HLS.Today – NIST – This article is the second installment in a five-part series outlining best practices when it comes to “Cybersecurity for Manufacturers.” These recommendations follow the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
This article is the first installment in a five-part series outlining best practices when it comes to “Cybersecurity for Manufacturers.” These recommendations follow the National Institute of Standards and Technology (NIST) cybersecurity framework, which has become the standard for the U.S. manufacturing sector.
According to a 2018 IBM-sponsored study by the Ponemon Institute, the global average cost of a data breach is $3.86 million. That breaks down to almost $150 per stolen record. If you’re a small or medium-sized manufacturer, you may not think statistics like these apply to you. But out of the 17 industries represented in the report, the most impacted sectors were financial, service, and, wait for it — manufacturing.
Because manufacturers often put fewer resources into information security, they’re a popular target for cyber criminals. And it only takes one cyber attack to devastate a smaller manufacturer’s entire operational system. Networked machinery, suppliers, distributors, or even customers could all be hacked via one computer/device in a manufacturing facility.
Other risks include:
- Loss of information critical to running your business
- Negative impact on customer confidence
- Regulatory fines and resulting legal fees
- Decreased or stopped productivity
Fortunately, you can learn to protect your operations with the help of the National Institute of Standards and Technology (NIST), which has developed a five-step framework for cybersecurity that can be implemented by a business of any size. The NIST Cybersecurity Framework is available online, and your local representative of the MEP National Network, the go-to experts for advancing U.S. manufacturing, can explain it further. You can also consult the Manufacturers Guide to Cybersecurity, which provides manufacturers with the basic practices and tools needed to develop a cybersecurity program.
Ready to take your first step toward data security? The process begins by identifying your risks.
Control Who Has Access to Your Information
Make a list of employees with computer access, covering all of your business accounts and the type of access each person has (physical access or passwords). Physically secure all laptops and mobile devices when not in use. Have your employees use a privacy screen or position the computer’s screen so people walking by cannot see the information on display, and have them set the screen lock to activate when the computer is not in use.
Do not allow physical access to computers or systems by unauthorized personnel, such as:
- Cleaning crews or maintenance personnel
- Unsupervised computer or network repair personnel working on systems or devices
- Unrecognized individuals who walk into your office or shop floor without being questioned by an employee
It only takes seconds for a criminal to access an unlocked machine. Don’t make it easy for them to steal your sensitive information.
Conduct Background & Security Checks for All Employees
Background checks are essential to identifying your cybersecurity risks. Full nationwide searches should be conducted for all prospective employees or others who will have access to your computers and company’s systems and equipment.
These checks should include:
- Criminal background checks
- Sexual offender checks
- Credit checks, if possible (some U.S. states limit the use of credit checks)
- References to verify dates worked for previous employers
- Education and degree verification
You may also consider conducting a background check on yourself, which can quickly alert you if you have unknowingly become the victim of identity theft.
Require Individual User Accounts for Each Employee
If you experience data loss or unauthorized data manipulation, it can be difficult to investigate without individual accounts for each user. Set up a separate account for each employee and contractor that needs access. Require them to use strong, unique passwords for each account.
Limit the number of employees who have administrative access, especially if it isn’t required for them to perform their daily job duties. Consider guest accounts with only Internet access for visitors or customers at your facility.
Create Cybersecurity Policies & Procedures
While creating your first cybersecurity policy may seem like a daunting task, there are plenty of easy-to-follow tips from the MEP National Network that can help you get started. You may also want to consult with a legal professional familiar with cyber law to review your policies to make sure you’re complying with local laws and regulations.
Your new cybersecurity policy should include:
- Your expectations from your employees for protecting company information
- Essential resources that need to be protected and how you expect your employees to protect that information
- A signed agreement from each employee to confirm they’ve read the policy and understand it
Keep the signed agreement in each employee’s HR file. Review the policy at least once a year and make updates when you make any changes to your company’s technology. You can then use your cybersecurity policy to train your new employees on their information security responsibilities and set acceptable practices for all your business operations.
In part one of the MEP National Network five-part series on “Cybersecurity for Manufacturers,” we covered how to spot infrastructure weaknesses that open the doors to cyber attacks. Mitigating these threats takes more than a single anti-virus upgrade; it requires ongoing vigilance. But protecting your systems doesn’t have to be complicated. Here’s how to begin.
Limit Employee Access to Your Data & Information
Limiting access to your valuable company data reduces the chance for human error, which is the number-one information security threat. Employees should only have access to the systems and specific information they need to do their jobs.
If an employee leaves your company, or transfers to a different company location, take protective action immediately, including deleting passwords and accounts from all systems and collecting company ID badges and entry keys.
An ounce of access prevention can equal a pound of protection when it comes to limiting the impact of a disgruntled ex-employee.
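The account hygiene described in the sections above (one account per person, administrative rights only where the job requires them, and prompt removal when someone leaves) is easiest to enforce with a periodic access review. The script below is an added example, not code from the MEP National Network or NIST: it cross-checks a constructed HR roster against a constructed list of system accounts and reports orphaned accounts (owner has left), shared accounts with no individual owner, and administrative accounts held by people whose role does not call for them. The field names and the `ADMIN_ROLES` set are assumptions for illustration; in practice the inputs would come from your HR system and from each system's account export.

```python
"""Access review: cross-check an HR roster against system accounts.

Added example (not from the MEP/NIST article). Both input tables are
constructed sample data; field names and ADMIN_ROLES are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Employee:
    name: str
    role: str
    active: bool  # False once HR has processed a departure or transfer


@dataclass(frozen=True)
class Account:
    username: str
    owner: str  # employee name, or "" for a shared/unowned login
    system: str
    admin: bool
    enabled: bool


# Roles for which administrative access is part of daily duties (assumption).
ADMIN_ROLES = {"IT administrator"}

# Constructed roster and account export for a small shop.
ROSTER: List[Employee] = [
    Employee("Ana Ruiz", "IT administrator", True),
    Employee("Ben Okafor", "Machinist", True),
    Employee("Cara Lind", "Accounts payable", True),
    Employee("Dev Patel", "Machinist", False),  # left last month
]

ACCOUNTS: List[Account] = [
    Account("aruiz", "Ana Ruiz", "ERP", True, True),
    Account("bokafor", "Ben Okafor", "CNC-HMI", False, True),
    Account("clind", "Cara Lind", "ERP", True, True),       # admin not needed for role
    Account("dpatel", "Dev Patel", "CNC-HMI", False, True),  # owner has left: orphaned
    Account("shopfloor", "", "CNC-HMI", False, True),        # shared login, no owner
    Account("oldtemp", "Dev Patel", "ERP", False, False),    # already disabled: ignored
]


def review_access(roster: List[Employee], accounts: List[Account]) -> Dict[str, List[str]]:
    """Return enabled accounts grouped by finding type.

    orphaned     - owner is not an active employee
    shared       - no individual owner, so actions cannot be attributed
    excess_admin - admin rights held by a role outside ADMIN_ROLES
    """
    active = {e.name for e in roster if e.active}
    roles = {e.name: e.role for e in roster}
    findings: Dict[str, List[str]] = {"orphaned": [], "shared": [], "excess_admin": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already handled
        if not acct.owner:
            findings["shared"].append(acct.username)
        elif acct.owner not in active:
            findings["orphaned"].append(acct.username)
        elif acct.admin and roles[acct.owner] not in ADMIN_ROLES:
            findings["excess_admin"].append(acct.username)
    return findings


if __name__ == "__main__":
    for kind, users in review_access(ROSTER, ACCOUNTS).items():
        print(f"{kind:13s}: {', '.join(users) or '(none)'}")
```

Run it on a schedule (for example, alongside the annual policy review the article recommends, and whenever HR records a departure) and treat every line of output as a ticket: disable the orphaned login, replace the shared login with named accounts, and remove the unneeded administrative rights.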
Install Surge Protectors & Uninterruptible Power Supplies
Uninterruptible power supplies (UPS) can give you enough battery life and time to save your data in the event of a power disruption. Check to ensure the UPS type and size meets your company’s standards and requirements.
Every computer and networked device should be plugged into a UPS. For less-sensitive electronics and non-networked equipment, standard surge protectors should suffice. Be sure to test and replace each UPS and surge protector as recommended by the manufacturer.
Patch Your Operating Systems & Software Regularly
Every new app can open the door to a cyber attack if you don’t regularly patch and update all software on every device used by your employees.
Always check for updates when purchasing a new computer or installing a new software system. Be aware that software vendors are not required to provide security updates for unsupported products. For example, Microsoft® will stop supporting Windows 7 in January of 2020, so if you haven’t upgraded yet, now’s the time to do so.
Don’t delay downloading operating system updates. These updates often include new or enhanced security features.
Install & Activate Software and Hardware Firewalls
Firewalls can thwart malicious hackers and stop employees from browsing inappropriate websites. Install and update firewall systems on every employee computer, smartphone, and networked device.
Include off-site employees, even if you use a cloud service provider (CSP) or a virtual private network (VPN). You may also want to install an intrusion detection/prevention system (IDPS) to provide a greater level of protection.
Secure All Wireless Access Points & Networks
For secure wireless networking, use these router best practices:
- Change the administrative password on new devices
- Set the wireless access point so that it does not broadcast its service set identifier (SSID)
- Set your router to use Wi-Fi Protected Access 2 (WPA2) with the Advanced Encryption Standard (AES) for encryption
- Avoid using WEP (Wired Equivalent Privacy)
If you provide wireless internet access to your customers or visitors, make sure it is separated from your business network.
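The router settings listed above map directly onto the configuration of a Linux access point such as hostapd, where `wpa=2` selects WPA2, `rsn_pairwise=CCMP` pins the cipher to AES, `ignore_broadcast_ssid=1` stops the SSID broadcast, and any `wep_*` key means WEP is in use. The script below is an added example, not code from the article or from the hostapd project: it parses two constructed hostapd-style configurations, a weak one and a hardened one, and reports which of the listed practices each violates. The management password (the first item in the list) lives in the device's admin interface rather than in this file, so the audit does not cover it.

```python
"""Audit a hostapd-style access point config against the wireless
best practices above. Added example, not from the article; both
configurations are constructed sample input.
"""
from typing import Dict, List

# Constructed "before" configuration: SSID broadcast, WEP, no WPA.
WEAK_CONF = """
interface=wlan0
ssid=ShopFloorAP
hw_mode=g
channel=6
ignore_broadcast_ssid=0
wep_default_key=0
wep_key0=1234567890
"""

# Constructed "after" configuration: hidden SSID, WPA2-PSK, AES (CCMP) only.
HARDENED_CONF = """
interface=wlan0
ssid=ShopFloorAP
hw_mode=g
channel=6
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-2024
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blank lines and '#' comments."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap(conf: Dict[str, str]) -> List[str]:
    """Return one finding per violated practice; an empty list means clean."""
    findings: List[str] = []

    # Practice: avoid WEP. Any wep_* key means WEP is configured.
    if any(k.startswith("wep_") for k in conf):
        findings.append("WEP keys present (wep_*); WEP offers no real protection")

    # Practice: WPA2 only. hostapd's wpa is a bitfield: 1=WPA, 2=WPA2, 3=both.
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa not set: traffic is unencrypted or WEP-only")
    elif wpa != "2":
        findings.append(f"wpa={wpa}: legacy WPA1 still accepted; set wpa=2")

    # Practice: AES for encryption. rsn_pairwise governs WPA2; it falls
    # back to wpa_pairwise when unset, so check both and require CCMP only.
    if wpa != "0":
        ciphers = set((conf.get("rsn_pairwise") or conf.get("wpa_pairwise") or "").split())
        if ciphers != {"CCMP"}:
            shown = ", ".join(sorted(ciphers)) or "unset"
            findings.append(f"pairwise ciphers {shown}: set rsn_pairwise=CCMP (AES only)")

    # Practice: do not broadcast the SSID.
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast; set ignore_broadcast_ssid=1")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in audit_ap(parse_conf(text)) or ["no findings"]:
            print("  -", finding)
```

Two caveats for the practitioner: suppressing the SSID broadcast hides the network from casual discovery only, so treat it as housekeeping rather than as a substitute for WPA2 with AES; and where your equipment supports WPA3, prefer it over WPA2. The guest network separation mentioned above is a separate interface or VLAN and is not visible in this file.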
Set up Web & Email Filters
Use email and web browser filters to deter hackers and prevent spam from clogging employee inboxes. You can also download “blacklist” services to block users from browsing risky websites that pose malware risks.
Caution your employees against visiting sites that are frequently associated with cybersecurity threats, such as pornographic websites or social media. This may seem like a no-brainer, but it only takes one employee visiting the wrong website to inadvertently download malware onto your company systems.
Use Encryption for Sensitive Business Information
Use full-disk encryption to protect all your computers, tablets, and smartphones. Save a copy of your encryption password or key in a secure location separate from your stored backups.
If you send encrypted documents by email, recipients typically need the same encryption capability in order to decrypt them. Never send the password or key in the same email as the encrypted document. Give it to them by phone or some other separate channel.
Dispose of Old Computers & Media Safely
Before donating or trashing old computers, you need to wipe all valuable hard drive information. Delete any sensitive business or personal data on old CDs, flash drives, or other old media. Then destroy these items or take them to a company that will shred them for you. Destroy sensitive paper information with a crosscut shredder or an incinerator.
Train Your Employees
Cyber-vigilant employees are your best protection against information security threats.
Every employee should know:
- What business and personal use is permitted for emails
- How to treat business information at the office or at home
- What to do if a cybersecurity incident occurs
Train every new employee to protect valuable data and have them sign your information policy. Use newsletters and/or ongoing training to reinforce your culture of cybersecurity.
Now that we’ve covered the key steps to protect your valuable data and information, we’ll show you how to install mechanisms for detecting and recognizing a cyber attack in part three of our series on “Cybersecurity for Manufacturers” from the MEP National Network.
NSA Cybersecurity prevents and eradicates threats to U.S. national security systems, with an initial focus on the Defense Industrial Base (DIB) and on improving the security of the nation’s weapons.
At its core, NSA Cybersecurity aims to defeat the adversary through the seven core missions and functions:
- Provide intelligence to warn of malicious cyber threats and inform U.S. Government (USG) policy
- Develop integrated Nuclear Command & Control Systems threat, vulnerability, risk, and cryptographic products & services
- Release integrated threat, assessment, and mitigation/protection products for the Department of Defense (DoD) and USG customers
- Execute high-assurance cryptography and security engineering
- Offer combined defense/offense operations with key government partners
- Enable the defense of the agency’s networks in coordination with NSA’s Chief Information Officer
- Promote information sharing to support the agency’s cybersecurity mission
By leveraging our elite technical capability, we develop advisories and mitigations on evolving cybersecurity threats designed to defend the nation and secure the future. As we release new advisories and technical guidance, we archive all releases to ensure anyone who needs the information to protect their systems has access to them.
Education is the backbone of building strong cybersecurity professionals and informed citizens.
At NSA we employ some of the best cybersecurity professionals around the world, offering them unique access to classified and unclassified environments to help solve the nation’s most critical cybersecurity challenges. For more information on how to join our team, visit our NSA Careers page.
Our cybersecurity professionals also contribute to developing the talent and tools that make the nation safer through science, technology, engineering and mathematics outreach programs at all levels of education. To see how we contribute to preparing future leaders and cyber warriors, visit our Academics page.
HLS.Today NIST Framework for Improving Critical Infrastructure Cybersecurity