Manufacturing

Q: What cybersecurity frameworks or standards should manufacturers follow?
A: Manufacturers should consider adopting well-regarded cybersecurity frameworks as a blueprint for their security program. Two of the most popular are the NIST Cybersecurity Framework and ISO/IEC 27001. The NIST framework provides a flexible, comprehensive approach tailored to identifying and managing cyber risks in critical infrastructure sectors (including manufacturing) and is widely used in the U.S. ISO 27001 is an international standard for information security management systems – achieving ISO 27001 certification can demonstrate to partners that you have strong processes in place. Neither of these is mandatory for all manufacturers, but they serve as excellent guides​.

In addition, there may be industry-specific guidelines to follow. For example, the ISA/IEC 62443 standards are specifically designed for industrial control system security – if you operate a lot of PLCs and SCADA systems, 62443 provides technical requirements for securing those. If you are in the defense supply chain, the NIST 800-171 standard (and CMMC certification) is effectively required, as it lays out controls for protecting sensitive government information. Automotive manufacturers might look at TISAX assessments if working with European automakers. It can seem overwhelming, but the good news is many of these standards overlap in their core requirements (things like access control, incident response planning, continuous monitoring, etc.).

A practical approach is: start with a general framework like NIST CSF to get your basics right. Then identify any specific standards mandated by your customers or sector and address the additional controls they call for. You don’t need to reinvent the wheel for each standard – for instance, if you implement network segmentation and strong identity management, that will help you comply with NIST CSF, ISO 27001, 800-171, and others all at once. Manufacturers should also stay tuned into organizations like the National Association of Manufacturers (NAM) or sector-specific groups that often publish cybersecurity best practices tailored to manufacturing. If resources allow, getting a cybersecurity assessment or gap analysis from a firm like Entre (or another consultant) against one of these frameworks can be a great way to understand where you stand and what to prioritize.

Q: How can we secure our factory’s operational technology (OT) systems from cyber threats?
A: Securing OT systems – things like production line controllers, HMI panels, sensors, and other industrial devices – requires a multi-pronged strategy that respects the operational constraints of those systems. Here are some key steps:

• Network Isolation: As mentioned earlier, keep the OT network as isolated as possible. That means your machines and control systems should communicate with each other and maybe a few essential servers, but they shouldn’t have broad access to the internet or the corporate IT network. Use firewalls or VLANs to create an “industrial network zone”, and only allow specific traffic in and out of it. For example, maybe your quality data needs to go to a database in IT – set a rule for that and block everything else. By doing this, even if malware lands on a machine on the business network, it’s far less likely it can spread into the OT environment.
• Tighten Access Controls on OT: Many OT systems historically have had weak access control (shared passwords, default logins, etc.). Do an audit of your control system devices and ensure all default passwords are changed to strong, unique ones. Implement unique user accounts if the system supports it. If certain machines or control applications support active directory or centralized authentication, integrate them so you can manage permissions in one place. The principle is to know who can log into each device and to be able to revoke access when that person no longer needs it (like when a contractor’s work is done). Also consider physical access – secure the control rooms or cabinets, so that unauthorized personnel can’t plug a laptop into a PLC or controller.
• Apply OT-Specific Security Solutions: Consider deploying OT-specific security tools. These might include industrial firewalls (which can sit in front of a particularly critical controller and enforce rules at the protocol level – for instance, allowing only read commands to a PLC from certain stations, and blocking any write commands from elsewhere) or intrusion detection systems for OT that understand protocols like Modbus/TCP, Profibus, EtherCAT, etc. These systems can alert you if, say, a machine starts getting commands outside of its normal pattern or at an odd time. They can often be deployed in a passive listening mode so they won’t interfere with operations.
• Update and Patch When Possible – With Caution: For OT equipment, you might not be able to patch frequently, but you should have a plan to do firmware updates during planned downtimes. Work closely with equipment vendors – many now release periodic security patches for PLC firmware or control software. When you do get an opportunity (like an annual maintenance shutdown), update everything you can. If something truly can’t be updated (e.g., the vendor no longer exists or it’s proprietary), that’s where you bolster other protections around it. Keep an eye on vendor advisories; subscribe to notifications from your equipment suppliers about security issues so you’re aware of vulnerabilities even if you can’t immediately fix them.
• Monitoring and Incident Response for OT: Establish processes to monitor the OT environment. This could be as simple as operators being trained to note unusual behavior of machines that could indicate digital interference (for example, a machine stopping without an obvious mechanical issue could potentially be a cyber issue). If you have an IT SOC (security operations center) or use a service like Entre’s, feed them data from OT if possible. Some companies send logs from OT workstations or network switches to a central log system. And importantly, have an incident response plan that includes OT – this is often overlooked. It should detail what to do if you suspect an attack on the production line. For instance, who has the authority to shut down a process if it’s being manipulated? How do you isolate a compromised HMI? Having a playbook in advance ensures a faster, safer response.

