Securing the production environment: protection against cyber attacks
“To get suitable insurance cover, a company's IT security should always be up to date. In addition, insurers have further current requirements that should be observed,” says Abdullah Keser, cyber expert. The expert explains the various requirements that insurers check.
Segmentation of the network
One requirement of the insurers is that the production environment, or production network, is segmented from the rest of the network. Ideally, the production network itself is not one large flat network either: the facilities should be grouped into clusters and each cluster placed in its own network wherever possible. Two aspects in particular must be considered here: the importance of each production facility for the company must be evaluated, and care must be taken that the machines are not directly accessible from the internet.
To guarantee strong network segmentation in the company, rules and authorizations must also be defined: who has access to which segments, and which authorizations the respective user then has within those segments. Identity and access management must be stricter in this area of the production network than in the IT network. “If a company segments its network, but anyone can get into the network and do whatever they want there, then segmentation is useless,” the insurance expert emphasizes.
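The two checks described above, a default-deny rule table per segment and a test that no production segment is reachable from the internet, modelled in Python. This is an added example, not code from the article or any vendor; the zone names (office_it, jump_host, ot_cluster_a, ot_cluster_b), roles and rules are hypothetical.

```python
"""Segmentation model for a production network (constructed example, not the
article's or any vendor's code). Zones, roles and rules are hypothetical.
Two checks an auditor runs: is any production segment reachable from the
internet, and does a role reach only the segments it is authorized for."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str           # source zone
    dst: str           # destination zone
    roles: frozenset   # roles permitted to use this path

# Production is split into clusters, each reachable only through a jump host.
RULES = [
    Rule("office_it", "jump_host", frozenset({"ot_engineer", "vendor"})),
    Rule("jump_host", "ot_cluster_a", frozenset({"ot_engineer"})),
    Rule("jump_host", "ot_cluster_b", frozenset({"ot_engineer", "vendor"})),
]

def is_production(zone: str) -> bool:
    return zone.startswith("ot_")

def allowed(src: str, dst: str, role: str, rules=RULES) -> bool:
    """Default deny: a flow passes only if an explicit rule permits it."""
    return any(r.src == src and r.dst == dst and role in r.roles for r in rules)

def reachable_from(src: str, role: str, rules=RULES) -> set:
    """Zones a user with `role` can reach from `src`, following rule chains."""
    seen, frontier = {src}, [src]
    while frontier:
        zone = frontier.pop()
        for r in rules:
            if r.src == zone and role in r.roles and r.dst not in seen:
                seen.add(r.dst)
                frontier.append(r.dst)
    return seen - {src}

def audit(rules=RULES, roles=("ot_engineer", "vendor", "anyone")) -> list:
    """Findings the insurer's checklist would flag: production exposed to the internet."""
    findings = []
    for role in roles:
        exposed = sorted(z for z in reachable_from("internet", role, rules) if is_production(z))
        if exposed:
            findings.append(f"internet reaches production as '{role}': {exposed}")
    return findings

# A single careless rule that exposes a cluster directly, to show the audit catching it.
BAD_RULES = RULES + [Rule("internet", "ot_cluster_a", frozenset({"anyone"}))]
```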
Controlling remote access in the production environment
In addition to segmenting the networks, remote access must also be regulated. Company management must define which of their own employees and which third parties have access to the production facilities, and in what way. Remote access can be secured using multi-factor authentication: entering a username and password is then not enough, and users must verify themselves with a second factor. “A solution that is frequently used at the moment is that before third parties can access the production systems, they must first be activated by an internal employee. This ensures that there is no permanent connection to these service providers and that hackers cannot ‘jump’ from the service provider to your own company,” explains Abdullah Keser.
Logging the connections
To track who has been working on the network and what they have been doing, the connections should be logged. “This is also important from a liability perspective and not just for cyber security. If a service provider has caused an error during maintenance, the company can trace it via the log,” says the insurance expert.
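The access model from the two sections above (third-party access activated by an internal employee for a limited window, a second factor at login, and every decision written to a log that can later be traced) as a small Python broker. This is an added example, not code from the article or any vendor; the vendor, system and employee names and the timestamps are constructed.

```python
"""Time-boxed third-party access with an audit trail (constructed example, not the
article's or any vendor's code; names and times are hypothetical). A vendor session
is allowed only with an unexpired internal activation plus a second factor."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Activation:
    vendor: str
    system: str
    approved_by: str        # internal employee who opened the window
    expires_at: datetime

@dataclass
class AccessBroker:
    activations: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def _log(self, now, event, vendor, system, detail):
        self.audit_log.append(f"{now.isoformat()} {event} vendor={vendor} system={system} {detail}")

    def activate(self, vendor, system, approved_by, now, hours=4):
        """An internal employee opens a limited window; no standing connection exists."""
        act = Activation(vendor, system, approved_by, now + timedelta(hours=hours))
        self.activations.append(act)
        self._log(now, "ACTIVATE", vendor, system, f"by={approved_by} until={act.expires_at.isoformat()}")

    def connect(self, vendor, system, password_ok, second_factor_ok, now):
        """True only if both factors passed and an unexpired activation matches; every decision is logged."""
        reason = None
        if not (password_ok and second_factor_ok):
            reason = "authentication failed"
        elif not any(a.vendor == vendor and a.system == system and a.expires_at > now
                     for a in self.activations):
            reason = "no active approval"
        self._log(now, "DENY" if reason else "CONNECT", vendor, system, reason or "ok")
        return reason is None

def demo():
    """Four attempts against one activation; returns the decisions and the audit log."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    broker = AccessBroker()
    broker.activate("vendor-x", "press-line-2", "internal.employee", t0)
    decisions = [
        broker.connect("vendor-x", "press-line-2", True, False, t0 + timedelta(minutes=5)),  # no 2nd factor
        broker.connect("vendor-x", "press-line-2", True, True, t0 + timedelta(hours=1)),     # inside window
        broker.connect("vendor-x", "press-line-2", True, True, t0 + timedelta(hours=5)),     # window expired
        broker.connect("vendor-y", "press-line-2", True, True, t0 + timedelta(hours=1)),     # never activated
    ]
    return decisions, broker.audit_log
```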
Do not connect production systems to the network
One way to avoid the need for segmentation and multi-factor authentication is not to connect the production systems to the network at all. “In this case, an attack is not possible because the machines are not on the network. They are best protected. But of course this is only possible when standard products are being produced and for companies whose orders don't change constantly,” explains Abdullah Keser. If maintenance is required in such a case, the systems can be connected to the network for a short time for this purpose only and disconnected again immediately afterwards. The trade-off is that the systems cannot be checked in real time, so there is no continuous monitoring of whether everything is running properly.
Developing a contingency plan and establishing an emergency management system
In most cases, customers have connected their production systems to the network. Organizational safeguards must then be put in place, and customers should be aware that there is a risk of attack. To be prepared for a cyber attack, every company should have a contingency plan and ideally also establish an emergency management system that covers the risks to the production environment as well. The following considerations, among others, should be made in advance:
- Which systems do I disconnect from the network in an emergency?
- How do I prevent a loss of production? Can I switch to alternative production facilities?
- How quickly can I get the production facility back up and running in the event of an attack?
- Is it possible to carry out production manually – separate from the rest of the network?
- Are my backups of the production facilities protected separately?
- How quickly can I access these backups?
“When creating an emergency plan and setting up an emergency management system, I recommend working with a partner,” says the expert. In most cases, companies already work with IT service providers who can help set up an emergency management system. “However, we also have partners in our network that we are happy to recommend,” says Abdullah Keser.
Establishing a patch management system
Security updates should be installed immediately, even on production systems. “However, this is easier in IT than in operational technology (OT). Since most companies run their production systems 24/7, they cannot produce during an update,” says the expert. A patch management process usually includes a test environment in which security updates are tested before they are rolled out to the production systems, so that faulty updates are identified in advance.
Structure of a security operations center (SOC)
“Insurers also require larger companies to set up a security operations center,” says Abdullah Keser. This means that an internal or external IT security team monitors the company's IT infrastructure around the clock to detect and effectively counter cyber security incidents in real time.