Responding To Risk: Invisible Enemies

Manufacturers must find ways to prevent electronic threats to their networks and data.

Spam. Computer viruses. Network worms. Lost laptops. Stolen handhelds. Penetration of wireless networks by unauthorized users.

Manufacturers have always had security risks, but they could be minimized by taking steps to protect the physical plant and equipment. Today's invader sneaks in unseen over an electronic network and threatens a company's computers, data, and information flows -- ultimately, putting the business itself at risk. What's more, the barriers companies put up to protect against online intruders aren't always effective.

"Most companies put up firewalls in the late 1990s," says Greg Fitzgerald, vice president of marketing at Tipping Point, the security division of 3Com Inc. "But the threats are evolving, and the attacks have continued to get through these technologies." Adds Steve Phillips, senior vice president and CIO at electronics distributor Avnet Inc., "I see many of the same issues and challenges, but the threats have changed."

How are manufacturers coping with this new level of IT risk? Most are beefing up their spending on a host of new technologies aimed at providing more and greater levels of security for networks, servers, desktop PCs, and even mobile devices such as the Blackberry.

Better Security, Higher Productivity

One manufacturer hustling to stay ahead of the IT risk wave is Plantronics, a $560 million maker of headsets. "The world of the network perimeter has certainly changed," says Tom Gill, vice president and CIO at the Santa Cruz, Calif.-based manufacturer that operates plants in Tijuana and Shanghai. "We are very conscious of it, and we're doing our best to protect the enterprise."

An effective security strategy, most experts say, should be fluid, constantly adapting to meet the latest form of e-threat to networks and data while striving to stay a step or two ahead of it. "The manufacturer's goal today is to stay ahead of the attacks by putting a process in place that fixes vulnerabilities before they are exploited," says Mark Nicolett, research director in the information security group at Gartner Group, an IT research firm in Stamford, Conn.

Effective security systems to guard against IT asset risk don't come cheaply, judging from how much corporations are spending on security technologies. Worldwide sales of network security appliances and software hit $1 billion in 2005's third quarter alone, according to Infonetics Research. Virtual private network and financial appliance sales accounted for 77% of the total. Sales of intrusion detection and prevention systems composed 14%, and sales of gateway and anti-virus products accounted for 9%.

Corporations spent an estimated $1.9 billion last year just trying to shore up their e-mail security. Plantronics, for instance, contracts with a hosting service from Postini Corp. that effectively cleanses all of its inbound e-mail of viruses and worms, while eliminating unwanted, intrusive and offensive spam. Messages that have a real business purpose but might have been flagged by the security service are quarantined -- i.e., held for possible later use as requested.

"The result is that our employees have a more productive day, and people are not receiving messages that are inappropriate," Gill says. To keep pace with the shifting security landscape, Plantronics conducts periodic security audits.

One big challenge for manufacturers is balancing the need for IT security against the need that employees, suppliers, and customers have to access and interact with company information. "Our suppliers need to interact with us on how to make our products more manufacturable," says Tony Ciorciari, executive vice president of operations at IGT Corp., a manufacturer of slot machines in Reno, Nev.

To achieve the proper balance between security and access needs, the company depends on the combination of a strong firewall and a sophisticated authentication system to ensure that only those who are granted access to various data are able to get it.

"We do need the proper balance," remarks Rayleen Cudworth, vice president of Information Systems at IGT. "You want the most secure environment to protect your information and intellectual property, but at the same time, you don't want to inhibit the ability of employees to do their jobs."

For e-mail, IGT depends on a pair of staff e-mail administrators to manage the company's filtering software and make sure all incoming e-mail is virus-free. "Right now 80% of the e-mail coming into the company is spam," Cudworth points out. "Managing e-mail can be overwhelming for employees, who otherwise would have tons of spam, which is neither productive nor safe."

Monitoring Remote Devices

Managing remote use of company information via networks and the Internet poses another potential risk. For remote access, employees connect using an IGT laptop only. Remote access cards enable employees to connect with secure authentication. For handhelds, remote workers use Blackberrys that are password protected. All remote connections must go through the company's firewalls. Finally, to provide an additional layer of protection for home access, the company sets up personal firewall devices in each mobile worker's home.

On the company's production lines, hundreds of workers use handheld wireless devices for various operations. Each device communicates with the network using an industrial-strength data encryption system. "There are eight steps a worker has to perform to do a transaction," Cudworth says. "We are very tight on security when it comes to the wireless technologies." Adds Ciorciari, "That encryption protection is very critical to our operations."

As far as staying ahead of the risk curve, IGT performs regular security audits and is constantly on the lookout for weak access points. "We have to stay ahead of the game," Cudworth says.

All-Encompassing Approach

Some large manufacturers are taking a more offensive tack toward tracking down potential security problems that could arise on their networks. Toyota Motor Europe is a case in point. The company is using 3Com's Tipping Point Intrusion Prevention System to assess whether network traffic poses any threat to the system's availability or confidentiality. The system uses network devices to provide detailed analysis of the network's status with almost no delay, a capability not available just a few years ago.

