The digitization of the production process is no longer the near future; it is the reality for any modern enterprise. Cybersecurity has become an integral part of the manufacturing industry. Using contemporary IT solutions is a must to gain a competitive advantage. However, industry leadership is often accompanied by increased cybercriminal activity.
“Manufacturing is rapidly entering the 4th industrial revolution where the old, complex and formerly closed environments, solutions and systems meet new, connected and more open ones. This offers immense possibilities for the manufacturing industry, and every manufacturing company should harvest the benefits of these innovative solutions to power performance and make their business more successful.”
Predicting the future of Cyber Security in Finnish Manufacturing
Cyber Secure Manufacturing in 2021
As a complex mechanism, any production environment places high demands on information security solutions. Often no two solutions are alike, even within a single industry. Each new Indeed Identity client asks for the solution to be customized to specific tasks to get a particular result.
The EEF’s 2018 Cybersecurity Report found that while 91% of manufacturers are investing in digital technology, 35% said they are inhibited from fully investing due to cybersecurity concerns.
Today’s manufacturing is increasingly called the Smart Factory, a model that links it with all known cyber attacks. Cybercriminals’ main goals are:
- Steal data – with client details stored on CRM systems, hackers might look to take this information and hold it to ransom.
- Disrupt access systems or operational systems – hackers can take control of manufacturing processes to interfere with production or even tamper with the products.
- Gain intelligence for a competitive advantage – industrial espionage sees hackers steal intellectual property or information for the advantage of competitors.
Thus, it is obvious that cybercriminals’ main goal is access to information or to a technological and production process.
Using RFID cards to access information systems
To avoid unauthorized access to CRM and ERP systems, the Indeed Identity team suggests using the full range of 2FA capabilities. For example, Domodedovo International Airport chose Indeed AM to access corporate resources. In most modern enterprises, employees use proximity cards (passes) to gain physical access to the business centre, office, plant territory, etc. Such cards are often used as identity cards: they have the employee's photo, name and position printed on them. Using such cards is a common practice today, so it is consistent to extend this practice to logical access to the company's information systems.
Supported proximity card formats:
- EM Marin
- HID Prox
- HID iClass
The Indeed AM Windows Logon can operate in one-factor authentication mode, where placing the card on the reader is sufficient to authenticate. It also supports two-factor authentication mode, where the user must place the card on the reader and enter the PIN code. The proximity card can be combined with other authentication factors upon request, e.g., with a fingerprint.
Access to enterprise target applications and databases can be provided by installing special kiosks. This keeps the time spent on access to a minimum.
Fully control and track usage of privileged accounts
Another task was to control the actions of information system administrators. To do so, the companies deployed a privileged access management solution based on the Indeed Privileged Access Manager product. The solution allowed switching from the explicit use of administrative passwords to gaining access through a single control system. Administrative staff no longer know privileged credentials and cannot compromise them. All administrative sessions are recorded in video and text format, which makes it possible to conduct investigations in case of any violations.
Controlling the use of smart cards and digital certificates in ERP, MES and PLM systems
Many companies make it a common practice to use digital certificates and smart cards. The certificates can be issued either by the company’s own certification authorities or by external organizations.
Connected industrial IoT devices interact with physical environments that introduce new forms of risk. Safety, security, privacy, data integrity and reliability are top concerns. Public Key Infrastructure (PKI) provides mutual authentication, data encryption and system integrity for Industrial IoT, creating a foundation for systems, devices, applications and users to interact safely. That is why efficient management of certificates in industrial IoT is a special task for the Smart Factory.
Managing a distributed population of smart cards becomes a complex task that has to be solved by special systems. The Indeed Certificate Manager offers a centralized and effective solution for the task.
A special client agent is implemented in Indeed CM to control the usage of smart cards, tokens and certificates. The agent is installed on the user's PC. It allows a number of operations to be performed remotely:
- To send smart card data to the Indeed CM server: which PC the token is connected to and who exactly is working on that PC
- To block the Windows session or the smart card if usage rules are violated. E.g., a smart card can be assigned to a user account or PC. If the current user or PC does not match the one the card is assigned to, the agent might lock the smart card.
- To change the PIN code upon administrator request
- To lock a smart card at the administrator's request
- To update certificates on the smart cards
- To delete data from the smart cards
Thus, the agent allows administrators to audit smart card and token usage, as well as to perform operations with smart cards remotely on the user's PC. The agent can also prevent unauthorised use of the media.
In addition to the agent, Indeed CM can track the user account status in Active Directory and suspend the certificates of users with deactivated accounts. This allows suspending the certificate for the duration of employee leave or in case of dismissal.
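The two rules described above (a card assigned to a user account or PC, and certificates suspended while the Active Directory account is deactivated) can be sketched as follows. This is an added example, not Indeed CM code: the record layout, state names and sample data are constructed assumptions, and only the `userAccountControl` disabled bit (0x2) is a real Active Directory value.

```python
from dataclasses import dataclass
from typing import Optional

UAC_ACCOUNTDISABLE = 0x0002  # Active Directory userAccountControl "disabled" bit


@dataclass(frozen=True)
class Card:                      # hypothetical inventory record
    serial: str
    user: str                    # account the card is assigned to
    pc: Optional[str]            # optional workstation binding
    cert_state: str              # "active", "suspended_by_sync", "suspended_by_admin"


def check_usage(card, seen_user, seen_pc):
    """Agent-side rule: 'lock' when the reported user or PC breaks the assignment."""
    if seen_user.lower() != card.user.lower():
        return "lock"
    if card.pc is not None and seen_pc.lower() != card.pc.lower():
        return "lock"
    return "allow"


def reconcile(cards, directory):
    """Server-side rule: map each card serial to 'suspend', 'reinstate' or 'none'."""
    actions = {}
    for card in cards:
        uac = directory.get(card.user.lower())
        # An account missing from the directory is treated like a disabled one.
        disabled = uac is None or bool(uac & UAC_ACCOUNTDISABLE)
        if disabled and card.cert_state == "active":
            actions[card.serial] = "suspend"
        elif not disabled and card.cert_state == "suspended_by_sync":
            # Holds placed manually by an administrator are never lifted here.
            actions[card.serial] = "reinstate"
        else:
            actions[card.serial] = "none"
    return actions


# Constructed sample data: 0x200 is a normal account, 0x202 the same account disabled.
CARDS = [
    Card("SC-0001", "a.ivanova", "HMI-07", "active"),
    Card("SC-0002", "p.smith", None, "active"),
    Card("SC-0003", "j.doe", None, "suspended_by_sync"),
    Card("SC-0004", "m.lee", None, "suspended_by_admin"),
    Card("SC-0005", "ghost", None, "active"),
]
DIRECTORY = {"a.ivanova": 0x200, "p.smith": 0x202, "j.doe": 0x200, "m.lee": 0x200}

if __name__ == "__main__":
    print(reconcile(CARDS, DIRECTORY))
    print(check_usage(CARDS[0], "a.ivanova", "HMI-09"))
```

Keeping the reason for a suspension separate lets a returning employee's certificate be reinstated without undoing a lock that an administrator placed for another reason.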
As a result of the Indeed AM deployment, employees of several enterprises were able to access company information resources without leaving the industrial site. Employees used the kiosk as a single, common access point and did not get distracted from work. It became a simple and, at the same time, highly protected solution.
Indeed Privileged Access Manager made it possible to switch to an access model that does not use administrative passwords explicitly. It significantly reduced the attack surface in this segment and increased the transparency and security of privileged access.
Deployment of a lifecycle management system for electronic signatures and certificates has protected vital manufacturing processes from illegal breaches. It also simplified the investigation of incidents involving misuse of target applications directly related to production, which increased the cost of an attack.