In the first part of this series, we laid out the importance of cybersecurity for critical infrastructure. Each year, as cyberattacks increase in both frequency and sophistication, the goals of cybersecurity become more difficult to achieve. However, the National Institute of Standards and Technology (NIST) cybersecurity framework was developed to improve cybersecurity risk management for critical infrastructure, and it can be used by organizations in any sector of the economy. Below, we’ll assess how to minimize these risks and improve your overall cybersecurity. Although it may be impossible to eliminate cyberattacks, with proper preparation and committed oversight the harm from these attacks can be greatly reduced.
HOW TO REDUCE CYBERATTACKS
Even minor mitigations with secure defenses can dramatically improve resiliency and accelerate the return to normal operations after a cyberattack. The appropriate level of security depends heavily on the criticality of the operations, information, or equipment to be protected, balanced against the cost of the measures taken to prevent access and acquisition. Small and medium enterprises should evaluate their overall production to understand, for each subsystem in both operational technology (OT) and information technology (IT), what depends on it and what would happen should it fail. This information can then drive security decisions, weighed against the cost of implementing each protective measure.
Furthermore, IT and OT systems must be secured separately. Often these systems are linked at various points within an organization’s infrastructure, so that business information can drive operational information and vice versa. While convenient, these connections must be carefully monitored so that a failure or compromise on one side does not spread to the other.
Small and medium enterprises should also evaluate points of failure in safety systems, especially when evaluating the security risks of heavy equipment. A breach of digital systems may be damaging in a financial or IP sense, but malicious control of manufacturing systems such as laser-based processing units, motion equipment, or chemical handling poses clear risks to operator health, potentially resulting in fatalities.
Small and medium enterprises should consider these common questions during evaluations, to decide how much risk they are willing to tolerate:
- Can you accept zero compromised systems? Why?
- Can you accept a few compromised systems? If so, which ones?
- How much can you spend to duplicate systems? Which are the top priorities?
- How long can you withstand reduced access to existing systems?
Additional methods to reduce cyberattacks include:
EMPLOYEE TRAINING
Use ongoing training and newsletters to reinforce your organization’s culture of cybersecurity. Topics should include:
- Creating strong passwords
- Multi-factor authentication
- Secure internet browsing
- Identifying phishing emails
- Protecting sensitive information
- Avoiding suspicious downloads
- What to do if a cybersecurity incident occurs
In addition to these training and newsletter topics, be sure to limit access to your company data; employees should only have access to the systems and specific information they need to perform their jobs. If an employee leaves your company, define a process to delete their passwords and accounts from all systems and collect company ID badges and entry keys.
SECURE ALL WIRELESS ACCESS POINTS AND NETWORKS
One tip is to change the administrative password on new devices and to password-protect access to the router. Set the wireless access point so that it does not broadcast its service set identifier (SSID), and set your router to use WiFi Protected Access 2 (WPA2) with the Advanced Encryption Standard (AES) for encryption. Also, avoid using WEP (Wired Equivalent Privacy).
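As an added illustration that is not part of the original article, here are the settings just described expressed as a hostapd access-point configuration, with the setup to avoid shown beside the recommended one. This assumes the access point runs hostapd on interface wlan0; the SSIDs, channel, and passphrase are constructed placeholders (hostapd does not accept trailing comments on a value line, so all comments are on their own lines).

```ini
# ---------- Configuration to avoid (constructed example, do not deploy) ----------
# WEP encryption with a broadcast SSID: WEP is broken and should not be used.
interface=wlan0
driver=nl80211
ssid=ExampleCorp-Old
hw_mode=g
channel=6
# SSID is broadcast
ignore_broadcast_ssid=0
# 104-bit WEP key (constructed placeholder); the cipher itself is the problem
wep_default_key=0
wep_key0=0123456789ABCDEF0123456789

# ---------- Recommended configuration (WPA2 with AES/CCMP, SSID not broadcast) ----------
interface=wlan0
driver=nl80211
ssid=ExampleCorp-Ops
hw_mode=g
channel=6
# Do not broadcast the SSID, as the text recommends. Note this only hides the
# network from casual discovery; the encryption settings below are what protect it.
ignore_broadcast_ssid=1
# wpa=2 selects WPA2 only (wpa=1 would be WPA, wpa=3 would allow both)
wpa=2
wpa_key_mgmt=WPA-PSK
# AES (CCMP) for WPA2 pairwise keys; never TKIP
rsn_pairwise=CCMP
# Pre-shared key: constructed placeholder, replace with a long random passphrase
wpa_passphrase=ReplaceWithALongRandomPassphrase
```

Only one of the two sections should be present in a real hostapd.conf; they are shown together here for comparison.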
If you provide wireless internet access to your customers or visitors, make sure it is separated from your business network. If you have employees working remotely, use a Virtual Private Network (VPN) to allow them to connect to your network securely from out of the office.
INSTALL, ACTIVATE, AND UPDATE FIREWALLS
Make sure all of your business computers are equipped with antivirus software and are updated regularly. Install and update firewall systems on every employee computer, smartphone, and networked device. Of equal importance, regularly update software associated with operating systems, web browsers, and other applications.
PROTECT SENSITIVE BUSINESS INFORMATION
Another key step is to prevent unauthorized individuals from accessing business computers. Regularly back up data on all of your computers. If possible, institute data backups to cloud storage on a weekly basis. Frequently audit the data and information your organization is housing in cloud storage repositories such as Dropbox, Google Drive, Box, and Microsoft services. For cloud storage drives, designate administrators to monitor user permissions and give employees access only to the information they need.
Additionally, use encryption to protect all your computers, tablets, and smartphones. Save a copy of your encryption password in a secure location, separate from your stored backups. When sending an encrypted document, never send the password in the same email. Call the person to give them the password. Work with your bank and card processor to ensure you are using the most trusted and validated tools and anti-fraud services.
DISPOSE OF OLD COMPUTERS AND MEDIA SAFELY
Before throwing away or donating old computers, make sure you delete all valuable hard drive information. Delete any sensitive business or personal data on old CDs, flash drives, or other old media. Then destroy these items or take them to a company that will shred them. Destroy sensitive paper information with a shredder.
CONCLUSION
Organizations new to the problem of protecting information assets will find this paper useful for internal discussions about a growing problem that could have serious impacts. Cybersecurity is especially important for firms that have government contracts. There are a variety of countermeasures that a firm can take, depending on their risk management program as well as their budget for implementation. All firms must be aware of the risks and evaluate their own situations.
CYBERSECURITY RESOURCE: CMMC
The Cybersecurity Maturity Model Certification (CMMC) program is designed to safeguard sensitive national security information from frequent and increasingly complex cyberattacks. CMMC 2.0 simplifies compliance by allowing self-assessment for some requirements, applies priorities for protecting DOD information, and reinforces cooperation between the DOD and industry in addressing evolving cyber threats.
CYBERSECURITY RESOURCE: CRR
The Cyber Resilience Review (CRR) is a no-cost, voluntary, non-technical assessment to evaluate an organization’s operational resilience and cybersecurity practices. The CRR may be conducted as a self-assessment or as an on-site assessment facilitated by DHS cybersecurity professionals.
CYBERSECURITY RESOURCE: ISO
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publish the world’s best-known standards for information security management systems (ISMS) and their requirements.
The National Center for Manufacturing Sciences (NCMS) has been working with our partners for several years to develop appropriate and cost-effective methods to protect information assets. Obtaining the appropriate level of Cybersecurity Maturity Model Certification (CMMC) is increasingly required for government contractors. For more information, visit www.ncms.org.