For many companies today producing the end product is often a team effort with a mix of integrated suppliers, outside contractors and strategic partners all playing instrumental roles. So much so that granting these third parties with access to everything needed to keep production environments running with smooth efficiency has become a norm for many manufacturers.
In many instances the multifaceted process is a perfect example of seamless collaboration. However, as manufacturers grant greater levels of access – including privileged access to third parties – it quickly intensives the risks.
"As supply chains grow, it doesn't take long for the scale of the problem to become massive. In many instances there are exponential ratios of third parties to employees," David Pignolet, CEO of Fall River, Mass-based SecZetta tells IndustryWeek. "Unfortunately, when granting third parties with access, they often do so with a fraction of the checks and balances on the individuals receiving access."
The potential risk? Exposing confidential information, unauthorized disclosures, jeopardizing physical assets, along with high costs and tarnished brand reputation come with these incidents.
"Companies need to embrace a concept that always asks whether people or things are worthy of the access granted. This requires a well-defined system to focus on their worthiness," he says. "Manufacturers need a mindset of zero trust unless it's consistently proven that they should be trusted. Instead of tackling it from an account or access first perspective, you really need to tackle the problem from a human first perspective and use that context to drive appropriate access methodologies."
The same is true when diving into operational technology (OT). Although there is often talk of air gapping OT devices, reality rarely aligns with the theory, explains Pignolet. "From a security perspective granting permission is not much different from what a human is granted,” he says. “However, monitoring access and avoiding the temptation to tie it together with the IT environment in a meaningful way is crucial because during a breach in that OT network, a bad actor could take over operator rights."
According to Pignolet, manufacturers need to better track who the third-party individuals are they are granted access, mostly because they lack a direct contractual relationship with those individuals. This is where zero trust makes sense including timely termination of accounts for third parties.
“Often times, what organizations do is they do a cleanup effort, which is usually an inactivity report. Unfortunately, it doesn't fix the problem because when account has continued use the third-party individual doesn't show up on the report,” he says. “If a manufacturer depends on access certifications, which might be by annually, at best, sometimes annually, is really important to apply those practices to mitigate risks.”
The other consideration is privileged access, especially when it comes to RPAs. Far too often organizations lack awareness around how many third parties, bots and RPAs have access. “When you actually think about scale, it is terrifying, especially when the goal is to get the access needed whether it’s a device or a person that needed access,” says Pignolet.