The role ISO 27001 plays in IT security for manufacturing companies

What management challenges do companies face in IT security?

First and foremost, companies need to create and maintain, now and going forward, a level of IT security that is appropriate for their individual needs. This is not an easy task. Everyone will need to pitch in, and it will also entail organisational adjustments. New processes will emerge, responsibilities will change, new resources will be added. Small and medium-sized enterprises (SMEs) in manufacturing have an especially difficult time managing resource-intensive challenges like these on their own.

What risks threaten the IT security of manufacturing companies?

Today, Industry 4.0 and international networking are the name of the game. Against this backdrop, there is a whole range of factors that threaten the IT security of companies in the manufacturing sector:

• Insufficient knowledge among staff:
  Employees in charge of controlling and monitoring machinery can weaken IT security if they do not have enough training. They might, for example, treat their access data carelessly.
• Insecure network and communication protocols:
  Industry 4.0 systems must be networked and integrated into the company-wide IT infrastructure. When networks lack security or use insecure communication protocols, this makes attacks from outside more likely. 
• Inadequate safeguards against malware and ransomware:
  Industry 4.0 systems that have fallen prey to malware or ransomware attacks can impair production processes, resulting in significant financial losses for your company. Companies need to set up safeguards, such as firewalls, antivirus programmes and regular updates.
• Lack of security measures:
  Manufacturing machinery must be adequately protected against unauthorised access or manipulation. Passwords and biometric systems are good ways of doing this. Often times, even if companies have implemented security measures like these, they are insufficient or outdated.

• Insecure cloud solutions:
  In Industry 4.0, companies increasingly rely on cloud solutions to store and process production data and machinery controls. Often times, these solutions are not adequately secured, allowing hackers to gain control of the systems.
• Insecure IoT devices:
  IoT devices such as sensors and actuators are used in Industry 4.0 to collect and process data. Hackers can take advantage of vulnerabilities in such devices to access both the network and the machinery itself.
• Physical access:
  Manufacturing machinery itself might also be compromised if unauthorised persons gain physical control of it. Therefore, companies need to place their machinery in secure areas and control access to it.
• Network vulnerabilities:
  In order to optimise and automate production, machinery is often integrated into a network. Vulnerabilities in the network can compromise security and create potential attack vectors.

What can improve the IT security of manufacturing companies?

• Clear roles and division of duties:

  A company’s Chief Information Security Officer (CISO) is responsible for ensuring that security measures are implemented and adhered to in all areas related to IT. Most larger companies fill this position, but the focus is usually on office IT. Industrial security or the security of product development rarely receive enough attention.

  One approach would be to establish, production in addition to a traditional CISO, a corresponding role, that of an Industrial CISO. This would mean creating two similar roles that cooperate closely and share responsibilities.

  Operationally, the CISO can receive support from department-specific roles, including from office IT, from industrial IT through the Industrial Security Officer (ISO) and finally from product development by the Product Security Officer (ProSO). In implementing this approach, companies must also ensure that the two roles cover all aspects of governance and all related IT security measures.In practice, however, several roles are often managed by one employee, especially in small and medium-sized companies.

• Separation of office IT and industrial IT:
  Where office IT and industrial IT departments merge, attackers often find a direct entry point. Without sufficient segmentation, a single compromised office system can cause major damage to networked production systems. Conversely, an attack on a production division can jeopardise sensitive data in the ERP system as well. That’s why it is crucial to sufficiently separate your office IT and industrial IT departments from each other.
  The first step is to clarify what responsibilities office IT should handle and which zones to form. Ideally, you should begin by analysing the threats so you can assess your protection needs on a risk basis. This will allow you to group components with similar needs together in a zone. For some companies, especially SMEs, such granular attention to detail will not be feasible. In cases like that, zoning can also be based on a rough risk assessment. For example, all office IT computers that access the email system (and are therefore particularly at risk) can be grouped together.
  The second step is to separate the operational zones from the production zones by technical means.

• Identity and access management (IAM):
  In Industry 4.0, IAM means managing access rights and identities for people and systems that have access to networked plants, machinery and systems. Companies must ensure that each user and system can only access the data and resources necessary to perform their individual tasks. IAM includes:
  • Implementing security mechanisms such as password policies, multi-factor authentication and role-based access management
  • Managing identities for networked devices and machinery to ensure that only authorised devices can access the network and production systems
  • Assigning unique identifiers for each device and implementing security protocols for data exchange between devices

• Software security:
  In Industry 4.0, software security means ensuring that the software used by production equipment and systems is secure. This can be achieved through measures to prevent, detect and defend against security threats such as cyberattacks and malware. Companies must ensure that the software used in their production facilities and systems cannot be attacked. Necessary steps include:
  • The use of secure programming practices and security tools such as static analysis tools and scanners that detect vulnerabilities in software early on
  • Measures to secure communication between systems and components in the production environment, for example through encrypted connections and secure protocols
  • Regular software updates and patches so that security gaps can be quickly remedied

• Supplier security or security when purchasing production machinery:
  In Industry 4.0, supplier security means ensuring that suppliers and their products that are integrated into production processes (such as sensors, actuators, control software, etc.) meet IT security and data protection requirements. This way manufacturing companies can ensure that they do not pose a security risk. Companies must ensure that their suppliers implement appropriate measures and comply with security standards, including:
  • Implementing an information security management system or ISMS
  • Regular reviews of the supplier’s security measures
  • Training employees on IT security 

What role does an ISMS play in industrial IT security?

An ISMS (information security management system) defines the criteria and measures that company management uses to manage tasks and activities related to information security. Another way to put it, an ISMS ensures the security of every bit of a company’s information. An ISMS helps your company achieve your goals, minimise business risks and meet regulatory requirements. How does it do this? By incorporating your company’s security processes, resources, staff and management principles, which together form the cornerstones of industrial IT security.

You can read about how IT security and information security go hand in hand in our article “Information security at a glance: Definitions, objectives, tasks, jobs”.

What are the benefits of ISO 27001 certification?

ISO 27001 is an international standard that sets out guidelines, principles and measures for establishing an effective ISMS. It includes specifications for:

• Human resource security 
• Asset management 
• Physical and environmental security 
• Operational security  
• Communications security 
• Supplier security

To get ISO 27001 certification, a company must take a very close look at the security of all relevant information. The process also requires a company to define rules. The upshot is a corporate framework – one that is urgently needed, especially in industrial IT, where security is often woefully neglected.

A certified company demonstrates that it takes information security seriously and has put secure processes in place. This has a twofold effect, strengthening existing business relationships on the one hand and building trust with new customers and business partners on the other. It also helps companies comply with data protection regulations, avoid fines and limit business risks.

How can DataGuard help manufacturing companies?

DataGuard provides priceless help with know-how and consulting services on the topic of information security – for example, our experts can help you establish and run an ISMS according to ISO 27001. Our team of experts has in-depth knowledge and experience with best practices from a multitude of projects so you can be sure you’ll receive advice that is tailored to your company’s individual needs.

The DataGuard platform provides you with access to numerous guidelines for implementing an ISMS. This means you have a valuable foundation that you can use and adapt to your own processes. With the DataGuard platform, manufacturers in the automotive industry, for example, can be sure they comply with the TISAX® requirements.

Another very useful resource is the DataGuard Academy, a platform-based and efficient way to complete courses in information security training – and familiarise yourself with risks such as social engineering in the process.

Do you need advice on setting up an ISMS, getting ISO 27001 certification or training your staff? We’re happy to help! Contact one of our information security experts today.