Much of the focus on cybersecurity has discussed what manufacturers can do to better protect themselves, but OEMs and other suppliers to the manufacturing industry are also targets for cyberattack: They are a repository of valuable data, they have significant IT and OT operations, and they often lack the internal resources needed to adequately address cybersecurity.
Like brand manufacturers, OEMs need to thoroughly assess their cybersecurity vulnerabilities, properly segment networks and manage their access, create and test recovery plans, and properly train personnel. But, since OEMs also serve manufacturing clients who are themselves vulnerable to cyberattack, there are a few extra considerations to be aware of.
According to “2021 Cybersecurity: Assess Your Risk,” a new report from PMMI Business Intelligence, OEMs should consider partnering with a third-party cybersecurity firm to ensure safeguards are adequate and employees are properly informed. Since one of the biggest concerns for OEMs is shielding their client data and client lists from outside observers, a third-party expert can help OEMs avoid being compromised and can quickly implement damage-mitigating measures should a data breach occur, demonstrating to their clients that they take the integrity of their data seriously.
With the securing and segmenting of networks, OEMs have additional responsibility due to their external connections, which could potentially be used as a bridge to reach other targets within the client networks.
Brand manufacturers interviewed list what they need from suppliers to better safeguard both software systems and hardware equipment:
• Risk assessment of supplier operations
• Implementing dual authentication for equipment log-in
• Means to isolate equipment for data/registration codes and inputs/outputs
• Assured security for remote connectivity
• Backup and recovery systems
• Protected updates for hardware and software
To better serve their customers as partners in cybersecurity, OEMs should keep cybersecurity top of mind in their business, carefully monitor their own products in the market to ensure their ongoing security, and strictly regulate the devices they use for external work. Cybersecurity should also be included in the earliest phases of equipment design, with consideration given to how the equipment will be connected to a network, what components will be connected to the machine itself, and how those components can be made more secure, as well as how new equipment will be integrated into operations, and whether or not remote service will be utilized in the future.
Secure Chain of Custody
OEMs that make components or equipment that are modified by other third-party OEMs or suppliers also have a unique set of cybersecurity considerations to manage, because while they can do their best to ensure their products are secure and all cybersecurity precautions have been taken, they have little control over what happens to their products once they are sold. In some cases, OEMs make products that are frequently modified by other third parties and then resold or utilized in other equipment, potentially losing control over the quality of the newly modified product. An OEM’s product might be modified in a way that makes built-in security features less effective, it could be loaded with compromised software, or it could simply be out of date on patches, all of which could fatally compromise the security of the product.
Therefore, OEMs should seek to establish a clear chain of custody of their products, and work closely with distributors, other OEMs, and component suppliers, to monitor their products in the supply chain and determine if they are being modified and kept up to date.
OEMs should also immediately inform all of their partners of any vulnerabilities that have been identified in their products to ensure the vulnerabilities are not exacerbated by third-party actions. This goes for updates and patches too.
Secure Devices
OEMs must also consider all of the devices and technology components that their employees utilize when onsite at a client’s location. Like a connected internal network, OEM employee devices used onsite can potentially serve as a bridge to infiltrate the larger network. This applies for technology that has no external connection capability – even “dumb” devices like a USB stick can have malicious programs hidden on them that can be uploaded when they are plugged in. If the infection goes unnoticed for a period of time, OEMs could accidentally infect a large number of their clients before the mistake is caught.
OEMs should enforce rules such as banning personal devices, regularly updating devices, installing robust security programs, cleaning out and eliminating unnecessary programs/data on devices regularly, and routine cleaning of “dumb” data repositories such as USB sticks. Employees also need to be thoroughly trained on best practices for devices, such as not using work devices for anything other than work (especially on the internet) and limiting direct connections into clients’ networks during a visit or project as much as possible.
Download this FREE report below.
Source: PMMI Business Intelligence, “2021 Cybersecurity: Assess Your Risk”
