by Liz Stevens, writer, Plastics Business
Hacks, security breaches, ransomware attacks – these are becoming more and more common in our technology-dependent world. Every manufacturer would be wise to take these potential threats seriously and apply resources to protect assets and fortify cyber security. If cyberattacks can happen to school districts, casinos, farm cooperatives, hospitals and pipelines, no business is immune.
Duane Dunston, associate professor of cyber security at Champlain College, Burlington, Vermont, has 20+ years of experience in education and government as a cyber security expert. Dunston outlined the contours of cyber security, the basics of conducting a cyber risk assessment and implementing security controls, and the ongoing tasks required to keep a company’s assets and cyber network as safe as possible.
The need for cyber security
While it may seem as if hackers and internet criminals are unstoppable, Dunston said that “if we take some very basic, well-known best practices in cyber security and put those in place, it greatly reduces the likelihood of a cyberattack.”
Dunston stressed that company executives must understand that even a single attack can cause great harm to an organization, and execs must wholeheartedly support the adoption of risk management strategies to safeguard their organizations. Robust security, however, hinges on involvement from everyone. “Cyber security is the responsibility of the entire organization,” he said.
Dunston advised companies to perform a thorough initial risk assessment and implement a security practice, with regular monitoring and updates. “It also is wise to ensure that security and risk are considered any time a new system is brought online,” he said. “That means any new project that is going to involve the company’s technology or computers.” Cyber security merits very serious attention. “We need this because of the expanding complexity and increasing entry points into the IT assets of our organizations. Plus, employees and visitors may bring in their own devices – mobile phones, laptops, tablets – which allows even more potential access to those assets.”
In addition to recommending that companies conduct a company-wide review, assess their cyber threats and develop an awareness of potential risks from people bringing in devices, Dunston repeated the IT professional’s mantra: make backups. “The one thing that kills a lot of organizations,” said Dunston, “is they don’t have backups of their data. Or they think they have backups, but they are wrong.” He urged companies to not only make regular backups but also to test them. “It can cost a lot of money to recover a company’s data in the event of a system crash or a destructive hack,” said Dunston.
The bad actors who can threaten a plant’s cyber security are varied, and so are their motivations. As Dunston explained, “Some try to hack in for fun to see if they can do it and get away with it.” Many cyberattacks are carried out by opportunistic criminals; like car thieves who vandalize an unlocked car or steal one that has its keys left in the ignition, cyber attackers often strike when they stumble upon a vulnerability. “Some attacks,” said Dunston, “are malicious; these perpetrators are out to destroy information.”
Cyber crooks also might attack in order to steal or extort money from a company. Criminals who breach a company’s cyber security also may be doing so as a springboard for attacking other companies. “They hack into multiple computer systems, leapfrog style,” said Dunston, “until they get to their real target, in the hopes that their criminal trail will be lost along the way.”
Conducting a risk assessment
An internal cyber assessment aims to identify and mitigate a company’s risk. The participants involved in a company risk assessment may include executives, IT managers, system and network administrators, key personnel from each department, and employees at large. The first task, said Dunston, “is to identify the scope of the assessment; that is, what the company wants to protect.”
The scope of a typical assessment corresponds to the system boundary: essentially, the edge of a company’s network and everything within it. This includes the software inventory, all interconnections (including connections that can be established by third-party contractors, vendors, suppliers, etc.), and all of the company’s hardware devices, assets and sensors. “If it has an IP address or is a piece of equipment attached to a computer system with an IP address, include it,” said Dunston. Manufacturers also should include robotics systems and machinery that are controlled via a central controller.
Once all of the cyber assets and their locations have been identified and documented, the next step is to categorize each asset as to the type of information it contains, the value of this information to the company and the impact on the company if the asset were to be compromised by a cyber threat.
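The three steps above (define the scope, inventory the assets, categorize each by the information it holds and the impact of its compromise) can be carried through as a small, repeatable script. The following is an added example, not from the article or from Dunston: it applies the "has an IP address, or is attached to something that does" rule to decide what is in scope, takes the worst of the confidentiality, integrity and availability impacts as the asset's category, and ranks in-scope assets by likelihood multiplied by impact. The sample plant inventory, the three-level scales and the numeric weights are constructed assumptions; the likelihood-times-impact approach loosely follows NIST SP 800-30 Rev. 1, but the numbers are not taken from that document.

```python
"""Added example, not from the article or from Dunston: an asset inventory
with the in-scope rule quoted above, a high-water-mark impact category per
asset, and a likelihood x impact ranking. The assets, scales and numeric
weights are constructed assumptions; the approach loosely follows NIST SP
800-30 Rev. 1 but the numbers are not from that document."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scale: qualitative levels mapped to 1..3 so the product
# likelihood x impact can be used to rank assets.
LEVEL = {"low": 1, "moderate": 2, "high": 3}
NAME_OF = {v: k for k, v in LEVEL.items()}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: Optional[str]           # None if the device has no address of its own
    attached_to: Optional[str]  # name of the system it hangs off, if any
    info_type: str              # what information it holds or controls
    confidentiality: str        # impact if the information is disclosed
    integrity: str              # impact if it is altered
    availability: str           # impact if it is unavailable
    likelihood: str             # assessed likelihood of compromise


def in_scope(asset: Asset, inventory: dict[str, Asset],
             _seen: frozenset = frozenset()) -> bool:
    """The rule quoted above: anything with an IP address is in scope, and so
    is any equipment attached to a system that is in scope. The attached_to
    chain is followed, so a sensor on a PLC behind a networked HMI counts."""
    if asset.ip is not None:
        return True
    parent = inventory.get(asset.attached_to) if asset.attached_to else None
    if parent is None or asset.name in _seen:   # unknown parent, or a cycle
        return False
    return in_scope(parent, inventory, _seen | {asset.name})


def impact_level(asset: Asset) -> str:
    """Overall impact is the worst of C/I/A (high-water mark), so an asset that
    holds nothing sensitive but can stop the line still rates as high."""
    worst = max(LEVEL[asset.confidentiality], LEVEL[asset.integrity],
                LEVEL[asset.availability])
    return NAME_OF[worst]


def risk_score(asset: Asset) -> int:
    return LEVEL[asset.likelihood] * LEVEL[impact_level(asset)]


def rank_risks(inventory: dict[str, Asset]) -> list[tuple[str, str, int]]:
    """In-scope assets as (name, impact level, risk score), highest risk first."""
    rows = [(a.name, impact_level(a), risk_score(a))
            for a in inventory.values() if in_scope(a, inventory)]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


def out_of_scope(inventory: dict[str, Asset]) -> list[str]:
    """Assets the rule excludes; worth a second look before dropping them."""
    return sorted(a.name for a in inventory.values() if not in_scope(a, inventory))


# Constructed sample inventory for a small molding plant (illustrative only).
SAMPLE = {a.name: a for a in [
    Asset("erp-db", "10.0.1.10", None, "customer orders and pricing",
          "high", "high", "high", "moderate"),
    Asset("hmi-line1", "10.0.5.20", None, "molding recipes and setpoints",
          "moderate", "high", "high", "high"),
    Asset("plc-line1", None, "hmi-line1", "machine control logic",
          "low", "high", "high", "moderate"),
    Asset("temp-sensor-1", None, "plc-line1", "barrel temperature readings",
          "low", "moderate", "moderate", "low"),
    Asset("visitor-phone", "10.0.9.77", None, "nothing stored; network access only",
          "low", "low", "low", "high"),
    Asset("spare-label-printer", None, None, "nothing",
          "low", "low", "low", "low"),
]}

if __name__ == "__main__":
    for name, impact, score in rank_risks(SAMPLE):
        print(f"{score:2d}  {impact:<9} {name}")
    print("out of scope, review before dropping:", out_of_scope(SAMPLE))
```

Two things the ranking makes visible that a list of devices alone does not: the PLC and its sensor have no address of their own yet are in scope because they hang off a networked HMI, and a visitor's phone with nothing on it still scores above the sensor because its likelihood of compromise is high. The out-of-scope list is printed rather than silently dropped, since a device with no address today may be plugged in tomorrow.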
Cyber safety programs pay off
“A thorough risk assessment and a very strong risk management program,” said Dunston, “go a long way to help mitigate the most common threats.” He acknowledged that it takes time and company buy-in to inventory one’s cyber landscape, identify risks and implement a risk management plan. “However,” he said, “in every single project I have seen, at the very end, everybody was happy that they went through the process.” Dunston stressed that a company’s best allies for cyber security and quick response to threats are its employees, who are in the unique position of knowing the organization’s inner workings and being able to spot anomalies or suspicious activity.
“Going through this process is really good for a company,” Dunston said, “because, for one, you start to understand what is actually going on in your organization. And with that knowledge, you can prevent malicious people from harming cyber assets or gaining access to valuable, vital information.”
Resources to Help with Cyber Risk Assessments
With the assessment scope described, the system boundary defined, and the software and data characterized, the company can plan, implement and maintain a set of security controls. Dunston offered several sources of cyber security control information and recommendations:
National Institute of Standards and Technology (NIST) Special Publication 800-30 Revision 1, “Guide for Conducting Risk Assessments.” This document includes an introduction to risk assessments and enterprise-wide risk management, the fundamentals of the risk management process and risk assessments, and step-by-step guidance for assessing cyber security risks. www.nist.gov/privacy-framework/nist-sp-800-30.
“Workforce Management Guidebook” from NIST’s National Initiative for Cybersecurity Education (NICE). www.nist.gov/itl/applied-cybersecurity/nice/workforce-management-guidebook.
NIST Special Publication 800-171 Revision 2, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” a catalog of security requirements written for private industry; it describes the most common controls to have in place to mitigate and prevent the most common cyberattacks. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.
Critical Security Controls from CIS (Center for Internet Security), a prioritized set of controls that help prevent common cyberattacks. www.cisecurity.org/controls.
Publications and resources from the US Cybersecurity & Infrastructure Security Agency (CISA). www.cisa.gov/cybersecurity.
CISA’s Security Tip (ST18-007) “Questions Every CEO Should Ask about Cyber Risks.” https://us-cert.cisa.gov/ncas/tips/ST18-007.