The Cybersecurity Checklist for SMB Manufacturing is a straightforward guide for small and mid-sized manufacturers to tighten up their cybersecurity.
Introduction and Purpose
This checklist is designed to assist C-suite leaders and IT teams in manufacturing facilities to implement essential security controls that safeguard their infrastructure and data. By following these recommendations, organizations can significantly reduce their risk of cyberattacks and data breaches. The checklist is categorized into three tiers to cater to varying levels of maturity within manufacturing organizations:
Level 1 - Fundamentals: Basic security controls that every manufacturing organization should implement.
Level 2 - Mature: More advanced controls recommended for organizations with a solid security foundation.
Level 3 - Advanced: Highly specialized controls often required for organizations dealing with critical infrastructure or highly sensitive data.
Governance and Compliance
Create IT Security Policies
Fundamentals
Set up and keep updated IT security policies that explain how the organization manages and protects sensitive information and systems.
Mature
Ensure that security practices align with relevant industry standards (e.g., NIST 800-171) to foster a culture of compliance and accountability.
Regular Risk Assessments and Audits
Conduct regular risk assessments to identify potential vulnerabilities and threats.
Fundamentals: Yearly audit
Mature: Quarterly audit
Advanced: Monthly audit
Asset Management
Build an Inventory of IT Assets
Fundamentals
Maintain an up-to-date inventory of all IT assets, including hardware, mobile assets, and software, to ensure visibility and control over resources. Record for each asset information like its MAC address, whether it uses a static IP or DHCP, its location, and its owner.
Implement a process to regularly update the inventory. Set a reminder to check and update the inventory monthly.
Mature
Follow an onboarding/offboarding checklist to manage employee and contractor access.
Maintain a comprehensive inventory of operational technology (OT) assets, including production machines, cameras, and sensors, with hardware and software details.
Advanced
Classify assets based on sensitivity and criticality so that security measures and response strategies can be focused where they matter most. This classification can then feed a Purdue-model mapping of your assets.
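The inventory items above (record MAC, addressing, location and owner; re-check monthly; add criticality) can be turned into a check that runs against the inventory file. The script below is an added example, not tooling from the checklist's authors: the record layout (fields mac, ip, addressing, location, owner, kind, criticality, last_verified), the three criticality tiers, the 30-day staleness window and the sample records are all constructed for this example.

```python
"""Added example: audit a small IT/OT asset inventory for missing or malformed
fields, records not re-verified within the monthly review window, and the
high-criticality assets that deserve the most attention.

Field names, criticality tiers and sample records are assumptions for this
example, not part of the checklist."""
import json
import re
from datetime import date

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
CRITICALITY = {"low", "medium", "high"}  # assumed tiers; the checklist names none

# Constructed inventory: one clean IT host, one OT device, one broken record.
INVENTORY = [
    {"name": "hr-laptop-07", "kind": "IT", "mac": "3C:52:82:AA:10:01",
     "ip": "10.10.5.23", "addressing": "dhcp", "location": "Office 2F",
     "owner": "HR", "criticality": "medium", "last_verified": "2024-05-20"},
    {"name": "press-plc-03", "kind": "OT", "mac": "00:1D:9C:12:34:56",
     "ip": "10.50.1.3", "addressing": "static", "location": "Line 3",
     "owner": "Production", "criticality": "high", "last_verified": "2024-03-02"},
    {"name": "cam-dock-1", "kind": "OT", "mac": "not-a-mac",
     "ip": "10.50.2.300", "addressing": "", "location": "Dock",
     "owner": "", "criticality": "unknown", "last_verified": "2024-06-01"},
]


def valid_ipv4(s):
    """True for dotted-quad addresses whose octets are all in 0..255."""
    m = IPV4_RE.match(s)
    return bool(m) and all(0 <= int(o) <= 255 for o in m.groups())


def validate_asset(asset):
    """Return the list of problems with one record (empty list means clean)."""
    issues = []
    if not MAC_RE.match(asset.get("mac", "")):
        issues.append("bad mac")
    if not valid_ipv4(asset.get("ip", "")):
        issues.append("bad ip")
    if asset.get("addressing") not in ("static", "dhcp"):
        issues.append("addressing must be static or dhcp")
    for field in ("location", "owner"):
        if not asset.get(field):
            issues.append(f"missing {field}")
    if asset.get("criticality") not in CRITICALITY:
        issues.append("unknown criticality")
    return issues


def stale_assets(inventory, today, max_age_days=30):
    """Names of records not re-verified within max_age_days (the monthly check)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [a["name"] for a in inventory
            if (today - date.fromisoformat(a["last_verified"])).days > max_age_days]


def audit_inventory(inventory, today):
    """One report: malformed records, overdue records, and the high-criticality set."""
    return {
        "invalid": {a["name"]: validate_asset(a) for a in inventory if validate_asset(a)},
        "stale": stale_assets(inventory, today),
        "high_criticality": sorted(a["name"] for a in inventory
                                   if a.get("criticality") == "high"),
    }


if __name__ == "__main__":
    print(json.dumps(audit_inventory(INVENTORY, "2024-06-10"), indent=2))
```

Run it against the inventory export after each monthly review; a record that fails validation or shows up as stale is exactly the kind of blind spot the checklist's "regularly update the inventory" item is meant to close.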
Access Control
User Account Management
Fundamentals
Establish procedures for the creation, modification, and deletion of user accounts to ensure that access is managed effectively and promptly.
Require Multi-Factor Authentication (MFA) for all user accounts, particularly for accessing sensitive systems, to enhance security and reduce the risk of credential theft.
Mature
Use a password manager to ensure strong, unique passwords for every system.
Implement Role-Based Access Control (RBAC) to ensure users have access only to the information and systems necessary for their roles, minimizing the risk of unauthorized access.
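The account lifecycle and RBAC items above (create, modify and delete accounts promptly; follow an offboarding checklist; grant only what a role needs) can be checked mechanically against the HR roster. The script below is an added example, not part of the checklist: the role names, permission strings, the "svc-" prefix for service accounts, and the sample accounts and roster are constructed assumptions.

```python
"""Added example: a least-privilege and offboarding audit over a list of
accounts. Roles, permissions, account data and the HR roster are constructed;
the 'svc-' naming convention for service accounts is an assumption."""

# Each role maps to the permissions that role legitimately needs.
ROLE_PERMS = {
    "operator": {"hmi:view", "hmi:operate"},
    "engineer": {"hmi:view", "hmi:operate", "plc:program"},
    "it-admin": {"ad:manage", "backup:restore"},
    "finance":  {"erp:invoices"},
}

# Constructed account list as exported from the directory.
ACCOUNTS = [
    {"user": "amara", "roles": ["operator"], "enabled": True},
    {"user": "ben",   "roles": ["engineer", "it-admin"], "enabled": True},  # role creep
    {"user": "chen",  "roles": ["finance"], "enabled": True},               # left last month
    {"user": "dana",  "roles": [], "enabled": True},                        # no role assigned
    {"user": "svc-backup", "roles": ["it-admin"], "enabled": True},         # service account
]

# Constructed HR roster; service accounts are not people and are absent here.
HR_ROSTER = {"amara": "active", "ben": "active", "chen": "left", "dana": "active"}


def permissions(account):
    """Effective permission set: the union of the account's roles."""
    return set().union(*(ROLE_PERMS[r] for r in account["roles"]))


def can(account, perm):
    """Authorization decision: disabled accounts get nothing."""
    return account["enabled"] and perm in permissions(account)


def audit_accounts(accounts, roster, max_roles=1):
    """Return (user, finding) pairs for accounts that break the lifecycle or RBAC rules."""
    findings = []
    for a in accounts:
        user = a["user"]
        if a["enabled"] and roster.get(user) == "left":
            findings.append((user, "offboarded but still enabled"))
        if user not in roster and not user.startswith("svc-"):
            findings.append((user, "no HR record"))
        if a["enabled"] and not a["roles"]:
            findings.append((user, "enabled with no role"))
        if len(a["roles"]) > max_roles:
            findings.append((user, "holds multiple roles: review for least privilege"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS, HR_ROSTER):
        print(f"{user}: {finding}")
```

The audit is deliberately simple: the point is that offboarding and role review become a repeatable comparison between two exports rather than something that depends on someone remembering.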
Network Security
Implementation of Firewalls
Fundamentals
Deploy firewalls to monitor and control incoming and outgoing network traffic based on predetermined security rules, effectively acting as a barrier between trusted and untrusted networks.
Mature
Implement network segmentation to separate environments, reducing the attack surface and preventing lateral movement in case of a breach. Define segments based on specific use cases and legitimate reasons to communicate.
Avoid sharing Wi-Fi networks with guests or neighbors. Instead, create a separate and dedicated guest Wi-Fi network. Set a calendar reminder to change the password every month.
Advanced
Following a zero-trust strategy, require authentication for every connection between assets rather than trusting a connection because of where it originates. Record communication between assets in your network using your switch, firewall, or router tooling. Store logs in a log sink (filesystem or SIEM).
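Once the segmentation policy is defined in terms of "segments and legitimate reasons to communicate" and the firewall or switch is exporting connection records, the two can be compared. The script below is an added example, not the checklist's own tooling: the segment address ranges, the allow-list entries (including a historian segment sitting between IT and OT, polling PLCs over Modbus/TCP port 502), the flow-record format and the sample lines are all constructed assumptions.

```python
"""Added example: check exported flow records against a segmentation policy so
that traffic crossing a segment boundary without a documented reason is flagged.

Segment ranges, the allow-list, the record format 'ts src dst proto dport
action' and the sample flows are constructed for this example."""
import ipaddress

# Assumed segments for a small plant; adjust to your own addressing plan.
SEGMENTS = {
    "it":    ipaddress.ip_network("10.10.0.0/16"),
    "ot":    ipaddress.ip_network("10.50.0.0/16"),
    "guest": ipaddress.ip_network("192.168.90.0/24"),
    "hist":  ipaddress.ip_network("10.60.0.0/24"),  # historian/DMZ between IT and OT
}

# Legitimate reasons to communicate: (source segment, destination segment, dst port).
# A port of None means any port is allowed for that pair (used for intra-segment traffic).
ALLOWED = {
    ("it", "hist", 443),    # users read the historian over HTTPS
    ("hist", "ot", 502),    # historian polls PLCs over Modbus/TCP
    ("it", "it", None),
    ("ot", "ot", None),
}

# Constructed flow records (one per line), as a firewall or switch might export them.
SAMPLE_FLOWS = [
    "2024-06-10T08:00:01Z 10.10.5.23 10.60.0.5 tcp 443 allow",       # IT -> historian: fine
    "2024-06-10T08:00:02Z 10.60.0.5 10.50.1.3 tcp 502 allow",        # historian -> PLC: fine
    "2024-06-10T08:00:03Z 10.10.5.23 10.50.1.3 tcp 502 allow",       # IT laptop straight to PLC
    "2024-06-10T08:00:04Z 192.168.90.12 10.10.5.23 tcp 445 allow",   # guest Wi-Fi -> IT SMB
    "2024-06-10T08:00:05Z 10.50.1.3 10.50.1.9 tcp 44818 allow",      # inside OT: fine
]


def segment_of(ip):
    """Name of the segment an address belongs to, or 'unknown' if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """Parse one 'ts src dst proto dport action' record into a dict."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "action": action}


def is_allowed(flow):
    """True when the policy has an entry for this segment pair and port."""
    s, d = segment_of(flow["src"]), segment_of(flow["dst"])
    return (s, d, flow["dport"]) in ALLOWED or (s, d, None) in ALLOWED


def violations(lines):
    """Flows that crossed a boundary the policy does not document."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f)]


if __name__ == "__main__":
    for f in violations(SAMPLE_FLOWS):
        print(f"{f['ts']} {segment_of(f['src'])}->{segment_of(f['dst'])} "
              f"{f['src']} -> {f['dst']}:{f['dport']} not in policy")
```

Note that both flagged flows were allowed by the device that logged them; the check catches the gap between the policy on paper and the rules actually loaded, which is the usual way segmentation erodes over time.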
Media Protection and Endpoint Security
Regular Backups and Restoration Testing
Fundamentals
Set up a regular backup schedule and test restoration procedures to ensure data can be recovered if lost or compromised.
Employ encryption for sensitive data in your filesystem (on-premise, cloud, or SaaS) to protect against unauthorized access and ensure data confidentiality.
Mature
Establish a framework for categorizing data based on sensitivity and importance. A tiered classification (Confidential, Sensitive, None) is usually a good starting point.
Encrypt USB keys and flash drives with sensitive data. Keep them stored in closed compartments if possible.
Advanced
Develop and maintain a comprehensive disaster recovery plan outlining the steps to restore operations after a significant security incident or disaster.
Ensure data is stored across separate physical locations.
Endpoint Security
Fundamentals
Ensure that all endpoints have up-to-date antivirus and anti-malware software installed to detect and mitigate threats.
Encrypt all employee laptops and phones to protect both the company's assets and employees' private files.
Maintain a schedule for regularly updating and patching systems to protect against known vulnerabilities.
Mature
Implement a solution to log security information from endpoints into a centralized sink, with the ability to query this information (filesystem, log sink, or SIEM).
Implement policies governing the use of mobile and remote devices, including security configurations and acceptable usage guidelines. Define what data can be accessed on these devices.
Industrial Security, Monitoring, and Training
Industrial Security (OT Security)
Fundamentals
Use VPN capabilities to enforce encryption and authentication when remote access to an industrial asset is required. Log connections and commands done through remote access.
Mature
Accustom your team to locking their machines while away. Each user should have their own account rather than sharing a login across machines. Maximum session length on computers should be 30 minutes.
Harden your devices by limiting available options as much as possible. For instance, tape over USB ports if they are not needed, and remove web browsers and any other applications that are not required.
Advanced
Implement a solution to log security information from OT assets into a centralized sink, with the ability to query this information (filesystem, log sink, or SIEM).
Security Monitoring and Incident Response
Fundamentals
Create and refer to an incident response plan detailing what to do in case of a cyber incident. Keep records of past incidents and how they were handled where they can be referred to later.
Mature
Centralize and archive your logs and make them meaningful. Logs are necessary to trace what happened after an incident, find where the attacker came from, and possibly even who they are. Ensure the system time configured on each machine is in sync for easy cross-correlation of logs.
Advanced
Implement a procedure for reporting security incidents to external stakeholders (customers, suppliers). This will help build trust from external stakeholders in your organization.
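The logging items above (centralize logs from endpoints and OT assets, make them meaningful, keep clocks in sync) come together when you try to build a timeline after an incident. The script below is an added example, not from the checklist's authors: the record layout (collector receive time, host, raw line), the two timestamp formats, the assumption that one host writes naive local time in a +02:00 zone, and the sample lines are all constructed.

```python
"""Added example: normalize log lines from several hosts to UTC, order them into
one timeline, and detect hosts whose clocks disagree with the collector.

The record layout, timestamp formats, host time zones and sample lines are
constructed for this example."""
from datetime import datetime, timezone, timedelta

# Constructed records as a collector might store them:
# (receive time in UTC, host, raw line as sent by the host).
RAW = [
    ("2024-06-10T08:00:05Z", "fw01",
     "2024-06-10T10:00:04+02:00 fw01 DENY 192.168.90.12 -> 10.10.5.23:445"),
    ("2024-06-10T08:00:06Z", "hmi-line3",
     "2024-06-10 10:00:05 hmi-line3 login operator console1"),
    ("2024-06-10T08:00:07Z", "plc-03",
     "2024-06-09T23:41:10+00:00 plc-03 mode changed RUN->PROGRAM"),
]

# Assumption: hosts that log naive 'YYYY-MM-DD HH:MM:SS' stamps use this local zone.
HOST_TZ = {"hmi-line3": timezone(timedelta(hours=2))}


def _iso(stamp):
    """Parse an RFC 3339 stamp, accepting the 'Z' suffix on older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_event_time(host, line):
    """Return the event's own timestamp as an aware UTC datetime."""
    first = line.split(" ", 1)[0]
    if "T" in first:                       # RFC 3339 with explicit offset
        ts = _iso(first)
    else:                                  # naive local time: date and clock are two tokens
        day, clock = line.split(" ", 2)[:2]
        ts = datetime.fromisoformat(f"{day} {clock}").replace(tzinfo=HOST_TZ[host])
    return ts.astimezone(timezone.utc)


def normalize(records):
    """Attach UTC event time, UTC receive time and the host's clock skew to each record."""
    out = []
    for recv, host, line in records:
        recv_utc = _iso(recv)
        ev_utc = parse_event_time(host, line)
        out.append({"host": host, "event_utc": ev_utc, "recv_utc": recv_utc,
                    "skew_s": (ev_utc - recv_utc).total_seconds(), "msg": line})
    return out


def timeline(records):
    """Events ordered by their normalized event time rather than arrival order."""
    return sorted(normalize(records), key=lambda e: e["event_utc"])


def skewed_hosts(records, tolerance_s=60):
    """Hosts whose own clock disagrees with the collector by more than tolerance_s."""
    return sorted({e["host"] for e in normalize(records) if abs(e["skew_s"]) > tolerance_s})


if __name__ == "__main__":
    for e in timeline(RAW):
        print(f"{e['event_utc'].isoformat()} {e['host']:10} skew={e['skew_s']:+.0f}s  {e['msg']}")
    print("clock out of sync:", skewed_hosts(RAW))
```

In the sample data the PLC event lands first in the timeline, hours before the firewall deny it was actually caused by, only because that host's clock is wrong; the skew report is what tells the analyst not to trust that ordering. This is the practical reason the checklist asks for synchronized system time before it asks for correlation.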
Security Awareness and Training
Fundamentals
Provide cybersecurity training for all employees to educate them about potential threats and safe practices.
Fundamentals: Once a year
Mature/Advanced: Quarterly and office hours
Mature
Take special care of non-tech employees. They are less used to technical tricks and can be deceived more easily than others, opening the door to ransomware or confidentiality issues. Train and empower them to be distrustful and to preserve the company's assets.
Hold training sessions that help everyone spot and handle phishing attempts and social engineering tricks. 80% of cyber attacks start with phishing emails, and it's better to address this early.