Securing OT is indeed challenging, because you must always weigh the risk of downtime. However, by incrementally implementing these protective measures and working in tandem with your operations team, you can significantly reduce the likelihood of a successful attack on your factory systems. Remember that cybersecurity for OT is a continuous process of improvement – it’s okay to start with small but impactful steps (like network segregation or password changes) and build from there. Over time, these incremental improvements lead to a much more secure manufacturing environment.

Q: What are the most common cyber threats to manufacturing companies?
A: Manufacturing companies face a variety of cyber threats today, but some of the most common ones include:

• Ransomware: This is arguably the number one threat in manufacturing now. Cybercriminal groups target manufacturers with ransomware because they know downtime is costly and firms may be willing to pay to restore operations. In a ransomware attack, malware will encrypt files and sometimes even take down industrial PCs or servers, demanding a ransom payment (often in cryptocurrency) for the decryption key. We’ve seen cases where production is frozen for days or weeks, and even instances where physical equipment was damaged due to sudden shutdowns. Ransomware can enter through phishing emails, infected USB drives, or by exploiting exposed remote access points.
• Phishing and Social Engineering: Not all attacks directly target machines; many start by targeting people. Phishing emails might trick employees in finance or procurement to click a link or open an attachment that installs malware. Or a scammer might impersonate a vendor or executive to get a fraudulent payment (sometimes called Business Email Compromise, BEC). In a manufacturing context, an attacker might phish an engineering manager with an email that looks like it’s from a machine supplier, containing malware disguised as a firmware update. Social engineering could also happen via phone – e.g., someone calls pretending to be IT support and convinces an employee to reveal their password. These human-focused attacks are often the gateway that attackers use to get into the network, after which they can deploy ransomware or other exploits.
• Intellectual Property (IP) Theft / Industrial Espionage: Manufacturers often invest heavily in R&D and have proprietary designs, formulas, or processes. Sophisticated adversaries – sometimes even nation-state sponsored hackers – may target manufacturing firms to steal this intellectual property. For example, there have been cases of hackers targeting pharmaceutical manufacturers to steal drug formulas, or targeting electronics manufacturers to steal schematics. These attacks might be quieter; instead of deploying noisy ransomware, the attacker infiltrates the network and slowly exfiltrates design files, CAD drawings, or trade secrets, possibly over months, without disrupting operations (since they want to remain undetected). The result, however, is a loss of competitive advantage if that IP leaks to competitors or foreign markets.
• Supply Chain Attacks: Manufacturers are part of a larger ecosystem, and attackers know this. A supply chain attack might involve compromising one company to indirectly get to another. For instance, an attacker might breach a smaller parts supplier that has lower security, then use that connection to pivot into a larger manufacturer’s network (especially if there’s trust and data exchange between them). Another scenario is tampering with software or equipment that the manufacturer uses – for example, planting malware in an update from a software vendor (like the notorious SolarWinds incident) or delivering equipment with firmware backdoors. When the manufacturer installs that software or equipment, the threat is inside their network. Given how interconnected supply chains are, this is a serious concern. It’s why more companies are asking their suppliers to beef up security – the chain is only as strong as its weakest link.
• Insider Threats: While less common than external attacks, insider threats do happen in manufacturing. This could be a disgruntled employee or a contractor with knowledge of the systems who intentionally causes harm or steals information. Insiders might, for example, plug in a rogue device on the network to create a backdoor, or they might download sensitive customer lists or product data to take to a new job. In a worst-case, an insider could alter a production process (sabotage) or shut down systems. Mitigating insider risk involves not only technical controls (like monitoring for unusual access patterns, Data Loss Prevention software to catch large file transfers, etc.) but also HR and management vigilance on employee behavior and morale.
• IoT/IIoT Vulnerabilities: As manufacturers deploy Industrial IoT sensors and smart devices for monitoring and efficiency, each of those devices can be a potential entry point if not properly secured. Many IoT devices have had known security issues – like default credentials or outdated firmware. An attacker might exploit a vulnerability in a smart sensor or a connected camera on the factory floor to gain a foothold in the network. Once in, they could pivot to more critical systems. So, threats in this area include botnets (malware that co-opts IoT devices) or simply unauthorized access through an insecure IoT node.

