Archive for 2018
10 Tips for Mitigating Cyber Risk in the Manufacturing Industry
This is in terms of financing, labor, industry regulation and numerous other factors. However, the growing reliance on information technology including machine learning, robotics, the Internet of Things and big data, has made cybersecurity one of the industry’s biggest risk factors.
The motivation for cyberattacks on manufacturers are varied. They range from financial fraud to industrial espionage (an example of espionage would be the theft of detailed product or equipment plans to be fed to a pressure die casting machine).
The following tips can help manufacturers reduce the likelihood of a successful attack.
1. Start at the Top
Like any other company initiative, successful cybersecurity is dependent on management buy-in. If the people at the top of the organization do not set the right tone in word and deed, it becomes harder to motivate staff lower down the hierarchy to do the right thing.
Cybersecurity cannot be left to the CIO or the technology department alone. In fact, communication on cyber matters should occasionally come from the CEO’s office. That will get employees to see the seriousness of the issue and align their behavior accordingly.
2. Perform a Broad Risk Assessment
Conduct an exhaustive cyber risk assessment that covers the industrial control systems, ERP systems and any standalone systems. The assessment should be done at least once every six months in order to capture vulnerabilities that have been introduced by changes to the operating environment.
The risk assessment should not only cover traditional cyber risks like password management and firewall configuration but should delve into more manufacturing-related risks such as IP protection.
3. Circulate Cyber Risk Reports
A cyber risk assessment report is of no use if it all it does is gather dust on an office shelf. Instead, enterprise risk reports including remedial action roadmaps should be shared with the board and executive leadership.
There should be a high level discussion of the key sticking points with a view to demonstrating impact and identifying areas of priority in resource allocation. Decisions can then be made that take cognizance of the manufacturer’s risk posture and risk tolerance goals.
4. Built-in Security
All new manufacturing equipment, software and connected products must be evaluated for compliance and coherence with the company’s cyber risk program. Since the acquisition and deployment of major equipment and software will usually be done by a special project team, always confirm that there’s the requisite cyber security talent in this team.
This will ensure security considerations are a decisive factor in the acquisition from the get go.
5. Recognize Data as an Asset
The importance of cyber security can be harder to sell to the management of manufacturing companies than to leaders of service-oriented industries such as banking. Manufacturers are used to dealing with a tangible product built by tangible equipment and may thus not readily see data as a critical business asset.
Yet, treating data as an indispensable asset is at the heart of any successful enterprise-wide cyber security campaign. Making sure management and staff see the business value of data and why it needs to be protected will inform the adoption of best practice on where the data is stored, how it is accessed and who can access or modify it.
6. Assess Third-Party Risk
The success of a manufacturing operation is dependent on the reliable partners including suppliers and service providers. In order to do business seamlessly, such third parties will sometimes need access to enterprise systems or facilities. This introduces a potential loophole for a data leak.
Manufacturers must perform thorough background checks on the third parties they work with and clearly define the rules of engagement including outlining what is off limits. Third parties should be given physical access only to the areas of the facility that they need to do their work.
7. Vigilant Monitoring
Good organizational policies, procedures and action plans are only as good as their implementation. Create checklists, reporting procedures and escalation mechanisms that ensure existing and emerging cyber threats are caught before they spiral out of control.
Regular scheduled monitoring creates an avenue for identifying loopholes that had fallen through the cracks and amend policies and procedures to mitigate against these risks.
8. Recovery Planning
Some of the companies that have suffered massive cyberattacks were doing the right thing and checking all the right cyber risk boxes at the time. A robust cyber security plan is no guarantee that an attack will not occur or that systems will not fail.
A detailed recovery plan is required that includes what actions to take in the event that a cyberattack is suspected to have taken place. Manufacturers can increase their resiliency through war-gaming or table top simulations that envisage the worst case scenario.
9. Clarify Responsibilities
Many organization problems can be attributed to the absence of a specific person assuming full responsibility for a process. It should be clear who is tasked with each component of the cyber risk program including at department level.
Ideally, there should be a cybersecurity champion within each department who’ll ask all the important questions whenever a new project or product is planned.
10. Drive Awareness
Most cybersecurity breaches are less to do with technology failures and more to do with deliberate or accidental human actions. Employees must be regularly sensitized on what their individual responsibilities are in mitigating non-technical cyber risks such as social engineering, phishing and identity theft.
They should also be provided with a clear reporting path whenever they notice suspicious or unusual activity.
These tips can help manufacturers deeply embed cyber risk management, identify areas of improvement and chart a road map towards a more vigilant, secure and resilient work environment.
Are Your WhatsApp Encrypted Group Chats Exposed To Strangers?
A team of security researchers from the Ruhr University of Bochum, Germany has revealed a series of vulnerabilities in the popular instant messaging app WhatsApp.
According to a Wired report, the flaws allow a person with the control of WhatsApp’s servers to add anyone to a WhatsApp group without admin permission.
Once added to a group, the respective encryption keys of all the group members get shared automatically with the new user. So, a newly added eavesdropper can easily read all the new end-to-end encrypted messages exchanged between the members. But not the older messages and the ones for which the stranger doesn’t have the end-to-end encryption key.
The report was quick to ring the bell at the house of WhatsApp’s daddy Facebook. Its chief security officer Alex Stamos made multiple tweets as a response to Wired’s report.
“Read the Wired article today about WhatsApp – scary headline! But there is no a secret way into WhatsApp groups chats. The article makes a few key points.”
“Everyone in the group would see a message that a new member had joined,” he argued. But should that be considered as a safety measure, relying on the alertness of the members to make sure some eavesdropper has not entered their WhatsApp group?
“WhatsApp is built so group messages cannot be send to hidden users and provides multiple ways for users to confirm who receives a message prior to it being sent.”
Stamos said that WhatsApp has seen the researchers’ findings. But preventing a possible attack would require to let go of a popular feature called “group invite links” which allows anyone with a link to join a WhatsApp group. “There may be a way to provide this functionality with more protections, but it’s not clear cut.”
Even if such an attack could be performed, how many people would have access to WhatsApp’s servers except their employees and governments wanting to conduct surveillance? An experienced hacker would first have to compromise the servers before adding an eavesdropper to the group.
According to Maxie Marlinspike, who developed the Signal protocol, it’s not possible to suppress the alerts sent when someone joins the group, contrary to the researchers’ claim. It turns out, it’s not possible for someone to snoop into group chats and hacking the servers is not that easy.
Commenting on the report, Mike said that the article is a better example of the problems associated with security industry and how research is done today. “I think the lesson to anyone watching is clear: don’t build security into your products, because that makes you a target for researchers, even if you make the right decisions,” he wrote.