Shore up your shop cybersecurity in 10 steps

Almost every shop has an active directory—start there by cleaning it up. Then move on to your network and do the same. Nutthaseth Vanchaichana/iStock/Getty Images Plus

There are many buzz words out there related to cybersecurity – phishing, hacking, ransomware, data breach, and encryption. Every time you turn on the news there is another story of bad actors attacking individuals, businesses, and critical infrastructure. Security is a real concern when it comes to the digital world, and while threats continue to grow and evolve, there are ten easy steps that all machine shops can take to help ensure they have done everything possible to mitigate risks.

“In a lot of ways, investing in cybersecurity is like insurance,” said Colin Gregor, channel sales manager, Canada at Moxa Americas, Brea, Calif. “You certainly hope you never have to use it, but if something comes up, you sure hope you have enough coverage ¬¬in place.”

1. Take It Seriously

It’s not unusual for some companies to write off cybersecurity as not their problem, thinking that they are not a target because of their size and reach. But the truth of the matter is that small to medium-size shops are just as much targets for cyber criminals as anyone else.

“Bad actors don’t care about your size,” said Michael Maxwell, IT manager, Horn USA, Franklin, Tenn. “They will hold you for ransom, just for less money, and that can still be a big amount for a small shop. And while smaller machine shops may not be able to address cybersecurity in the same way that large corporations can, taking it seriously can make all the difference.”

For the second consecutive year, the manufacturing industry was the most attacked sector according to IBM Security X-Force Threat Intelligence Index 2023. The report cites that the manufacturing industry's low tolerance for downtime makes it an easy target for cybercriminals’ extortion attempts.

“Understand, as a manufacturer, you are the biggest target right now,” said Maxwell. “When bad actors gain access to your system, it’s exciting for them because they know they’ve got you and can disrupt your business. They can ask for money knowing that if you don’t pay, it can halt business and ruin your reputation with customers.”

2. Just Start Simple

The first step any shop can take when it comes to cybersecurity is to do a business and security assessment.

“Determine if you have the expertise or not to ensure your company is secure,” said Gregor. “If you don’t, then you need to talk to someone with that expertise. From there, you can develop and plan, looking at both your risks and needs, which will constantly change and evolve over time.”

It’s important not to get too complex too quickly. Don’t add unnecessary complexity to the process, at least at the beginning.

“Focus on the core of your business and ensure it’s secure,” said Maxwell. “If its unorganized or unsecure, then it will be really hard to build a good foundation for a cybersecurity posture. You don’t need a master plan to start. Your cybersecurity is not going to be perfect, it never will, but simplicity makes it easier to secure. You just need to start.”

Whether its customer and project information, employee records, or manufacturing process data, make sure that the data is securely backed up. TU IS/iStock/Getty Images Plus

3. Understand Your Budget

Not all manufacturers are going to have the same amount of capital to put towards cybersecurity. In starting simple, your budget will help determine your investment level.

“Small machine shops don’t necessarily have the knowledge, personnel, or budget available for big, fancy systems,” said Gregor. “Right now, with unemployment being as low as it is, especially in the IT and programming space, it can be challenging to find qualified people. And when you can, starting salaries can be rather high. Do you have the budget to pay someone to be a full-time employee? The more important action is to develop a security action plan with goals which can monitored and assessed.”

Having a budget line dedicated to cybersecurity should encompass both systems and personnel to ensure that there is an ongoing effort to thwart risks.

4. Look at Paid and Free Tools

After the budget is set, it’s important to explore different cybersecurity tools, not all of which come with a steep price tag. In fact, there are many great open-source, free software options available.

“Take advantage of the free tools,” said Maxwell. “These are sometimes the most valuable tools in your arsenal. For example, NetFlow Analyzer tools will help you analyze network traffic and let you see what is going in and out of your network. These tools will give you a base line and a snapshot of what’s going on day to day.”

5. Partner With a Security Firm or VAR

For those shops that don’t have the budget to hire a full-time cybersecurity expert, there are no shortage of companies and experts out there willing to offer their services. Just be sure to choose one that aligns with your needs.