In summary, the threats range from broadly opportunistic (ransomware gangs casting a wide net) to highly targeted (industrial espionage by skilled attackers). Manufacturers should assume that both financially motivated criminals and potentially well-resourced adversaries have an interest in breaching their defenses. By understanding these common threats, companies can prioritize their security measures – for instance, focusing on strong backups and incident response to handle ransomware, and on network monitoring and strict access controls to handle stealthy IP theft attempts.

Q: We have older legacy machines that can’t be easily updated. How can we protect them from cyber attacks?
A: Protecting legacy machines – which are common in manufacturing – is a challenge, but there are several tactics you can use to mitigate risk around them:

• Network Containment: Treat the legacy system as if it’s potentially vulnerable (since it likely is) and isolate it as much as possible. Put it on its own subnet or VLAN with a firewall controlling what goes in and out. For example, if the machine only needs to communicate with one server or controller, create firewall rules so it only talks to that server on the required ports and nothing else. By doing this, even if an attacker gets onto your main network, that legacy machine is not broadly reachable. And conversely, if the legacy machine gets compromised, the damage it can do or who it can reach is very limited.
• Use Virtual Patching/Compensating Controls: Virtual patching means using other security controls to compensate for the fact that you can’t patch the device’s own software. This could involve an Intrusion Prevention System (IPS) that sits on the network and is configured with specific rules to block any traffic trying to exploit the known weaknesses of that legacy machine’s OS or protocol. Another compensating control might be running the legacy application in a more controlled environment – for instance, if it’s a legacy Windows XP machine that only runs one application, remove or disable any software and services on it that aren’t absolutely needed (like web browsers, unused network services, etc.) to reduce its attack surface. You might even restrict the machine’s network access schedule if possible – e.g., only power it on when it’s needed for production runs.
• Application Whitelisting: For some legacy systems, you can use application whitelisting or lock-down software. This is a security approach where the machine is configured to only run a specific set of executables (the ones it needs for its task) and nothing else. If malware somehow gets on the machine and tries to run, the whitelist agent will block it because it’s not an approved application. Microsoft has tools like AppLocker for newer OS, but for older ones, there are third-party solutions that can sometimes be installed. Not every legacy system can accommodate this, especially if the performance is tight, but if it can, it’s a powerful defense since the machine essentially refuses to do anything out of the ordinary.
• One-Way Communication Gateways/Data Diodes: If the legacy machine only needs to send data out but doesn’t need inbound communication, consider a one-way communication device or data diode, which allows data to flow out but physically/optically prevents any data from flowing back in. This is used in some industrial settings for critical systems – for example, a sensor network might send data out to the IT network, but nothing from IT can reach back into the sensor network. This can be an expensive solution and overkill for some situations, but it’s worth mentioning for high-criticality legacy equipment.
• Active Monitoring: Keep a close watch on the legacy machine’s behavior. Even if you can’t install modern security agents on it, you can monitor it via network traffic or by logging. For instance, mirror the network port of that machine to a monitoring system that will alert if it suddenly starts communicating with an unknown IP or if it sends significantly more data than usual (signs that it could be hijacked). Also, check the machine itself periodically – review any system logs if available for strange events.
• Plan for the Future: While protecting now, also develop a long-term plan. Can the legacy machine be upgraded or replaced in the next few years? Sometimes budget or technical processes delay this, but keep pressure on vendors if it’s a commercial product to provide an upgrade path. In some cases, if hardware allows, you might be able to sandbox the legacy software – for instance, running that Windows XP application inside a virtual machine on a modern host that is more secure, and interfacing with the hardware through that VM. These scenarios can be complex, but worth exploring with your engineering and IT teams.

