Cybersecurity for Manufacturing: What You Need to Know
Manufacturers are the lifeblood of the American economy. They make up 11% of the country’s gross domestic product (GDP) and cement the United States' place as the second largest manufacturer in the world.
But, because of their importance to the US economy and their revenue, manufacturing companies are also high-value targets for attackers.
As a Managed Security Service Provider (MSSP), we know how crucial it is to keep unethical hackers out of IT infrastructure. So, in this article, we'll go over the following:
- Basic Cybersecurity for Manufacturers
- Cybersecurity Laws Manufacturers Should Know
- Industry Resources for Cybersecurity
By the end of this article, you'll know how you can start protecting your manufacturing company's cybersecurity.
Basic Cybersecurity for Manufacturers
According to the National Institute of Standards and Technology (NIST), Small to Medium Manufacturers (SMMs) are at the highest risk of cybercrime. Luckily, manufacturing businesses can lower their breach risk by adopting established frameworks and meeting the regulations that apply to them.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is a foundational, voluntary guideline for cybersecurity. Version 1.1 breaks the cybersecurity process down into five core functions (CSF 2.0, published in 2024, adds a sixth, Govern, covering policy, roles, and risk oversight):
1. Identify
Manufacturers need a complete inventory of the systems already running in the business, including the operational technology on the factory floor, not just office IT. Identification goes beyond listing the equipment in your network and evaluates the entire digital landscape through questions like:
- Who uses what device?
- What are the typical user behaviors?
- What programs commonly interact with each other?
Many SMBs and SMMs conduct network assessments to get a complete picture.
2. Protect
SMMs need to guard their data the way they guard their product secrets. Establish controls to protect your network: endpoint protection, firewalls, access control, and timely patching of every system.
Now's the time to ask questions like:
- What safeguards will you use?
- Who is allowed into your system?
- How do you maintain your level of security?
- Are your employees aware of ways to keep the data safe?
Remember that each of the three things you inventoried in the Identify step (the devices, the people who use them, and the programs that talk to each other) needs its own protection in this step.
3. Detect
Decide which tools and log sources you will use to detect intrusions, malware, and anomalous activity once an attacker is inside; after all, every system can be breached even if you follow all the cybersecurity guidelines. It's impossible to completely eliminate risk in today's threat environment, so the goal is to notice a compromise quickly.
4. Respond
Decide in advance how your IT department (or your MSSP) will react during a live attack. If a threat gets through your defenses, how will you respond, and who decides to isolate a machine or take a production line offline? What tools do you have to contain the attacker and minimize the damage?
5. Recover
It's a nightmare to lose your data. But you can limit the damage by deciding ahead of time how to recover from a complete business compromise: keep tested backups that are offline or otherwise isolated from production, and document the order in which critical systems are restored.
Manufacturers of all sizes can apply the NIST framework. While implementation involves more technical detail, having the right perspective is the start of keeping your IT infrastructure safe.
NIST Privacy Framework
The privacy framework provides guidelines for protecting, collecting, and storing user data. If you interact with suppliers or are a creator of IoT (Internet of Things) devices, the privacy framework is an important tool.
It's similar to the NIST Cybersecurity Framework but has the following five functions:
1. Identify
2. Govern
3. Control
4. Communicate
5. Protect
The main difference between the two frameworks, beyond the obvious difference in the type of data protected, is the emphasis on communication with the people whose data you hold. The privacy framework expects you to explain to users how their information will be processed.
SMMs are encouraged to implement the privacy framework when collecting user and customer information.
Factory Floor Cybersecurity
Today's factory floor has attack points that didn't exist in previous years. Manufacturers need to adapt and evaluate the following parts of the factory floor:
1. Computers
They should lock the session automatically after a period of inactivity and require the user to authenticate again to resume.
2. Removable Media
Removable media refers to devices like thumb drives and external hard drives. They're easily lost or stolen and should not store any sensitive information. Only removable media issued by the company and dedicated to business purposes should be allowed on the factory floor, and those drives should be encrypted.
3. Hard copies
Printed network diagrams, procedures, and credentials can give an intruder a map of your IT infrastructure. Keep all hard copies in a dry, secure location and shred them when they are no longer needed.
4. Training
Ensure your staff know the most common cybersecurity threats and stay alert when using company devices. They should also know how to report and respond to any cyber threat that comes their way.
5. Mobiles
Mobile devices are easily lost or compromised, and they become a path into your IT environment if your employees can reach the internal network from their phones. Ensure your staff install security updates promptly, use complex PINs or passcodes, and avoid public Wi-Fi when connecting to company resources.
Read: "Mobile Device Management: What Is MDM and Who Needs It?"
6. Network
Your attack surface grows as the factory floor makes more room for automation. Any device with an IP address and an internet connection is a door an attacker can force open if you don't keep it patched and protected. Segment production networks from office IT so that a compromised workstation cannot reach the machines directly.
7. Access
Limit physical access to your factory floor to authorized staff. Any visitors should be escorted at all times.
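The Removable Media item above sets a policy (only company-issued drives on the factory floor), and the Detect step earlier asks what tooling you will use to notice violations. The script below is an added example, not code from the original article or from the MSSP: it runs a detection rule over a few constructed, syslog-style mount events (the `usbmon:` line format, the host names, the drive serials and the owner mapping are all assumptions for the example) and raises an alert when a drive that is not on the allow-list is mounted on a factory-floor host, or when an approved drive is used by someone other than the person it was issued to.

```python
import re
from dataclasses import dataclass

# Constructed sample log. The "usbmon: mount ..." line format, the host names and
# the drive serials are assumptions made for this example, not output of any real tool.
SAMPLE_LOG = """\
2024-03-04T06:12:41Z cnc-cell-01 usbmon: mount serial=4C530001230223114172 label=WORK_PLC_BACKUP user=jdoe
2024-03-04T06:15:02Z cnc-cell-01 usbmon: mount serial=0781A6D2E3F4 label=MUSIC user=jdoe
2024-03-04T07:48:13Z office-hr-03 usbmon: mount serial=0781A6D2E3F4 label=MUSIC user=asmith
2024-03-04T09:01:55Z cnc-cell-02 usbmon: mount serial=4C530001230223114199 label=LINE2_RECIPES user=mlee
2024-03-04T09:03:20Z cnc-cell-02 usbmon: mount serial=4C530001230223114172 label=WORK_PLC_BACKUP user=mlee
2024-03-04T09:04:10Z cnc-cell-02 sshd: Accepted password for mlee from 10.20.1.5
"""

# Allow-list of company-issued drives, mapped to the employee each was issued to
# (hypothetical serials and owners).
APPROVED_MEDIA = {
    "4C530001230223114172": "jdoe",
    "4C530001230223114199": "mlee",
}

# Hosts that sit on the factory floor, where the removable-media policy applies.
FACTORY_FLOOR_HOSTS = {"cnc-cell-01", "cnc-cell-02"}

# Matches only the mount events; every other line (sshd, etc.) is ignored.
MOUNT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) usbmon: mount serial=(?P<serial>\S+) "
    r"label=(?P<label>\S+) user=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    serial: str
    reason: str


def parse_mount(line):
    """Return the fields of a mount event as a dict, or None for any other line."""
    m = MOUNT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_media_violations(log_text, approved=APPROVED_MEDIA, floor_hosts=FACTORY_FLOOR_HOSTS):
    """Apply the factory-floor removable-media policy to a block of log lines.

    Two rules are checked, in order:
      1. a drive whose serial is not on the allow-list was mounted on a floor host;
      2. an approved drive was mounted by someone other than its assigned owner.
    Mounts on hosts outside the factory floor are out of scope and not alerted on.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_mount(line)
        if ev is None:
            continue  # not a removable-media event
        if ev["host"] not in floor_hosts:
            continue  # policy is scoped to the factory floor
        owner = approved.get(ev["serial"])
        if owner is None:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["serial"],
                                "unapproved removable media on factory floor"))
        elif owner != ev["user"]:
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], ev["serial"],
                                f"approved media issued to {owner} mounted by another user"))
    return alerts


if __name__ == "__main__":
    for a in detect_media_violations(SAMPLE_LOG):
        print(f"{a.ts} {a.host} user={a.user} serial={a.serial}: {a.reason}")
```

In practice the input would come from your endpoint agent or SIEM rather than a string, and the allow-list from the same asset inventory you build in the Identify step; the rule logic stays the same. Note that the personal drive mounted on `office-hr-03` produces no alert here because the rule is scoped to factory-floor hosts, which is a deliberate choice you may or may not want for office machines.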
Cybersecurity Laws Manufacturers Should Know
The United States requires manufacturers to follow strict laws and regulations from multiple entities, depending on their products. Here are some of the most common rules and guidelines manufacturers should follow.
- Defense Federal Acquisition Regulation Supplement (DFARS): for manufacturers in the defense supply chain; clause 252.204-7012 requires NIST SP 800-171 controls wherever controlled unclassified information is handled
- The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130): for manufacturers that export or temporarily import defense articles and defense services
- Payment Card Industry Data Security Standard (PCI DSS): for manufacturers that use credit card data for transactions
- Sarbanes-Oxley (Pub L. 107-204): for publicly traded manufacturers
- State privacy laws: for manufacturers in specific states.
- The Children's Online Privacy Protection Act (15 USC §6501 et seq.): for manufacturers collecting information about minors
- The Federal Trade Commission Act (15 USC § 41 et seq.): for all manufacturers' awareness regarding the FTC's ability to sanction organizations failing to follow cybersecurity & privacy best practices
- The General Data Protection Regulation (GDPR): for manufacturers using, collecting, and transmitting data from EU residents
If you are a US government manufacturing supplier, you must follow the minimum cybersecurity standards set by FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems). If you supply the DoD and handle federal contract information or controlled unclassified information, you will also need a Cybersecurity Maturity Model Certification (CMMC) at the level your contract specifies.
Ready to begin improving your company's cybersecurity?
Overall, manufacturing companies must follow cybersecurity and privacy frameworks as well as the regulations that apply to their products and services.
But that's easier said than done.
Luckily, as an MSSP, we've made it easy for companies to take the first step in the NIST cybersecurity framework. Learn about how we can help you with your journey towards a more secure IT environment by reading our article How ITS Cybersecurity Can Help Your Growing Business.