Cyber-Security for Job Shops
Small and medium-size machining job shops can take steps to protect computerized or networked assets such as CNC machines from cyber-attacks.
Managers of small and medium-size machining companies often wonder what precautions they can take to protect their computer networks from hackers and other online threats. Even with limited resources and capabilities, they should follow the following steps to create a workable cybersecurity plan:
Educate Your Workforce
A plethora of government resources are freely available and can provide a good overview of cybersecurity for manufacturing companies. A good document to start with is the National Institute of Standards and Technology (NIST) publication SP 800-82 Rev. 2 Guide to Industrial Control Systems. NIST provides other resources for shops through its Manufacturers Extension Partnership.
Another wealth of readily available information is provided by the Department of Homeland Security’s (DHS) Industrial Control System Cyber Emergency Response Team ICS-CERT program for addressing cybersecurity. DHS provides a series of online training resources that can be accessed at no charge through the ICS-CERT virtual training portal.
Assess Your Facility
Start by mapping your existing computer networks and their infrastructure in the shop. Use both the operations technology (OT) and information technology (IT) networks and their integration. Identify the components of the system and its different subcomponents. Once the map is completed, physically validate the “architecture” shown in the map. Include searches for wireless networks and access points that may not be on the map. Look for smart devices, virtual private networks (VPNs) and public access points that may be used for reporting, troubleshooting by supply-chain vendors and remote services (access and response). This search will help determine the boundaries of the system and the system resources (people, processes, and technology components) it involves.
Implement Security Measures
Once you have a clear picture of system components, review vendor documentation and support systems to evaluate their cybersecurity claims and capabilities. The best place to begin this process is with your newest acquisitions.
It’s best to use vendors that offer products that have been tested and validated for their security claims. UL’s Cybersecurity Assurance Program (CAP) and its certification process based on the UL 2900 series of standards verifies the vendors’ cybersecurity claims and provides assurance that their products meet industry standards. Other basic steps should also be implemented:
- Keep system architecture drawings, network diagrams, and system maps in a confidential location with secure and limited access.
- Remove any functionality, components, and connections not needed for system operations.
- Check the ICS-CERT portal for products in your system that have known weaknesses and vulnerabilities. Until you can patch them, check for ways to mitigate the weaknesses.
- Take steps to prevent any circumvention of access controls that you have defined in your system. Remove or disable any remote connections that are not necessary for safe operations.
- For any wireless technology that may have addressing and naming capabilities, change the names using a nonstandard naming convention that does not indicate the nature of the technology or its location. Document and secure your naming conventions in the same location as the architecture designs and network maps.
- If you are using remote access and gateways for daily operations, ensure that the vendor’s technology uses authentication and encryption schemes that are robust and capable.
- For user accounts and credentials for your system, remove any temporary or shared accounts and their passwords. If components have credentials and accounts that you cannot change to your facility’s specifications, contact the vendor and request alternatives, or seek solutions for your own site-specific accounts.
- Develop a strict policy for visitors and the digital technology they may bring, including any kind of computer or device such as USB sticks, laptops, or diagnostic tools. The parts of your system that require remote troubleshooting should be controlled by your site.
- Develop a policy for detecting and disabling malware as recommended in the ICS-CERT portal.
These preliminary steps will create a basic level of cybersecurity that can be strengthened over time. Audit these practices regularly to keep them current and effective. Revise your procurement guidelines to be sure new equipment such as CNC machines are in line with security practices. Use third-party services such as UL’s CAP to ascertain that a baseline of security is in place.
For more information about this program, the UL 2900 series of standards, or how to get your systems and components UL certified, visit ul.com/cybersecurity.
Written by: Ken Modeste, Leader, Cybersecurity Services, UL LLC, for Modern Machine Shop.