Manufacturing Council meeting stresses preventive steps to guard against hacking of IT systems.
The results can be disastrous.
Stolen financial information. A complete plant shutdown. Intellectual property theft. A hefty ransom for recovery of an IT system.
Yet many manufacturers do not have systems or protocols in place – call it cybersecurity – to prevent the hacking of their computer systems. And that could be a very costly mistake, according to a panel of cybersecurity specialists who presented at the Buffalo Niagara Partnership’s Manufacturing Council meeting recently.
Panelist William Prohn, CISSP, CISA, Managing Director of Systems Consultants at Dopkins & Company, brought expertise in cyber threats and IT security from the accounting firm’s point of view. Anna Mercado Clark, Partner with Phillips Lytle LLP, shared her knowledge and experience as an attorney specializing in digital forensics and data security. Steve Zenger, President & CEO of Zenger Group, Inc., detailed some of his firm’s experiences with cybersecurity as a leading print company with multiple locations in Western New York.
It can’t happen to me.
The panel opened by pointing out that many manufacturers do not think they are a prime target for hackers. In fact, Anna Mercado Clark said the manufacturing sector is on pace to become the second most targeted industry next to financial institutions. So it is more important than ever for manufacturers to have preventive systems in place.
Bill Prohn explained that hackers are not necessarily looking for manufacturers specifically, but rather are trolling in cyberspace looking for vulnerabilities. Think of your building, where a thief might bang on the doors to find one that is open. Once hackers find a way in, the threat is not always just stolen information; it is the shutdown of the manufacturer’s IT system, followed by a ransom demand in order to get it back up and running. In such a scenario, production capability could be shut down for weeks while the problem is resolved.
Steve Zenger shared his company’s experience with the challenges of cybersecurity for manufacturers. Zenger Group operates $5 million Heidelberg presses with PCs running Windows XP embedded in the equipment. There are no longer patches or updates available for Windows XP, leaving the PCs vulnerable to hackers. Adding in other controls and rewriting software for the presses is an expensive proposition. In order to protect the operation from hackers, Zenger has isolated the presses and pulled them off the main network, using internal systems for sharing and utilizing data for the presses.
All three panelists agreed there are not always easy answers to preventing hackers and every manufacturing business is different. But there are some general rules to follow and basic preventive steps any manufacturer should have in place. These include:
- Isolate key systems that are not necessary for production – for example e-mail systems, employee data, etc.
- Limit outside vendor access – retain data and work with vendors through outside systems where possible. Assess the risk management of the vendors you work with. (The hacking of Target that was in the news recently occurred through an HVAC company that had access to the retailer’s system.)
- Manage data – know what data you have and minimize the data you maintain.
- Have a business continuity plan – prepare a plan as if you will be cyber attacked. Have printouts of key data so that production can continue, especially during a ransomware attack.
- Create an internet response plan – delegate responsibilities to employees, including PR people, the legal department, and IT team in case of a cyber attack. Know who to call first – attorneys, etc.
- Perform a risk analysis – evaluate your IT system from your perspective to identify vulnerabilities that may be specific to your company.
- Back up offline – while this may seem obvious, the panel noted how often a backup system is part of the overall IT structure. Use off-site backup if possible.
In concluding the panel discussion, the specialists advised that IT should not be looked at like a copy machine or other piece of equipment. It is often the lifeblood of the operation. What’s more, having an IT team does not necessarily mean you have an IT security team. By all means, listen to your IT people, but turn to outside security experts when you need to.
Get your entire organization – from the CEO and board members to customer service personnel – to understand the value of IT security. If your IT system is vulnerable, address it in phases – look at what you can do now and what you can do down the road. Like fire or theft, hackers can put a company out of business. Take steps now to prevent damage from cybersecurity threats.