In essence, for legacy systems your approach is to encircle them with protections since you can’t fix them internally. It’s like putting the valuable but vulnerable asset in a safe room: heavy door (firewall), security camera (monitoring), allowing interaction only through a small window or intercom (strict network rules). While not foolproof, these measures can significantly reduce the risk that an old machine will be the downfall of your broader network’s security.

Q: How can we minimize downtime from IT or cyber incidents in our production line?
A: Minimizing downtime from IT or cyber incidents is all about preparation and having robust safeguards. Here are some key strategies:

• Implement Redundancies: Identify any single points of failure in the production line’s IT dependencies and see if you can add redundancy. For example, if you have one industrial PC that, if it fails, stops the whole line – can you have a hot spare imaged and ready to swap in? If your production relies on a network connection, consider redundant network paths or switches, so a failure in one doesn’t take everything down. For critical servers, use clustering or failover setups so that if one server fails, another automatically takes over. Redundancy can also mean power – using uninterruptible power supplies (UPS) or backup generators for your control systems to handle power blips without shutting down systems (which can cause lengthy restarts). The idea is to eliminate single failures that could cause major downtime.
• Regular Backups and System Images: We discussed backups in depth, but specifically, maintaining full system images of critical production PCs or controllers can greatly speed recovery. If a control computer gets hit by ransomware or just suffers a hard drive crash, having an image means you can restore that computer to its exact previous state on new hardware often within hours. Without an image, you might have to reinstall the OS, then the control software, then reconfigure everything, which could take days especially if you need vendor support. Test these backups too – occasionally perform a test restore on a spare machine to ensure the backups are valid and you know the restoration steps. Knowing that you can recover a system quickly can let you be more decisive in responding to an incident (e.g., you won’t hesitate to disconnect or wipe a system if you know you can restore it from an image cleanly).
• Incident Response Plan and Drills: Develop a clear incident response plan that includes roles and procedures for handling different scenarios like a ransomware outbreak, a malware infection, or a detected network intrusion. The plan should detail immediate steps to contain the issue (isolate affected systems, perhaps shut down certain connections), communication protocols (who needs to be informed – IT, plant managers, executives, possibly external responders), and recovery steps (like using those backups). Once you have a plan, conduct drills or tabletop exercises. For instance, gather your IT team and some production reps and walk through a mock scenario: “What if we come in one morning and half the HMIs have a ransomware message, what do we do first? Who calls whom? Do we halt production or try to keep running manually?” Practicing scenarios will reveal weaknesses in your plan and also train your people to respond more calmly and effectively if something real happens. The faster and more organized the response, the shorter the downtime.
• Continuous Monitoring and Early Detection: Employing good monitoring (as previously described) often means you catch issues early – sometimes before they cause full downtime. For example, detecting a malware infection on an office computer and responding immediately might prevent that malware from reaching the production network at all. Or noticing that a certain machine is behaving oddly might let you address a developing issue before it causes a crash. Early detection is especially key for cyber incidents; the sooner you can contain an attack, the less systems it can impact, which translates to less operational disruption.
• Plan for Manual Operations: Depending on your manufacturing process, consider what can be done manually or via workaround if IT systems go down. This isn’t always possible (you can’t manually run a complex CNC machine), but in some cases you can have a fallback. For example, if your automated scheduling system goes down, do you have a way to continue scheduling jobs on paper or a whiteboard temporarily? If your digital sensors fail, can operators take readings manually (even if slower)? It might also involve inventory – keeping a small buffer stock of critical goods so that if production stops for a day you can still supply customers from inventory. This crosses into business continuity planning more broadly, but it’s important. Having these contingency plans can reduce the immediate pressure if an IT incident occurs, because you know you can keep some level of output or safety while systems are being restored.
• Work with IT Partners for Quick Support: Ensure that you have agreements with any key IT partners or vendors for quick support in emergencies. For example, if you rely on an outside vendor for maintaining a particular control system, have an SLA (service-level agreement) or understanding of how fast they can assist if that system fails. Similarly, if you work with an MSP like Entre, know the after-hours contact procedures so you don’t lose time figuring out how to get help at 3 AM on a Sunday. Speed is essential in incident response, so anything that streamlines getting the right expertise on the problem will cut downtime.