IT Security: Best Practices for Manufacturing Companies

Simply Having an IT Security Plan is Not Enough

Manufacturers of all sizes institute best practices across a broad spectrum of categories, covering people, places, products and processes. And information technology (IT) is typically inherent in each of these to one degree or another. In this series, we have explored many aspects of IT security. Now, our focus turns to best practices for manufacturers in this regard.

There are five functional areas that manufacturers should address for IT security best practices: Identification, Protection, Detection, Response and Recovery. Each of these primary areas includes a number of detailed objectives, and each objective is assigned a risk level of Low, Moderate, or High according to the manufacturer’s acceptable level of risk. Threat impact is defined as Low if there is a limited adverse effect on a manufacturer’s operations, products, assets, brand, reputation, the environment or the public. Potential effects are deemed Moderate if there are serious adverse effects on these same criteria. Finally, if severe or catastrophic adverse effects are expected, the risk level is ranked as High.

At C4CS, we recommend identifying IT security risks and evaluating each one by the likelihood that it will occur, weighed against the impact the event would have on the organization. A comprehensive list of threats can be referenced for this purpose in our previous article “IT Security Risks: Addressing the Scope and Variety of Threats.” Threats can then be plotted on a chart that reflects each manufacturer’s own perceived and defined risks and its corresponding risk tolerance.

The National Institute of Standards and Technology (NIST) also offers cybersecurity resources and best practices specifically geared to manufacturer needs, particularly given the interconnectedness of IT, control systems and critical business missions. NIST frames these around the following goals.

  • Maintain Human Safety – ensure that all team members understand the interdependencies between IT security and human physical safety in a manufacturing environment.
  • Maintain Environmental Safety – risks must be managed in order to prevent accidental or deliberate environmental harm given the interdependencies between systems and the environment.
  • Maintain Quality of Products, Services and Operations – protect the IT assets on which manufacturing procedures, product quality and the associated data depend, so that IT risks do not degrade them.
  • Maintain Production Goals – especially during this time of supply chain shortfalls, IT security must protect sustainable production output by reducing threats to it as far as possible.
  • Maintain Trade Secrets – intellectual property and sensitive business data are often the lifeblood of an organization. Ensure that trade secrets are protected from hackers and cyber criminals.

The human element and insider threats (whether innocent or otherwise) are often the doorway into an organization and the starting point for a compromise of IT assets. Leaders in manufacturing organizations must pay attention to what employees are doing with information technology. Ongoing training to recognize threats and avoid them is essential to maintaining a healthy IT environment. Additionally, involving employees in IT security plan exercises (e.g., tabletop discussions, drills) is an effective method of raising awareness and understanding.

Best practices should also include the following.

  • Ensure that the IT security plan is thorough, current and well tested for vulnerabilities in the interest of continuous improvement.
  • Include helpful and relevant tools in the plan to facilitate decision making and actions as quickly and effectively as possible.
  • Consider all possible causes and worst-case scenarios to comprehensively define the potential range of threats and their impacts.
  • Objectively gather facts to determine root causes, document the findings and maintain chain of custody for the affected IT assets.
  • Know that certain IT security issues may actually involve multiple types of events. For instance, a Trojan may have gained access via an innocent click on a phishing link.
  • Documentation is critical to the entire process. Actions and outcomes not only capture the response, but they also point the way to refining future preparedness.

Perhaps the most important best practice is to fully debrief once a threat has been successfully neutralized. All relevant team members must be part of a completely objective discussion for fact-finding purposes. An after-action report captures who, what, when, where, why and how the IT security breach occurred, as well as what was done to remediate it. The totality of this vital information should then be factored into refining the IT security plan and into identifying training and plan testing needs.

Just having an IT security plan is never enough. To be truly effective, it must be viewed and utilized as a living document that guides employee behaviors as well as protocols concerning IT assets.

In partnership with Catalyst Connection, Pittsburgh-based C4CS® provides customized crisis management and IT security consulting and training. Available group training and crisis leadership coaching includes virtual and in-person tabletop and other crisis exercise formats built around realistic scenarios such as industrial accidents, cybersecurity incidents, and employee and product crises, among other hypothetical situations. To learn more about how C4CS can assist your organization, email: