Perhaps no other industry is fueled by its supply chain in the same way as the manufacturing sector. Third parties provide not only the parts and components necessary to maintain reliable production processes but also the software and services that ensure devices and machines are available and behaving as expected.
It’s incumbent upon the enterprise to manage these relationships with cybersecurity as a foremost priority, in particular locking down access to critical systems and adequately managing and assigning privileged access to third parties. Many third parties require remote access to process control systems for routine maintenance, system upgrades, and security issues. Enterprises without proper visibility and controls into remote access are exposed to attacks that could impact productivity and put worker and public safety at risk.
This risk has intensified since the COVID-19 pandemic, when remote work was normalized. The pandemic prompted a flurry of new reliance on cloud-based management systems, web-based applications, access to industrial processes, and third-party portals. Attackers recognized the opportunity, and in parallel saw an opportunity to cash in with ransomware and extortion-based attacks. The hardest part, it seemed, was finding a target intolerant of downtime whose hand would be forced in terms of paying a ransom or extortion demand to restore full access to systems and/or prevent a public leak of stolen data and company information.
Since the manufacturing industry—one of 16 critical infrastructure sectors as deemed by the Cybersecurity Infrastructure & Security Agency (CISA)—has numerous dependencies within other critical sectors, including water and wastewater, energy, chemical, and transportation, the ripple effect of a successful cyberattack against a supplier, for example, could have devastating impact downstream.
What follows are a handful of best practices meant to soften the risks posed by third-party access within the manufacturing supply chain.
Manufacturers are supported often by dozens of partners, service providers, vendors, and others who provide necessary resources and services to keep operations running smoothly. The efficiencies brought on by connected cyber-physical systems allow these third parties to remotely troubleshoot production systems, for example. In these remote sessions, vendors and service providers can manage configurations and configure devices from anywhere. Devices such as programmable logic controllers (PLCs), human-machine interfaces (HMIs), and other systems capable of influencing a manufacturing process should never be directly exposed to the internet.
Manufacturers should deploy secure remote access capabilities—a virtual private network tunnel at a minimum—as a go-between for third parties and manufacturing networks. Directly exposing these systems to the internet exposes companies to undue risk; attackers can use internet-scanning services such as Shodan to enumerate devices directly communicating online. Armed with exploits for any known vulnerabilities in a particular PLC or other industrial control system, an attacker can try attacks at scale that can deliver at least an initial foothold onto the industrial network.
From a governance perspective, manufacturing enterprises must rein in privileged access for suppliers, third parties—and employees. Traditional remote access technologies such as Microsoft’s remote desktop protocol are a favorite for remote administration of systems; RDP is largely an open specification and allows connections from almost any operating system. Cobbling together a remote access strategy from legacy or freely available technology is troublesome because RDP and other remote access solutions can be by default too permissive. Policies should demand and enforce:
Regular audits of permissions
Define roles and determine necessary permissions based on those roles
Prevent the sharing of credentials among admins and others
Implement multifactor authentication for any remote access to control systems, devices, and the manufacturing network
Attackers are refining their capabilities in order to target manufacturers. Overly permissive third-party access designed to simplify the job of internal admins or supply chain partners are prime targets for attackers looking to access networks and move laterally in order to steal data or drop additional malware and exploits.
A zero trust security model assumes anything attempting to access a network or system cannot be trusted. Access must be validated for each attempt, and privileges must be minimal in accordance with a third party’s or employee’s role. For manufacturing environments, zero trust is an optimal strategy, one that includes not only strong access controls, but also network and system monitoring to ensure prompt response to any incident.
John Kindervag, a longtime cybersecurity analyst who coined the term zero trust, advises that organizations prioritize critical and dependent systems, i.e., the data and systems most valuable to the services your business provides, and then map out who needs access to those resources. Enforcing the principle of least privilege is a must, he said, and all of this must be complemented by adequate network monitoring in order to understand traffic and strengthen connections to those critical systems.
The National Security Agency (NSA) echoed this approach in a 2021 paper on the zero trust model, in which it advises organizations to “architect from the inside out,” meaning identify critical data, assets, applications, and services and secure all paths that may access them. The NSA’s guiding principles for zero trust should also be familiar:
Never trust, always verify: Not only users, but application workflows and data should be considered untrusted; least privilege is applied here
Assume breach: Deny by default and monitor all requests for access while assuming you’ve been breached
Verify explicitly: Grant access to resources only after multiple, varying checks that apply a confidence rating to a request for access to a resource
Third-party access is a foundational requirement for manufacturing environments as supply chain partners, including vendors and service providers, require access to critical systems for updates and routine maintenance.
Manufacturing organizations can take steps to prevent costly breaches and unauthorized access to these critical systems.
First and foremost is the implementation of a secure remote access solution that allows organizations to audit access requests and limit privileged access based on roles.
Role-based access control, meanwhile, must be a strategy to consider given that it allows for enforcement of the principle of least privilege; by policy, manufacturing organizations must also lock down sharing of credentials and implement multi factor authentication.
All of this supports a zero-trust security model for manufacturing, one that includes not only strong access controls, but also complements those with network monitoring to alert against anomalies in the event of a breach.
Jim LaBonty is the retired Director and Head of Global Automation Engineering for Pfizer's Global Engineering & Technology division. In this role he primarily focused on establishing the strategic direction and harmonizing control system solutions across 42 manufacturing sites globally, including securing the development of Pfizer's COVID-19 vaccine. Previously, LaBonty held senior engineering and system architect roles at Rockwell Automation, Eli Lilly & Company, and Eastman Kodak Company. He now leverages his decades of experience to help firms with their corporate OT cyber strategy and global program execution, with the goal of protecting manufacturing.