"Any network traffic that is going to pose a security problem is just blocked," explains Richard Cross, corporate security officer at Toyota Motor Europe in Brussels. "It's just as if the network traffic is purified before it passes on to our networks -- attacks are blocked and prevented from spreading. We just get the reports about how much. It's simple and effective, but we don't trust anything to be foolproof."

The notion of setting up layers of security, in fact, instead of relying on a single firewall or a lone preventive system, is widely accepted as the only way to go. "In Sun's view of systemic security, the goal is a reinforcing security architecture," says Glenn Brunette, distinguished engineer and chief security architect at Sun Microsystems, a leading manufacturer of computer servers and workstations. "That way, if you experience one point of failure, you are still protected."

Sun recommends to its corporate customers that they adopt a policy that everyone on the outside of their network is "untrusted" until it's proven otherwise. "You can keep certain user communities away from your IT infrastructure, but still provide services such as portals that will connect them," Brunette explains. "This way, you are not providing them with total access to your network."

In other words, while a key customer could be allowed access to check basic information regarding the status of a shipment, a different set of rules and access requirements would be needed to cancel a shipment.

Not surprisingly, most computer hardware and software vendors have beefed up the security capabilities of their products. Dell, for instance, has embedded support in most of its consumer and notebook computers for an optional security package called Computrace from Absolute Software, which enables customers to protect sensitive data and recover lost or stolen machines. Most Dell business notebooks such as the Latitude and Dell Precision mobile workstations also include an integrated Smart Card reader.

Similarly, Sun's Solaris 10 operating system has a variety of security features built in. Likewise, software firm Novell's Zen network management suite of applications includes security for authentication purposes for servers, desktop machines and mobile devices.

"People seem to lose PDAs the most," notes Justin Taylor, chief strategist for digital identity and security at Novell's engineering center in Provo, Utah. Novell's Zen system for handhelds enables companies to disable or wipe a PDA clean of all data if the security authentication is not completed correctly within three tries.

Despite all these efforts, the best technologies by themselves aren't enough to reduce the level of risk facing most IT infrastructures. Employees have to do their part as well to make the technologies effective. "We have found that people sometimes do not understand the relevance of security to their job or the role they play in making company security effective," says Sun's Brunette. "Everyone needs to understand how to protect information, both company information and customer information."

Brunette recalls an incident involving a customer who called in a panic regarding a system outage. A disgruntled systems administrator had quit, leaving behind a "time bomb" that would erase the disks on 180 company servers all at once. "A single person destroyed their entire environment, and the company didn't even know who it was until they did an investigation," he says. "This organization had failed to have a security administrator whose role is to monitor all actions being taken on the system."

The company also failed to have an effective backup and disaster recovery system in place in the event of such a failure. Having these kinds of checks built into the system is a basic security management issue, not a technological one. "Someone could have noticed, through basic audit controls, that this person had made these changes to the system," Brunette adds.

One company that monitors all activity on its company systems is Avnet Inc., a $13 billion distributor of electronic components and computers. "We have a dedicated director of IT security, and we monitor our systems 24/7, looking for any unusual activity across all platforms," says Phillips of Avnet, which is based in Phoenix. "If we get updates or patches for our systems from the software vendors, we track our ability to apply those patches in minutes."

IT asset risk, of course, also extends to the natural realm, where earthquakes or weather-related catastrophes can wreak havoc on a company's systems and ability to do business. "You need to make sure that if a disaster happens in one of your operational hubs, that you know what to do," Phillips says. "Our systems are able to recover to a failover system, and we can resend data messages to our trading partners."

Production Floor Challenges

With the advent of the Internet, manufacturers have had to come to grips with a new risk -- the systems on the production floor. While in the past, these systems were self-contained, today many production control and other shop-floor systems are connected to the company network and the outside world.

"As manufacturers upgraded their equipment and systems on the shop floor, they were more likely to have network connections and to be remotely controlled," observes Gartner's Nicolett. "That exposes the production line in a way it hasn't been exposed in the past."

"Process control networks used to be running on their own, but not any more, and this new connectivity brings with it some vulnerabilities that our other systems have," agrees Rich Mogull, research vice president in the information security and risk group at Gartner Group.

Mogull suggests manufacturers avoid intermingling the process control system with other networks that are more exposed to the outside. "Manufacturers have the option to keep their process control system separate," he says. "We do not recommend giving a manager a desktop machine to do e-mail while that person is managing the production network, because one slip up and you can give somebody outside the company control of the system."

Another way to limit the risk of a process-control system intrusion is to lock it off from the rest of the network with a "virtual air lock." In effect, this means placing a third system in the middle that allows one-way-out flow of communication for data reporting. "That way, you have no communications coming into the system from the outside," Mogull says.
