Nine Simple Steps to Machine Security

9 Steps to Machine Security - May 2021 Newsletter

You and I have heard plenty over the last 18 months or so about manufacturing security. Recently, Honda was subject to a ransomware attack that made it difficult to access servers, emails and affected Japanese production. Norsk Hydro, a metals manufacturer, was a victim of a ransomware that caused it to halt production at its 170 plants, eventually costing $71 million. In 2018, TSMC, an Apple supplier, had a virus attack that disrupted production and resulted in $170 million of losses. There are many more examples.

Before you start looking at cybersecurity appliances and complicated software systems to protect yourself, you can AND should do a lot to protect yourself long-term. Here are some simple and inexpensive actions you can take today.

#1—Lock your doors

I shouldn’t have to mention this, but there are too many places where anyone can walk directly onto the manufacturing floor from the parking lot. Too many places where the back doors are all open on a nice summer day to let fresh air in. This is really simple. Start by improving your physical security. Know who is on your factory floor. Everyone must wear a badge that identifies who they are and what they are doing in the plant.

#2—Block all USB ports

If you do nothing else, adopt one hard and fast rule: NO USB PORTS ON THE FACTORY FLOOR. Many attacks are perpetrated using USB drives. You can order your computers without USB drives or disable USB drives for current machines. You can do this in the Windows registry, using the device manager or using third-party freeware. Even if a knowledgeable person could reenable a USB drive, you’ve stopped the accidental introduction of a virus into your manufacturing system.

#3—Disable Autorun

Autorun is the Windows feature that allows removable media such as CDs, DVDs, and USB drives to open and run automatically when they are detected. By disabling Autorun, you can prevent malicious code from infected media from opening and running automatically.

#4 Keep everyone paranoid about phishing attacks

Phishing attacks get better and more sophisticated all the time and are a huge threat to your manufacturing system. Millions of these messages are sent everyday masquerading as legitimate emails asking to open some document or click on a link. One popular method is to create slightly different domain names. For example, substitute an ‘rn’ where an ‘m’ would be in the domain name. The attackers rely on our eyes to see what we expect to see. In another attack, you get a message that you’ve been mentioned in a social media post with a malicious URL for you to click on.

These attacks change all the time, and automated prevention is difficult to achieve. The best practice is to continually remind your staff about how benign these emails look and how deadly they are. One company I know has their IT team send out semi-regular phishing emails themselves, and then see who in the company opened it.

Remind your staff that social media posts are used by hackers to impersonate them and as keys to guessing passwords and answering security questions. How many people post pictures of their pets and use their pet’s name as a password or part of a password?

#5—Turn off unused switch and router ports

There isn’t any need to make it easy for anyone to plug into your manufacturing network. Disable or lock every unused switch and router port. And don’t forget about the last RJ45 port at the end of a linear segment. Of course, your technicians will need access to troubleshoot PLC or network issues. Keep those access ports in your locked PLC cabinet, or add a special access enclosure for that “convenience port” for your technicians to use. Everyone else that needs access to your manufacturing network should come through your IT network where they can be subjected to authentication and authorization by your firewalls and security processes.

#6– Validate any changes to your managed switches

One of the biggest cybersecurity attacks was conducted against a company with an open firewall port. Managed switches are complex, difficult-to-configure devices and it’s easy to misconfigure one. Anytime there is a change to a VLAN, a firewall or a NAT table, make it a practice to have it approved by a second person on your manufacturing or cybersecurity team and, of course, make sure that the change is documented.

#7—Use complex and ever-changing passwords

I toured a manufacturing plant last year with a very large and impressive control room containing about a dozen terminals providing access to all their different manufacturing systems. Every single one of the monitors had a Post-It note with the password for the system. Without any effort, I could have easily stolen those passwords. And they weren’t passwords like “KoF9hM!Q2wrqJ$wi” either. “Boathouse”, “Ford Ranger” and “watersys” wouldn’t have been hard for me to recall later. Unfortunately, this isn’t unusual. The most common password is still “123456.” Using simple, never changing passwords is like putting milk and cookies out to welcome Santa Claus.

#8– Disable Remote Desktop on your manufacturing servers

This should be another hard and fast rule; don’t use Remote Desktop. Over time, it’s proven to be an open door to attackers to access your manufacturing system. It’s insecure. Disable it.

#9– Don’t share user accounts

We’ve come a long way since the early days of the internet when many organizations shared a single email account. Today, there is no reason for anyone to share login credentials, let alone the credentials to access a manufacturing system! Those account credentials represent all the company resources that you are personally authorized to access. Enforce the rule against ANY sharing of user accounts or login credentials.

There are many different approaches, tools and mechanisms to counter the nation-states, profiteers, and hackers in their mothers’ basements probing your manufacturing system. Some manufacturing cybersecurity systems require adding devices throughout your manufacturing system. Some require upgrading every single device on the manufacturing floor. Others simply monitor messages and send out alerts on suspicious activity. But before investing in any of these complex and costly options, take the no cost, simple actions outlined above. These practices will go a long way to securing your manufacturing plant floor at nearly zero cost.