IoT and manufacturing: Is your network cybersecure?

Protecting the business from cybersecurity vulnerabilities is a top-of-mind issue for manufacturers. We sat down with David Van Dorselaer, AVP of Channel Marketing – Manufacturing at AT&T Business to discuss the challenges business leaders are facing with adopting a cybersecurity solution, how they can begin their journey, and how to continue to protect their organization as technology continues to advance for the industry.

Q: IoT isn’t new to manufacturing, yet many companies struggle to find the balance between having a highly secure network in place and expanding their use of IoT to take advantage of its benefits. Is it possible to expand the use of IoT without implementing cybersecurity solutions?

A: IoT solutions need to be built and deployed with security top of mind. IoT devices communicate with so many disparate systems, that there are risks with deploying broad IoT solutions without a security plan solidly in place.

It’s important to compare what you know about your network against devices that are connected, but unidentified. This will remain a key factor in the challenge of maintaining effective cybersecurity for IoT.

Navigating the complexity of IoT within the context of cybersecurity is a huge undertaking: from traditional firewall and endpoint protections to IDS/IPS (intrusion detection systems/intrusion protection systems), WIDS/WIPS (wireless intrusion detection system/wireless intrusion prevention system), mobile device management, more complex Network Access Control, and analytic solutions to enforce policy and mitigate attacks. Leaving these complexities to industry experts can help ease the burden and overcome the many challenges for IoT and cybersecurity.

Q: “Phishing” is a common way that hackers gain access to sensitive data. What about anti-virus, anti-malware, and spam filters? Are they adequate protection for companies that are not ready to invest in additional cybersecurity protections?

A: As a manufacturing organization, the types and amount of information you deal with on a regular basis make you an attractive target for cybersecurity attackers. From intellectual property to customer lists and production secrets, your data can be extremely valuable to them.

It’s important to have the basics of antivirus, antimalware, and spam filters in place, as well as to perform regular internal phishing tests. Your strategy can’t stop there, though, because companies need to have a multi-layered approach to cybersecurity.

For example, implementing concise learning programs and training can help those who access the network become more aware of key cybersecurity risk behaviors, trends, and cyberthreats. This training—online and in the classroom—equips employees with the ability to recognize threats and to be accountable for their activities.

Q: AT&T Business released Volume 8 of its Cybersecurity Insights Report in 2018. It states that 58% of IT leaders surveyed believe their security risk management strategy needs work. This is especially so for those with in-house management. Could you speak a little bit about why an in-house strategy isn’t sufficient?

A: The security landscape is changing quickly as new technologies and subsequent threats emerge. In most cases, an in-house approach to cybersecurity can’t adequately prepare for vulnerabilities and the sophisticated ways attacks can occur. New technologies are being brought into legacy environments, and they require a comprehensive security approach.

What tends to happen is companies look to point solutions to solve security gaps. Using an industry leader with a comprehensive view of the latest security protocols provides a framework that can integrate, automate, and orchestrate your business’s security needs.

With all of the endpoints in the factory—not to mention if there are several locations, field employees, and third-party vendors—consistent monitoring and system updating is also needed, not just to keep up, but to stay ahead of attackers.

Q: What are some of the key areas that should be considered in a comprehensive risk assessment?

A: First, make sure risk assessments are actually performed. It’s easy to make assumptions about where your company stands in its risk and readiness. After that, establishing a cross-functional team of key stakeholders in the cyber program, including IT (information technology), OT (operational technology), R&D (research and development), finance, and risk management is key to (1) identifying and socializing the risk framework to define mitigation strategies, and (2) clearly identify ownership for implementation.

From there, organizations should prioritize risks, define policies, and automate assessment processes such as IT governance, risk management, and compliance that span all of your IT and OT/ICS (industrial control systems) environments.

Q: Okay, so a framework is in place, then there’s a risk assessment process…now what?

A: Well, now business leaders can focus on enforcing the implemented IT policies. The good news is that adopting a cybersecurity solution doesn’t have to start from scratch. A basic risk assessment formula should consider the impact of the risk and the likelihood of it becoming a risk.

Compliance can be automated based on ISO 27005, which provides a basic structure for security risk management. It’s important to include built-in automation and workflow to not only identify threats, but also remediate incidents as they occur or anticipate them before they happen. Also, once the risks are determined, communicating the IT- and OT-risk in business-related terms helps business leaders understand the impact of your strategy.

Q: It’s good to know that it’s not necessary to start from scratch to implement cybersecurity. On to implementation then. What does that look like?

A: It’s no secret that IT and OT often have different priorities in any industry, but with the complexity and technology involved in manufacturing, this is certainly the case. The expansion of IoT sensors and devices makes convergence between IT and OT more necessary. They may also view the approach to cybersecurity differently. But there are steps you can take to address this.

First, initiate a formal risk management process with the needed tools in place to manage the security involved with the convergence of IT and OT. Then you want to make sure everyone is on the same page for what you’re protecting. Create a holistic inventory of all connected devices attached to network segments to know exactly what you’re trying to protect.

While “defense in depth” is an important consideration with relation to ICS, trends in the manufacturing space are moving toward a “zero-trust network,” that is, a “never trust, always verify” approach that extends to all layers of the enterprise. This helps reduce the exposure of vulnerable systems while decreasing the likelihood of lateral movement in the event of a breach. This, in turn, decreases the risk of significant production downtime, detrimental impacts to production quality, and the loss of IP and/or safety events.