also reach out to Purdue MEP at mepsupport@purdue.edu or find us online at www.mep.purdue.edu.

Writer: Gene Jones, 765-496-7802, jonesew@purdue.edu
