The Fourth Industrial Revolution created a new digital world for manufacturers — one requiring greater connectivity, agility, and efficiency than ever before. To keep up with global demands, manufacturers transformed into smart factories. Now, critical operations no longer rely on just legacy applications and perimeter-based security but, instead, complex networks of software, workstations, and devices, in several different locations, accessed by hundreds of people.
But with modernization came unforeseen risks. As organizations work with more third parties to improve collaboration across businesses, they introduce uncertainty to their environment. And if third-party access is not properly secured or managed, uncertainty can turn into vulnerability.
Struggling With Third-Party Security
With multiple vendors connected to a network, it’s impossible to know exactly who is accessing what information without a proper solution. And unfortunately, many manufacturers, especially small to midsize ones, are still managing vendor access the old-fashioned way: manually. But it’s not necessarily working. In fact, according to a recent Ponemon report, 70% of organizations stated they experienced a third-party breach that came from granting too much access.
This isn’t lost on hackers who view critical infrastructure as a major target. Manufacturers that produce fuel, food, or machinery are more likely to pay large ransoms to quickly get operations back up and running.
Because many manufacturers still have complex environments composed of legacy applications and operational technology (OT), it can be a challenge to ensure and verify all access into these systems. Without a solution that provides seamless management and visibility into access of all necessary technology, the risks of connectivity could outweigh the benefits.
Risks of Poor Vendor Management
Consider this: You give the key to your safe to a trusted friend to put something in it. When they put that object in the safe, they also steal the money you had inside. Or they lose the keys to your safe and someone else steals from it.
This is the risk that comes with poor third-party management — and the repercussions can be devastating. The infamous SolarWinds attack that caused thousands of customers to download corrupted software showed us how pervasive third-party connections can be and how long they can go on without proper management. Not to mention the reputational damage caused to the brand after the incident. There can also be financial consequences, if hackers had deployed ransomware through the agent, it could have led to a hefty payout.
There’s also the operational risk of a third-party breach. We saw Toyota halt operations earlier this year after one of its contracted manufacturers experienced a breach. On top of that, there are legal and regulatory implications too. If an organization does not take steps to vet its third parties appropriately, they could expose themselves to compliance risks and security concerns.
A recent Ponemon report found that organizations are now relying more on third parties to do business, compared with previous years. But attacks are on the rise, with 54% of organizations surveyed reporting a third-party cyberattack in the last 12 months. These threats are not going away. As manufacturing embraces more third parties, they need to consider vendor privileged access management.
Securing Third Parties With Privileged Access Management
While these threats are pervasive, they are not impossible to prevent. The most effective way to do so is with an automated solution like vendor privileged access management. More reliance on vendors and more third-party attacks calls for implementing the following best security practices:
- Inventory all vendors and third parties: Before organizations can implement a privileged access management solution, they need to do a thorough audit over who is accessing what information, applications, and data in their systems. While you may have given one login to a vendor, it could be used by hundreds of reps. Ensure you regularly update vendor inventory to have a clearer view into access.
- Minimize movement with access controls: With a wide attack surface, privileged access management is necessary for vendors to prevent an unauthorized user from laterally moving across the network. It provides credential access through a vault, so that a user only has permission to access the resources necessary for their specific task when they need it.
- Monitor and review all privileged session access: Use an automated solution that enables monitoring and session recording of all privileged access. Technology that keeps keystroke logs and indicates any anomalies or suspicious behavior is helpful, but only if they are reviewed regularly.
Alone, a vendor privileged access management solution won’t be enough to protect your entire environment. But alongside other strong principles, like zero trust, it can make a tremendous difference in reducing the third-party risks manufacturing faces.
About the Author
Wes Wright is the chief technology officer at Imprivata. Wes brings more than 20 years of experience with healthcare providers, IT leadership, and security.
Prior to joining Imprivata, Wes was the CTO at Sutter Health, where he was responsible for technical services strategies and operational activities for the 26-hospital system. Wes has been the senior vice president/CIO at Seattle Children’s Hospital and has served as the chief of staff for a three-star general in the US Air Force.
Wes holds a B.S. in business and management from the University of Maryland and received his MBA from the University of New Mexico. Wes is a member of the CHIME & AEHIT Virtual Health Policy Workgroup.