Tabletop exercises with senior leaders, evaluating employee reports of risk and engaging training programs should be part of plants’ regular safety procedures.
The manufacturing industry has a strong culture of evaluating risks to human safety and managing those risks by deploying controls, such as safety procedures and employee training.
Yet cybersecurity has historically been held apart, based on a belief that it is somehow different. As the world moves to Industry 4.0, it’s time for manufacturers to remove the artificial wall between risks to safety and risks to cybersecurity and take a comprehensive approach towards managing business risk.
It would be unthinkable for a manufacturing company to not have policies and safety procedures to effectively reduce the risk and impact of a fire that could lead to the loss of human life and a plant shutdown. These compliance operations include regular safety inspections, teaching employees to follow equipment safety checklists and providing employees with a means to report risks, such as near misses.
However, consider that earlier this year, an industrial leader was forced to shut down its manufacturing plant due to a fire caused by a piece of malfunctioning equipment. This was not due to a physical defect or a lack of safety inspections; rather, it was due to a successful cyberattack. While such kinetic cyberattacks have often been the stuff of Hollywood films, they are real, and they cause significant physical and financial damage.
Fortunately, there are several steps that manufacturers can take right now to better secure their plants – and people – against future attacks.
1. While preventing cyber accidents can be described as every employee’s responsibility, meaningfully incorporating this new behavior into a company’s culture must start with senior leadership. C-suite executives can model good cybersecurity not only by conducting risk assessments that incorporate cyber risks, but also by taking part in tabletop exercises designed to test an organization’s incident response procedures across the entire company. These tabletop exercises will often find communication breakdowns between organizational silos, where leaders, counsel and incident responders may all have vastly different views of an incident.
2. Managers and individual contributors should have a way to report cyber incidents and risks, which is a similar process to reporting workplace accidents and near misses. Although the terms vary, this behavior is a cultural touchstone for manufacturing businesses. By evaluating employee reports of cyber risks, organizations can both identify new and emerging risks as well as evaluate the effectiveness of their cybersecurity training programs. This should also be as simple as possible: a quick email, or a form to complete with the results sent to the risk management committee to consider and process.
3. To be effective, cybersecurity training programs need to be engaging, appropriate to the audience’s job roles and free of victim shaming. While there is no single right way, an annual hour-long monotonous PowerPoint presentation is just as ineffective as sending test phishing emails to users once a day and publicly posting a list of who clicks on the most links. Training should instead focus on the risks identified by senior management, by employee reports and by industry- or company-specific threat intelligence. For example, if USB sticks are in common use, training should cover USB sticks. Similarly, if the manufacturing process involves using virtual desktops or remote desktop viewing to access control systems, those employees should learn how to safely access remote systems and how to use identity controls such as multifactor authentication.
4. Finally, to close the loop on these cultural changes, manufacturing companies should evaluate the effectiveness of their security controls regularly, much as they perform regular safety inspections. Regular evaluations of whether cybersecurity controls are operating and effective can be automated to a greater degree than physical safety inspections. For example, companies that face a risk of phishing attacks can evaluate the effectiveness of their training program – a common mitigating control – by counting how many people have finished the training within 30 days of it being assigned, or by measuring behavior changes, such as how many phishing emails are reported by employees. Almost all cybersecurity platforms can produce machine-readable reports that can be automatically validated as evidence of control effectiveness.
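To make the metrics in step 4 concrete, here is an added example (not from the article, and not Hyperproof’s or any vendor’s tooling) that scores two controls from constructed platform exports: training completion within 30 days of assignment, and phishing-simulation report and click rates. The export format, the field names and the pass/fail thresholds are assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample export from a training platform (hypothetical format).
TRAINING_EXPORT = [
    {"user": "a.lee",   "assigned": "2024-03-01", "completed": "2024-03-10"},
    {"user": "b.ortiz", "assigned": "2024-03-01", "completed": "2024-04-15"},  # 45 days: late
    {"user": "c.nair",  "assigned": "2024-03-01", "completed": None},          # never finished
    {"user": "d.kim",   "assigned": "2024-03-05", "completed": "2024-03-05"},
]

# Constructed sample export from a phishing simulation, one row per email sent.
PHISHING_EXPORT = [
    {"user": "a.lee",   "clicked": False, "reported": True},
    {"user": "b.ortiz", "clicked": True,  "reported": False},
    {"user": "c.nair",  "clicked": False, "reported": False},
    {"user": "d.kim",   "clicked": True,  "reported": True},   # clicked, then reported it
]


def completed_within(records, days=30):
    """Return (on_time, total): assignments finished within `days` of being assigned."""
    on_time = 0
    for r in records:
        if r["completed"] is None:          # unfinished assignments count against the control
            continue
        elapsed = date.fromisoformat(r["completed"]) - date.fromisoformat(r["assigned"])
        if timedelta(0) <= elapsed <= timedelta(days=days):
            on_time += 1
    return on_time, len(records)


def phishing_metrics(rows):
    """Click and report rates across all simulated emails sent (0.0 if nothing was sent)."""
    total = len(rows)
    clicked = sum(1 for r in rows if r["clicked"])
    reported = sum(1 for r in rows if r["reported"])
    return {"click_rate": clicked / total if total else 0.0,
            "report_rate": reported / total if total else 0.0}


def control_checks(training, phishing, min_completion=0.75, min_report=0.5, max_click=0.25):
    """Evaluate each control against an assumed threshold; True means the control passes."""
    on_time, total = completed_within(training)
    completion_rate = on_time / total if total else 0.0
    pm = phishing_metrics(phishing)
    return {
        "training_completion_30d": completion_rate >= min_completion,
        "phishing_report_rate": pm["report_rate"] >= min_report,
        "phishing_click_rate": pm["click_rate"] <= max_click,
    }
```

A failing check here is a signal for the risk management committee to revisit the training, not a verdict on individual employees.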
Cultural change takes time and is a journey, not a destination. Senior leaders, managers, and individual contributors all have a role and responsibility in ensuring that manufacturing companies stay safe from cybersecurity risks. Elevating cyber risks to the same level as safety risks will help companies to comprehensively understand and manage their risks now and in the coming years.
Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.