By: James Ringold, Chief Security Advisor, Microsoft
Advanced cyber threats may have come late to the door of manufacturers, but they have arrived in full force. Manufacturing is now among the top three targets for ransomware, according to the Microsoft Digital Defense Report. Intellectual property theft, supply chain attacks, phishing, and Internet of Things (IoT) attacks also plague the industry. And along with a sharp spike in the number of attacks, some of the most damaging attacks, such as those on the Colonial Pipeline and beef supplier JBS, have targeted manufacturing and industrial concerns.
Focusing on cybersecurity represents a significant change for manufacturing leaders, many of whom still think in terms of physical risks—they’re not yet used to the idea of advanced persistent threats from foreign governments targeting a manufacturer.
Nevertheless, manufacturing has adopted a lot of new technology, moving industrial control and other systems out of air-gapped isolation from the internet and into a connected, cloud-based environment. In manufacturing today, you could be managing an operations floor halfway across the world, or have a dynamic team split among four different quadrants across the U.S. Not everyone needs to be in the same room anymore.
Cybercriminals and nation-state actors have noticed, and that calls for a new approach to security, with a renewed focus on data protection, data security, and data governance, as well as application security. Manufacturing organizations need to combine physical and logical security and update their approach to deal with the current threat landscape.
Steps to better security
Manufacturers should start by taking a full inventory of their assets, including operational technology (OT) and IT. This can help determine which systems need to be connected and which don’t. It will also help when making risk assessments of the highest-priority systems to protect.
When operating in a distributed cloud environment, the approach to securing physical and logical systems—of managing OT and IT—needs to converge. Cybersecurity decisions are business decisions, so while it’s important that a company’s leadership understand cyber threats and defenses, it’s equally important that IT security teams understand the business implications of what they’re doing.
Organizations can take advantage of guidance such as the Cybersecurity Maturity Model Certification (CMMC), which includes controls for least privilege, as well as guidance from NIST, such as its Cybersecurity Framework and special publications like SP 853.
Some other crucial steps manufacturers should take include:
Maintain tight control of identities
A key element of improving security for any organization, and particularly one operating in the cloud, is identity management. All organizations should be using multi-factor authentication (MFA), an essential but often ignored step toward improving security.
They also should be enforcing policies of least privilege, ensuring that users don’t have privileges they don’t need. When an attacker enters the network through phishing or another advanced threat, they use compromised credentials to move through the network in search of intellectual property or other information worth stealing. Limiting privileges can slow them down or even stop them, especially if an organization adopts just-in-time privileges with no standing permissions for authorized users, which Microsoft offers through Azure Active Directory. Highly privileged access is granted only for a specific task and for a set period of time, which eliminates any value that a stolen identity would have for an attacker.
Microsoft tools can enforce access controls such as multi-factor authentication and policies based on device platform, and the state and location of the device, which enables organizations to better evaluate risk. Microsoft Defender protects sign-in tokens and identities by isolating credentials away from the OS.
Microsoft’s Zero Trust model further provides a framework for implementing a “never trust, always verify” approach.
Trying to completely lock down everything in the environment would simply cost too much, so an organization needs to clearly define its goals, prioritize its systems and data, and recognize where its cybersecurity investments should be focused. Microsoft’s analytics takes data from administration, authentication, and authorization to enable better risk management and Identity and Access Management (IAM), allowing an organization to be both proactive and reactive concerning risks.
Consider the attack lifecycle
Both external and internal threats can affect any part of the network, so it’s crucial to apply protections to the full range of the environment, including endpoints, and account for the lifecycle of an attack. An employee who’s leaving the company in two weeks, for instance, could exfiltrate data before heading out the door. Defender also provides a capability across that attack lifecycle, while including an extended detection response (XDR) component that provides protection out to the endpoints.
Microsoft Azure Sentinel, a Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution, enables proactive response capable of mitigating a threat as it happens.
Even more important than stopping threats, whether internal or external, is protecting data assets and being prepared to recover from an attack such as ransomware. No defense is perfect, so cybersecurity teams have to assume that they’ll be compromised at some point, and compensate by maintaining a resiliency mindset. Backups need to be kept protected from access, so they can be used to restore systems after an attack. Versioning control can also quickly restore some key systems to pre-hack status.
The Colonial Pipeline, for example, did not have a resiliency plan and had to shut down production, losing a couple of weeks of business and negatively impacting a lot of downstream companies. Being prepared to recover from an attack is critical.
Manufacturing operations are no longer just physical plants. They are cloud computing infrastructures, subject to the same cyber threats that target every other business. Because of this, manufacturers’ approach to cybersecurity needs to reflect that. Cybersecurity can no longer just be an IT consideration. It’s a critical business decision that can potentially make or break an organization and all of its operations.
To learn more, visit https://aka.ms/SecureYourFuture