Life isn't easy for IT security workers these days, and it's even tougher for those who work in the manufacturing sector. Because of the expense and a lack of regulatory stimulus, manufacturing companies have tended to lag behind the financial, health care and energy industries in information security, even though manufacturers clearly have a lot to lose.
"Manufacturers are amongst the most vulnerable to attack because there is a lot at stake in terms of trade secrets and intellectual property," says Rohyt Belani, managing partner at security consultancy Intrepidus Group. For example, he points to incidents of insider theft of critical documents and drawings for sale or transfer to a competitor (as happened recently when Coca-Cola employees attempted to sell its secret formula to Pepsi).
Manufacturers are also at risk from "phishing" expeditions, in which hackers gain access to proprietary networks and obtain sensitive design data simply by tricking a naive user into divulging passwords or other security information.
Phishing is a criminal activity involving the fraudulent acquisition of sensitive information, such as user names, passwords and credit card details, by somebody masquerading as a trustworthy entity in an electronic communication. Phishing is typically carried out via e-mail or instant messaging, and often directs users to provide details at a Web site designed to resemble a legitimate operation.
"The challenges for IT security staff in these industries are a large, low-skilled employee base and extremely distributed, fragmented operations," says Belani. He offers the following suggestions on how to keep your networks -- and your precious IP -- safe:
- Since IP is the most valuable part of a manufacturing environment, it is important that a company's network be segmented appropriately (for example, isolating the R&D department). This requires good network planning and strong network-based access controls.
- Systems housing critical data should comprehensively log all access and the activities performed thereafter to create an audit trail.
- User awareness campaigns and assessment exercises should be conducted to reduce the susceptibility of employees to phishing attacks that may be conducted as part of a larger corporate espionage program.
- There must be a formalized employee termination procedure that entails forensics on the employee's work computer, and that focuses on assessing the probability of proprietary data being taken by the employee either via e-mail or removable media.
- Supervisory control and data acquisition (SCADA) systems, if used, should be segregated from the corporate network, and accessible only at a limited subset of locations and by a known set of administrators.