BRAMPTON, Ont. — Few Canadian manufacturers make every part of their products. Instead, they rely on a large number of suppliers. But criminals and nation states also see those third-party suppliers as a big opportunity to slip into the computer systems of manufacturers, and from there get into the bigger companies manufacturers sell to.
That was one of the big messages from a panel at a cyber conference for the manufacturing sector hosted here by the Canadian Cyber Security Centre, the federal government’s central authority for advising businesses, and Ryerson University, which is about to open a cyber innovation hub in this city just west of Toronto.
Adversaries “have got tools such as Google and LinkedIn, and they’re going to find out who’s your transport company, what’s your property company, where do you buy your toilet paper — and that’s who they go after, because they’re easier targets” than manufacturing parties themselves, warned Simon Conant, principal researcher at Palo Alto Networks’ Unit 42 threat research team.
So it’s important that manufacturers know how many third parties have access to their IT systems, he said, and whether there are security controls to limit access. Some third parties access IT systems for maintenance, for example. But, Conant said, “it’s not okay anymore to say [to a supplier], ‘Here are the keys to the kingdom, you can do anything you want.’ We need to limit that access.
“You need to go back to your office at this and say ‘Who has access and how do we eliminate it?’” he told conference attendees.
Conant was on a panel discussing the wide range of cyber threats Canadian manufacturers face.
One way to reduce third-party risk is by having a basic third-party risk management program, said Ira Goldstein, senior vice-president of field operations and corporate development at the consulting firm the Herjavec Group. Formal programs can be extensive, involving complex tools. But, he added, a basic assessment of a supplier can be assembled by having it answer security maturity questions often found online.
(For example, see the Cloud Security Alliance’s Consensus Assessments Initiative Questionnaire v3.0.1 for cloud service providers; a questionnaire from the Vendor Security Alliance; a questionnaire from NIST; use third-party risk tools from an organization called Shared Assessment; or put one together from the Center for Internet Security’s top 20 security controls.)
Establishing a third-party risk management program at least allows a company to have a list of suppliers, Goldstein said. With more detail, a company can rank suppliers by risk (who has remote access, which supplies critical components, how good is their cyber security) and then incorporate that into the firm’s overall cyber risk strategy.
On one earlier panel someone wondered whether a manufacturer has clout with its suppliers, Goldstein said. Here’s a way to find out: Will the supplier identify who on its staff has accessed your IT system in the past month, and do they have individual login credentials or shared?
Above all, Goldstein said, any firm needs to create an overall cyber risk management strategy. Start by identifying IT and data assets and then assess the company’s cyber risks using a framework. (Several are available from NIST and the Center for Internet Security. One that might suit manufacturers is from the Industrial Internet Consortium. The Canadian Centre for Cyber Security just issued one for SMBs.)
After that, create an incident response plan. Finally, do regular tabletop exercises to practice the plan.
Buy secure products
Adam Schieman, BlackBerry’s director of security solutions, argued that to increase their security manufacturers can make sure they buy secure IT products and services.
Wendy Young, director of operations for technology, data and security at NGen, Canada’s advanced manufacturing supercluster, said small firms should start with teaching employees cyber security awareness. This should include all staff, including those on the shop floor, she said.
When creating a team to determine the firm’s risk management, make sure there’s broad representation as well as IT staff, she added.
“You are never going to protect everything,” she said. A key to meeting cyber threats is having a response plan. “If you have that plan in place you can continue the business when something hits.”
“Information Security technology is a tool — the ability to detect, prevent — and you need proper policies on top of that,” warned Conant. “There is a limit to what technology can do … at the end of the day you need the proper business processes” as well as technology.