By Tom Wojcinski, principal, and Michael J. Devereux II, CPA, CMP, partner, Wipfli
While talking with a group of plastics processors, one asked if there was anything a manufacturer could do to ensure its operations are not hacked. But, of course, there is no way that’s possible, especially in today’s connected manufacturing environment. Even if a processor disconnected everything from the internet, it still could be the victim of a technology hack if physical access is available to any bad actors or those working on their behalf.
Cloud-based ERPs, digital transformation and Industry 4.0 solutions are creating efficiencies, customer engagement and business intelligence that are improving operations and profitability, which cannot be duplicated on analog systems. Consequently, however, this increased digitization creates greater risk to plastics processors’ data and operations; and the research has shown that no manufacturer is too small or too big to be safe from cyber-attacks. Leadership often assumes that no one will hack their company because the data isn’t valuable to others. The bad actors disagree, however. Data is valuable, and they would like to put the company in a position where it must pay a ransom to get its data back. And data isn’t just limited to financial information, it could include confidential customer information, bills of material, engineering drawings or mold designs, processing data, sampling results and more.
Wipfli recently conducted a survey of over 200 manufacturers. The survey found that almost half of the respondents experienced three or more network breaches in the past 12 months. That can be overwhelming to leadership, not to mention IT staff or the supporting organization.
Focusing on Manufacturing Resilience
A company’s data isn’t the only thing at risk. Cyberattacks can focus on physical assets, rather than digital assets. Cybercriminals can lock up or seize equipment operations. Not only can this result in a significant amount of unplanned downtime but can also pose a physical risk to employee safety.
For example, consider a plastics processor that stores and recalls processing data for each job within an ERP or MES system. What happens if those digital services are disrupted or the underlying operational data is held hostage? Or a worse scenario, what if the technical specifications are changed, and the processor continues to make parts that don’t meet internal or external specifications? Similarly, vision and quality systems within the plant could be vulnerable and the target of a potential attack. While some of this seems implausible or unlikely, cyber-attacks are becoming more sophisticated and aggressive, and exposure in these areas can cause very real risks to organizations.
Plastics processors can protect their operations by building and implementing resilience strategies to cyber-attacks. In this instance, resilience does not mean “bullet proof.” Rather, it means that a company can resist an attack, to respond quickly and thoroughly when the attack occurs, and to efficiently recover any data or business operations that are compromised. That starts by identifying weaknesses in the digital perimeter and then building a multilayered strategy to protect and respond to the cyberattack.
Common Blind Spots Within Plastics Processors
For plastics processors, there can be multiple physical and digital avenues into operations or data (including financial, operational, technical or front office information). Often, these paths are hidden or are seemingly insignificant. Outdated and unsupported hardware and software on the shop floor are two of the most overlooked sources of vulnerability. While this equipment may not be used like traditional PCs or laptops, it is still connected to the network. If it’s not maintained, it could be a security risk to the organization.
All too often, the IT department is not involved in all IT decisions. With the advancement of software-as-a-service model and cloud computing, it’s easier for employees to purchase new software, download applications or share files using the cloud, without the oversight of skilled IT or cyber professionals. Systems and software that are not vetted against company policies or maintained properly could pose additional, not-so-obvious risks. In addition, they extend the number of vectors a bad actor may use to gain access, often without a company’s knowledge, making it more difficult to protect data and operations.
A lack of real-time cyber monitoring is another common blind spot in plastics processors. Without real-time monitoring, a company has no visibility into attempts to infiltrate its network. Stopping and safeguarding against attacks is harder if a company does not know that they’re happening. For instance, real-time monitoring can protect against the violation of impossible travel rules. In this scenario, a legitimate user logs into the network from his or her home office in Milwaukee, Wisconsin. Let’s assume is the corporate controller of a plastics processor, just outside of Milwaukee. Then, just three hours later, the corporate controller logs in from Dublin, Ireland. This is an impossible travel scenario and clearly a sign that the corporate controller’s credentials have been breached. However, it could go unnoticed for some period of time without proper, real-time monitoring in place.