“Searching for a security value-added reseller (VAR) is a great option for shops that don’t have the budget space to hire a full-time employee,” said Gregor. “A security VAR is often a cybersecurity expert with the technical knowledge to help support cybersecurity efforts. Once you find a VAR or system integrator that fits your needs, you would hire them as a service contract. Getting a referral from other businesses in the area can help ensure that the person you are working with is right for the job.”

Gregor noted that it’s important to go into the process with an idea of what you want. Select three areas that you want to improve or three risks that need to be mitigated. This way, you can narrow down the best candidate based on his or her answers to your specific needs and questions.

6. Clean Up Existing Processes

Evaluate existing processes and find ways to clean them up so good cybersecurity practices can be built upon them.

“For example, almost every organization has active directory,” said Maxwell. “Start there. Active directory manages the computers and users. Clean that up, make it as secure as possible, and then move to your network and clean it up, and then expand from there.”

What's most important to you? What makes the most money? What hurts the most when it's not working? Is there intellectual property that, if leaked, would be detrimental to your organization? Document those things. It’s all about understanding your business and what’s really important to keep it functioning.

7. Silo Your Departments

In the past few decades, there has been an effort to integrate and connect various aspects of a business– whether that’s connecting the front office with the shop floor or bringing certain aspects of the business online or connecting them to a larger network.

“There is a concept in the IT world called Zero Trust,” said Maxwell. “It's a set of principles and a framework that can help with cybersecurity.”

According to Microsoft, Zero Trust is a high-level strategy that assumes that individuals, devices, and services that attempt to access company resources, even those inside the network, cannot automatically be trusted.

“This means that when something is accessing the system, it can’t immediately do whatever it wants,” said Maxwell. “It calls for a siloing of your business segments, like separating the front office and manufacturing production. Those two areas really don't need to talk a whole lot. Following this model, shops should silo those as much as possible. That way, if the front office is hit by a bad actor, it doesn’t automatically mean manufacturing will be affected. It’s a great way to build your IT infrastructure.”

8. Talk to Your Service Providers

Another area of opportunity comes from service providers. Many manufacturers work with a number of different service providers, whether it’s their internet, cloud services, ERP/MES, or the like.

“We are seeing more and more service providers moving in the cybersecurity space,” said Gregor. “Check in with yours to see what is available to add on to existing systems. Many of today’s internet providers will sell you a security portfolio package with it. It’s an easy way to secure certain aspects of your business.”

9. Have an Updating and Patching Plan

Any size company needs a great patching and updating plan and policy. If you miss a month, that could be the month that bad actors take advantage of the security lapse.

“Whether you have 10 or 10,000 employees, you need to rethink the systems you have in place and find out how you can automate them as much as possible,” said Maxwell. “It doesn’t have to be complicated but it's important to take care of the highest-priority items.”

For example, without upgrading and patching, criminals can gain access to and encrypt shop data. They can even lock up everything so that the manufacturer no longer has access. In order to regain access, the company would have to pay the ransom demand.

“We are seeing more and more bad actors change their behavior,” said Maxwell. “Instead of going in and gaining control immediately, they get in, wait there for several months, and they slowly exfiltrate data from the systems, slowly get as much as they can so as not to alert anyone. And then when they're ready to attack, they encrypt everything. It’s a serious problem, and ensuring that systems are up to date with the latest patches can limit the risk.”

10. Backup Your Data

No matter what you are doing, if it’s important, back it up. This is especially true in manufacturing, where data drives the process. Whether its customer and project information, employee records, or manufacturing process data, make sure that the data is securely backed up.

“There is a 3-2-1 backup rule that everyone should follow,” said Maxwell. “Have three copies of your data: a production copy, backup on site, and a backup in the cloud or on a different type of media, like an external hard drive. If things go bad, that’s how you can get back up and running. It’s also essential to test your backups and have a documented process.”

Associate Editor Lindsay Luminoso can be reached at lluminoso@fmamfg.org.

Moxa Americas Inc., www.moxa.com

Horn USA, www.hornusa.com