Understanding Risk Assessment in the Manufacturing IndustryPublished February 12, 2019 by Karen Walsh • 4 min read
Supervisory Control Data Acquisition Systems (SCADA) communicate with industrial control systems (ICS) to provide manufacturers monitoring and analysis in real-time. However, the SCADA systems, established initially in the 1960s, cannot keep pace with the speed at which cybercriminals evolve their threat methodologies. Understanding risk assessment in the manufacturing industry means recognizing the concerns specific to these technologies.
Risk Assessment in Manufacturing Industry
What is SCADA?
SCADA networks are a combination of hardware and software that control and monitor industrial processes. They allow manufacturers to interact with devices, log data, and control remote and local processes.
What does risk assessment mean for SCADA systems?
SCADA risk management follows the same steps as other risk assessments. The manufacturing industry must focus on asset cataloging, risk identification, risk analysis, risk mitigation, risk tolerance decision-making, and continuous monitoring.
However, since manufacturing compliance relates to industry-specific systems, these activities must have a different focus.
What are the differences between SCADA and traditional IT security risk?
While traditional IT risk can lead to financial loss arising from business disruption, SCADA risks can lead to not only production loss but, more importantly, loss of life. Since SCADA systems control critical infrastructure, cybercriminals increasingly target them more than they do standard business systems.
Because of their importance, SCADA outages are unacceptable and require quality assurance testing rather than in-field beta testing. Moreover, the proprietary operating systems and software used to mean that manufacturers cannot engage in traditional, straightforward upgrades. Finally, SCADA, as a specialized system, comes with a longer lifespan which makes security updates even more critical.
11 Steps to Analyzing Risks in the Manufacturing Industry
Understanding the risks that raw materials pose is straightforward. Manufacturers can review the environmental impact of a chemical compound through their testing. However, due diligence when looking at SCADA cybersecurity incorporates the upstream and downstream supply chain risk. As such, it becomes more difficult to secure the systems because they are often outdated as well as prime cybercrime targets.
Identify All SCADA Connections
The risk analysis for the manufacturing industry starts by reviewing the risk and necessity of each SCADA network connection. These include:
- Internal local area and wide area networks
- Public internet
- Wireless network devices, including satellites
- Modem connection
- Supply chain connections such as business partners, vendors, or regulatory agencies
Isolate the SCADA Network
Any network connections to the SCADA network create risk. Thus, data transfers must be secured by limiting access to business networks such as using “demilitarized zones” (DMZs) or data warehousing. As part of this, manufacturers should review configurations to ensure proper protections.
Manage Remaining Vulnerabilities
After isolating the SCADA network as much as possible, risks remain. Thus, manufacturers need to conduct penetration testing and engage in continuous vulnerability management. Firewall implementation, intrusion detection systems (IDSs), and other endpoint control measures should be reviewed rigorously to maintain strategic security.
Harden SCADA Networks
Removing or disabling unnecessary services is another line of defense. Since SCADA control servers rely on commercial or open-source operating systems, they can be accessed by cybercriminals who exploit vulnerabilities in those systems. Thus, no service or feature should be enabled on the network without a thorough risk assessment.
When incorporating third-party vendors to manage communications between the field devices and servers, manufacturers need to configure these products. Relying on vendor-supplied default configurations creates an information security risk. Moreover, part of due diligence when engaging with vendors is ensuring that they disclose all weaknesses that can lead to a cyber event.
Implement Device and System Security Features
Newer SCADA systems may incorporate security features, but for ease of installation, the vendor often disables them. Older SCADA systems have no built-in security. Thus, manufacturers need to review devices for existing security features and request additional security patches if necessary.
Create Strong Authentication Protocols
Securing vendor connections requires disabling inbound access to modems, wireless, and wired networks used for communication and maintenance.
Network monitoring, system logging, and daily log audits enable better security. Manufacturers need to incorporate continuous intrusion monitoring and incident response protocols for their SCADA networks as a primary cybersecurity feature.
Perform Technical Audits
Manufacturers need to incorporate security tools that enable system administrators to effectively identify active services, patch level, and common vulnerability. By prioritizing alerts, companies can strategically work towards better security that secures these exploitable vulnerabilities.
Secure Physical Access
Cybercriminals not only seek entrance through networks and communications but also through physical access. Manufacturers should engage in a physical security survey in conjunction that focuses on SCADA connection access. Additionally, manufacturers need to focus on physical connections such as cables that can be tapped, exploitable radio or microwave links, computer terminals, or local area wireless network access points.
Establish “Red Teams”
Red teams are white-hat hackers hired by an organization to test the current defenses. They also create attack scenarios that can highlight weaknesses in networks, SCADA systems, physical systems, and security controls. Thus, to protect the SCADA environment from external intrusion or internal malicious activities, manufacturers need to incorporate this information as part of their risk management process.
How ZenGRC Enables Manufacturing Compliance
Analyzing the risks and documenting the risk mitigation strategies for manufacturers requires time-consuming manual data input. From internal communications to external vendor monitoring, the information security risk in the manufacturing industry can become overwhelming.
Maintaining an effective SCADA risk management program requires an efficient workflow tool to coordinate communication and task management across internal and external stakeholders.
ZenGRC enables manufacturers to prioritize tasks, from alerts to vendor reviews, so that everyone knows what to do and when to do it. This eases the burden of records retention and audit preparation.
With our workflow tagging, a manufacturing cybersecurity professional can assign roles and tasks to the individuals who are responsible for the activities involved in cyber risk management.
Finally, with our audit trail capabilities, companies can document corrective actions and response activities to prove that they maintained SCADA security by continuously monitoring the myriad of threat vectors.
For more information about how ZenGRC can streamline your GRC process, contact us for a demo today.