Creating a Multi-Faceted Security Strategy
The most effective means to resist an attack is to establish a multilayer security strategy. At its most basic level, the strategy should include:
- Password protocols: Require the use of strong passwords.
Email protections: Technologies that limit spam and spear-phishing attempts will reduce the risk of social engineering. - Multi-factor authentication (MFA): MFA requires users to take additional steps to verify their identity anytime when logging in or accessing a system or company app. MFA should be implemented on all removed access points, as well as internal administrative accounts. This includes email, VPN and all cloud-based applications.
- End-point detection and response (EDR): EDR increases the ability to detect suspicious events by providing real-time visibility into potential attacks. EDR often is confused with antivirus software, which should also be used by all plastics processors. Antivirus software looks for malicious programs running on the computer or network, while EDR searches for malicious activity in the memory of the computer.
- Regular vulnerability scans and penetration testing: If a company is not monitoring its environment, processors can not identify their vulnerabilities or ways to fix them. Monthly or quarterly penetration testing of the external systems and vulnerability scans of the internal systems are critical to identifying weaknesses before they can provide access to bad actors.
- Vulnerability management: Cyber criminals are regularly probing for security gaps. A company can make it more difficult for them by deploying security patches and software updates, removing unnecessary software and disabling unused system processes.
- Air-gapped backups & segmented networks: If an employee can browse directly to the company’s backup files from its primary network, they are not safe from ransomware or other cyber-attacks. Separated backup files on a stand-along network that requires separate credentials often mitigates this risk.
- Recovery testing: What happens if a company is attacked? Have steps been taken to restore the network, files or operations? Are the backups occurring as designed? A network failure or cyber-attack isn’t the best time to find out files haven’t been backed up or do not have the means of restoring them. Processors need to regularly test the backup process to confirm the protocol is working, as designed, and intended.
The Importance of Employee Engagement in Cybersecurity
It’s critical that employees understand the importance of cybersecurity. Many hackers don’t hack systems, they hack people, as they’ve found it’s easier to trick someone into sharing their credentials than to break into a network. That is, if someone gives them the keys, why mess with the lock. It’s for that reason that employee engagement on cybersecurity is just as important as the focus on a company’s perimeter.
To start with, plastics processors must put controls in place to govern how data and information are used, managed and stored. Sensitive data should be limited to those who absolutely require it to perform their job functions.
In addition to understanding where the data is stored and who has access to it, plastics processors’ best practice is to implement a comprehensive training program. Hackers will use a variety of social engineering techniques to steal information, including email (phishing), SMS text messages (smishing) and phone calls/voicemail (vishing). Training employees to be skeptical is key. When employees understand what they need to do and why, company operations will be better protected against cyber criminals.
Regular Cyber Assessments
Finally, plastics processors should engage in regular cyber assessments, whether that’s done internally by IT staff that keeps up with the cyber security trends or by an outside firm. These assessments provide visibility into potential avenues bad actors can access data. From there, processors can develop or modify safeguards and policies that can better protect them from cyber fraud. n
Tom Wojcinski is a principal in Wipfli’s cybersecurity and technology management practice. He leads a variety of engagements designed to help improve organizations’ cybersecurity posture, including cybersecurity risk assessment, control program development and implementation, incident response planning and simulation, vulnerability and penetration testing, security audit, control verification, and managed security services. Wojcinski is a frequent author and speaker on cybersecurity and information technology risk management topics.
Michael J. Devereux II, CPA, CMP, is a partner and director of Manufacturing, Distribution & Plastics Industry Services for Wipfli. Devereux’s primary focus is on tax incentives and succession planning for the manufacturing sector. He regularly speaks at manufacturing conferences around the country on tax issues facing the manufacturing sector.
More information: www.wipfli.com
