Managing Cyber Risk and Threats: Returning to Foundational Principles

Every day there is news of another cyberattack. There was the SolarWinds hack earlier this year that affected major companies, including Microsoft, Intel and Cisco; the Colonial Pipeline attack that disrupted oil and gas supply due to precautionary operational shutdown; and the LockBit ransomware attacks that have most recently impacted global consulting firm Accenture, and the list goes on. Revelations of hacking from independent criminal organizations and state-sponsored groups are causing increasing levels of concern within company boards, government directorates and legislative bodies.

These cyberattacks are not necessarily using new attack techniques, and they are unfortunately becoming more severe and more frequent. While no manufacturing organization can guarantee it will never be affected by one, there are foundational actions business and cybersecurity leaders can take to remove silos, operate holistically and implement best practices to reduce risk from these types of threats.

We know these concerns are top of mind for the industry and work with customers every day to help create a strong foundation and minimize risk. Here is the basic guidance we most frequently recommend our manufacturing customers put in place.

Engage in Business Operations Mapping
Manufacturers must map their business and manufacturing systems to each function, revenue stream or mission. This will help provide understanding and ownership of each process and achieve business continuity and resiliency objectives around cyberattacks, much like business crisis management scenarios. Typically, business operations mapping requires executive sponsorship for cross-functional stakeholders, including manufacturing operations, plant cybersecurity, IT security, manufacturing systems and enterprise systems, to participate. This can be a heavy lift, so be prepared to learn a lot and seek guidance to assist with implementing a framework approach.

Thoroughly Analyze Threats
Manufacturers should also perform a thorough threat analysis. It’s best practice, as part of this process, to review the MITRE ATT&CK matrices, specifically the recently developed MITRE ICS ATT&CK Matrix, which is based on a global knowledge base of adversary tactics and techniques used in real-world attacks.

Assess Cybersecurity Protection
It’s important to determine and evaluate the cybersecurity controls and operations currently in place through a cybersecurity assessment or audit. This should include evaluation of three main pillars: people, processes and technology, with a focus on people and upskilling for new technologies and processes. Technology works, but people drive success. For the assessment, it’s better to work with an automation vendor, like Emerson, which has expertise in the area and is familiar with industrial control systems and operations.

Develop A Defense Strategy
Using learnings from the threat analysis and cybersecurity assessment, companies should develop a defense-in-depth strategy to address weaknesses and mitigate risk in all operations that could be impacted by direct cyberattacks, indirect cyberattacks or loss of operational capabilities. This strategy should include a risk-based prioritization of any gaps or threats to ensure the major risks are addressed first, ensuring controls resiliency.

Evaluating those same three pillars of people, processes and technology, we often see customers find value in seeking outside resourcing, training or upskilling their people, or changing certain processes, technological controls, systems or architectures to ensure a robust defense. The action plan should also be aligned to the organization’s business continuity and disaster recovery plans – just like an operational outage from errant systems or failed hardware, cyberattack response plans need defined, active processes with objectives focused on containment and recovery time objectives.

This defensive strategy should include planning for worst-case scenarios. For a manufacturing facility, for instance, having a clear backup plan for computer systems failing, plus hard copies of orders, labels and contacts, can be vital to keep manual operations going if computers go down. This may not be possible in every scenario, but having frequently reviewed backup and continuity plans will put companies in the right position to remain operational even in the event of a cyberattack.

Regularly Review & Update for Efficacy 
Once the defense-in-depth strategy is in place, it should be tested and reviewed methodically, purposefully and regularly to ensure it is effective and does not jeopardize ongoing operations or introduce other risks. Roles, responsibilities and employee trainings should be updated when any new practice and technology is implemented.

Manufacturers should take action now to understand the magnitude and types of cyber threats their companies are facing. The threats and cyberattacks are real and are growing at a significant pace. Cybersecurity should be top of mind for manufacturers and all companies to ensure appropriate proactive and defensive cybersecurity operations and controls are in place to protect important data, processes and business operations. Business leaders should contact their cybersecurity leaders to find out what they really need to be successful, then establish urgency and support from the board level to assess, understand and manage these risks.