Why you need third-party risk management in manufacturing

Manufacturing is changing. As we enter the fourth industrial revolution, factories are becoming globalized, digitized, and relying more and more on the internet of things to produce goods and services. As this transformation continues and once localized entities become smart factories, they are connecting to more third parties. And inviting in more third-party risk.

How manufacturing is evolving

This change in how manufacturing works is neither sudden nor entirely new, but it is a massive shift and involves three major components:

  • Globalization. No factory exists on its own anymore. They are connecting to other factories around the globe, making products that ship across the world, and are increasingly working in tandem with others.
  • Smart factories. Smart factories are manufacturing organizations that utilize modern technologies and are often self-adapting, automated, and hyper-flexible. This means the organization is relying on a variety of third parties (like software companies) and using more digital tools.
  • High-value assets. The supply chain crisis of the past year shows how much the world needs fast, smooth, and reliable manufacturing. Manufacturers' assets, from access points to data to the actual products they are making, have risen in value, which, unfortunately, makes them a target for cyberattacks.

The third-party risks manufacturing organizations face

The three components above all have one commonality: third parties. As factories become more connected and more advanced, they are inevitably connected to more third parties. However, third-party access continues to be the highest-risk access point for any organization — 57% of manufacturers suffered a third-party related breach in the past year. Just the sheer volume of external players operating on an enterprise’s internal systems should give any company pause. A study by Edge Research showed that the average-sized entity had 67 vendors, and each of those vendors has multiple individuals that access an enterprise’s network. For larger companies, this could easily escalate into the hundreds or thousands of individuals who are not employees operating on internal networks and sensitive systems. Each one of these represents a target for a hacker and a vector straight into the heart of your manufacturing operations.

Whether it’s cyberterrorism, cyber extortion, or just plain IP theft, there are a lot of cybersecurity risks for the manufacturing sector. State actors are looking for intellectual property or to cause disruptions in operations. Financially motivated hackers are targeting manufacturing lines with ransomware and other malware because they know that such companies cannot afford the downtime of critical systems that affect production.

If a hacker can get into a manufacturing company’s network via an insecure remote access line, they often find a treasure trove of exploitable systems. Older ICS and SCADA systems often run on archaic hardware and aging software platforms. Even modern systems, such as IoT and IIoT, are not patched often, if at all. Embedded non-standard operating systems and the critical 24/7 nature of a manufacturing line make it hard to upgrade and patch such systems. Default passwords are common, paired with minimally secured web interfaces to make maintenance easy for nontechnical line workers, which is music to a hacker’s ear since they know that they have many vulnerable targets to choose from.

While compliance in the manufacturing industry varies by location, specific production types, and even the corporation's requirements, it shouldn't be ignored. Not managing third parties means an organization runs the risk of not meeting compliance. Compliance standards are put in place to keep an organization and its customers safe, to make sure every product is safe, and to make sure everything is running smoothly. As is known from the healthcare industry, not meeting compliance could be costly, both in terms of financial and reputational loss.

Third-party risk management best practices

Managing and controlling third parties isn’t as simple as it is for internal users, where an organization may just employ role-based access. The needs are complicated, the users are often obscured, and the access they need can fluctuate. But when it comes to understanding how to mitigate third-party manufacturing risks, four components are crucial.

Understand all your critical access points

Do you know all the ways into your network? Is there wireless guest access? Are there uncatalogued VPNs coming to vendor devices? Once you have identified all of your possible perimeter access points, review the firewall rules and access control lists on these devices to make sure they do not have dormant rulesets or unnecessary ports open. And on your internal networks, are you fully aware of all the devices on them? Ping scans and other discovery software can help you map out ALL the devices connected and root out any “rogue” IT infrastructure.

Gain visibility into all vendors and third parties

Before you can implement third-party risk management for vendors and third parties, you have to know who is accessing what in your systems. 44% of organizations experienced a third-party data breach last year as a result of having too much privileged access. Interviews with managers and staff, A/P reports from the general ledger, and network monitoring software can help give you a full picture of all the manufacturing vendors accessing your systems. This is not a one-and-done proposition. Updating your vendor inventory needs to happen on a regular basis, at least once per year and perhaps more often if your vendor count is large.

Minimize access through fine-grained access controls

Don’t give broad-spectrum VPN access to a vendor who only needs to access a few machines; that is just a recipe for trouble. Even if the rep isn’t a bad actor, they can make mistakes. And if their account is compromised, it can be used to scan the network for vulnerable devices. Instead, use Privileged Access Management (PAM) or Vendor Privileged Access Management (VPAM) solutions to vault away administrator credentials and obfuscate them from direct use by vendors. This can prevent a credential from being stolen in the first place. And be sure to follow Zero Trust Network Access, trusting no one (especially third parties), and giving them only the rights and access to the resources they need to do their job. For example, if a support rep for a vendor only needs to access a web interface on their device, make sure you write rules such that those are the only ports and IPs they can access.

Monitor and audit your third parties

Keep detailed logs on third-party access, even more so than for internal staff. The more granular you can get, the better. Go beyond just username and access times. You will want to know the context around every access session as well as what they did while in the system. Use technology such as VPAM that can keep keystroke logs or video captures of sessions so you know exactly what they were up to in those sessions. Keeping detailed logs is great, but if no one looks at them, they won’t do you much good. Make sure there is a regular review schedule so that you can catch problems before they become incidents. Third-party risk management is not only possible for manufacturing organizations, it’s critical.
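The three practices above (reviewing access rules for dormant entries, scoping each vendor to only the hosts and ports it needs, and regularly reviewing access logs) can be combined into one small review job. The script below is an added example written for this article, not code from the article's author or from any VPAM product. The vendor names, network ranges, ports, maintenance windows and log lines are all constructed for illustration, and the key=value log format is assumed rather than taken from any real tool.

```python
"""Vendor access review: least-privilege rules checked against session logs.

Added example (not from the original article). Vendor names, IPs, ports and
log lines below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VendorRule:
    """Least-privilege scope for one vendor account (hypothetical rule model)."""
    allowed_nets: tuple          # CIDR strings the vendor may reach
    allowed_ports: frozenset     # TCP/UDP ports the vendor may reach
    window: tuple                # (start_hour, end_hour) in UTC, start inclusive


# Constructed rules: scope each vendor to the hosts and ports its job needs.
RULES = {
    "hvac-co": VendorRule(("10.10.5.0/24",), frozenset({443}), (8, 18)),
    "plc-support": VendorRule(("10.20.0.0/24",), frozenset({502, 443}), (7, 19)),
    "label-printer-vendor": VendorRule(("10.30.0.0/24",), frozenset({9100}), (8, 18)),
}

# Constructed session log in a key=value format (not a real product's format).
SAMPLE_LOG = """\
2024-03-04T09:12:00Z vendor=hvac-co user=jdoe src=203.0.113.10 dst=10.10.5.21 port=443 action=connect
2024-03-04T09:15:30Z vendor=hvac-co user=jdoe src=203.0.113.10 dst=10.10.5.21 port=22 action=connect
2024-03-05T02:40:11Z vendor=plc-support user=mlee src=198.51.100.7 dst=10.20.0.15 port=502 action=connect
2024-03-05T10:02:45Z vendor=plc-support user=mlee src=198.51.100.7 dst=10.10.5.21 port=502 action=connect
2024-03-06T11:20:00Z vendor=temp-integrator user=contractor1 src=192.0.2.44 dst=10.20.0.15 port=443 action=connect
2024-03-06T14:05:00Z vendor=hvac-co user=jdoe src=203.0.113.10 dst=10.10.5.22 port=443 action=connect
"""


def parse_line(line):
    """Parse one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["port"] = int(rec["port"])
    return rec


def check_record(rec, rules):
    """Return the list of policy violations for one session record."""
    rule = rules.get(rec["vendor"])
    if rule is None:
        return ["unknown-vendor"]   # nobody inventoried this account
    problems = []
    dst = ip_address(rec["dst"])
    if not any(dst in ip_network(n) for n in rule.allowed_nets):
        problems.append("dst-outside-scope")
    if rec["port"] not in rule.allowed_ports:
        problems.append("port-outside-scope")
    start, end = rule.window
    if not start <= rec["ts"].hour < end:
        problems.append("outside-window")
    return problems


def review(log_text, rules):
    """Run the policy over a log; also list rules for vendors never seen.

    A rule that produced no sessions in the review period is a candidate
    for removal (the 'dormant ruleset' the article warns about).
    """
    findings = []
    seen = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        seen.add(rec["vendor"])
        for reason in check_record(rec, rules):
            findings.append((reason, rec["vendor"], rec["user"], rec["dst"], rec["port"]))
    dormant = sorted(v for v in rules if v not in seen)
    return {"findings": findings, "dormant_rules": dormant}


if __name__ == "__main__":
    result = review(SAMPLE_LOG, RULES)
    for finding in result["findings"]:
        print("FINDING", *finding)
    print("dormant rules (review for removal):", result["dormant_rules"])
```

Run against the constructed log, the review flags an SSH connection from a vendor scoped to HTTPS only, a PLC session at 02:40 outside its maintenance window, a PLC vendor reaching into the HVAC subnet, and an account that was never inventoried at all, while reporting the label-printer rule as dormant because nobody used it during the period. In practice the rules would come from the vendor inventory described above and the log from the VPAM or remote-access gateway, and the job would run on the same schedule as the log review.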