Enterprise security tips for manufacturers Part 2

In Part 1, we covered three key areas of enterprise security that have the greatest risk potential — the diverse IT environment, the threat landscape, and human error. There are some specific threat areas that manufacturers need to manage. They also need to know how to protect their ERP systems which are critical for a business to run effectively.

Threats in the manufacturing environment

The adoption of smart manufacturing, while being critical for many companies who want to stay competitive, also brings with it some security problems. IoT devices on the factory floor need to be protected; some manufacturers are also installing sensors on products used in a customer’s environment, which can create their own security challenges.

Additional measures that can be taken together with multi-factor authentication, is to subdivide the production network into secure compartments using VLAN (virtual local area networks). A VLAN is a network that groups together a subset of devices that share a physical LAN. It segregates the traffic for each group and provides an additional line of defence. Some manufacturers have gone even further to protect internal production systems. They do not allow any connections to other networks in the business or the Internet, and they operate as a standalone network.

For sensor data that is generated outside the company firewall, ensure that the latest encryption methods are used so that data cannot be intercepted. Sensor data is often transmitted via a public cloud which cannot be ring-fenced behind the company firewall. In this case, using VPN-type secure point-to-point connections will secure the data from being public-facing.

Wherever the sensor data is coming from, it must first be collected in a secure data store. It should then be evaluated and checked for possible risks before transforming it into the business operating environment.

Supply chain threats

When manufacturers create portals for suppliers and partners to access, the first step should be to do a thorough check of those companies’ security practices. Hackers can access the company network via a supplier and then cause disruptions, for example, by adding additional purchase requests or cancelling orders. If the supplier portal has not been set up correctly, the legitimacy of supplier quotes can be compromised.

Companies that are still using EDI to get quotes and invoices from partners need to be aware that EDI data can be intercepted in flight. To make sure that EDI data is secure, a secure point-to-point connection should be implemented.

Role of ERP

An ERP system can offer a company great benefits if it is properly protected. Several steps need to be taken to do this.

1. Centralize access control. Access should be managed from a single place. Access management should use role-based access to make access authority for different staff and departments easier to manage. It also reduces the risk of anomalies between similar user profiles and assists with the right level of segregation.
2. Use data encryption efficiently. This adds another layer of secured access. Encryption uses a cryptographic key that both the sender and recipient agree on. The decryption key must be protected against unauthorized access. The sender can be a person typing something, or an application sending data. Encryption scrambles the data so if it is intercepted in transit it cannot be decoded. Using encryption on the ERP database makes the data unreadable to anyone who does not have the encryption key.
3. Understanding where the ERP system stores its data is also important. The data is typically stored in various places within an ERP, and it is therefore necessary to map it to know how to protect it. By doing this, companies can map how data flows in their system and also identify the interfaces involved.
4. Implementing audit trails within the ERP makes it easier to track and investigate incidents that occur, identify potential breaches, allow for root cause analysis, and then mitigate that issue by putting mechanisms in for the future. For security auditing, real-time monitoring is critical, rather than reporting after the fact,
5. Restrict access to the system through a company VPN connection for ERP systems that are internet-facing. The number of people accessing crucial data points also needs to be limited, to eliminate unnecessary access by employees.
6. Secure third-party integrations. ERP systems are frequently integrated with third-party applications. It is essential to ensure these integrations are secure. Mapping of the integration interfaces and APIs routinely will ensure that customization of the system does not compromise security.

Enterprise security for manufacturers

Manufacturers need to take every reasonable step to protect their operations. Many of the steps are not costly but do require a deliberate, thorough, and consistent effort. The main aim of enterprise security is to protect company data and systems, ensuring its integrity, and how data is processed and examined. Increasingly this has to be done in accordance with regulations around data protection and privacy. Having company data compromised can not only have reputational repercussions but can now lead to serious and costly legal ramifications.