Mitigating Manufacturing Security Risk with Access Control

Ryan Spurr

We’ve all been there. The business has asked you to improve its security posture after a recent cybersecurity incident, or perhaps you’re being asked to comply with controls from ISO 27001, NIST 800-171, or CMMC. You’ve successfully rolled out modern authentication, cloud-based identity and access management, and multifactor authentication to IT-managed assets, which covers roughly 80% of all company computing assets. Then you realize you must solve the same challenges in factories full of production equipment, shared devices, and kiosks, in front of an audience of managers and operators who grimace at the thought of change and slower login processes, and who don’t like the idea of security getting in the way of business.

The OT Authentication Challenge

What worked in the traditional IT domain doesn’t always work in the factory. The equipment is different. There is a frighteningly sizeable heterogeneous domain of devices and machines, including industrial control systems (ICS) with programmable logic controllers (PLC). The list goes on and on. How will your business ever bring secure authentication to this environment?

I like to call this the “last mile.” It’s an ode to the challenge of bringing high-speed Internet to the far reaches of the residential world. It’s not just the equipment but also the kinds of job roles, shared equipment (where people interchangeably log in using credentials plastered to the monitor or keyboard for all to see), and—dare I say it—the reaction from asking factory employees to take an extra 60 seconds to log into a machine that never required a username and password before.

Managers will start barking about how it used to take them zero minutes, and now operators are spending minutes or hours a day logging into computers, adversely impacting factory productivity numbers. You will quickly find yourself in a business change debacle where the simplest of technical changes are drowned out by employees’ frustrations, and the loudest voices always outlast yours.

The Reality

There are actually two truths in this situation. And the solution can be found by understanding each side’s perspective. The first truth is that it is essential to consider the way factories work. Productivity does matter, and adding burdensome login procedures is not always a good fit for frontline workers. The other truth is that we must also mitigate security risks. In the past, this security avoidance behavior might have been accepted. In today’s world—where OT and IT systems are deeply interconnected and the threats against manufacturing have never been higher—security must be a shared risk with practical solutions implemented.

Manufacturing was the most attacked industry globally in 2021 and 2022 [1]. When Connection surveyed IT and OT leaders across manufacturing organizations, 27% cited poor credential management, and 34% reported bypassing security controls due to a lack of awareness or because the controls did not fit their workflow and environmental requirements. This is alarming, but the facts behind actual threat vectors are more frightening than leadership perception: missing end-user authentication or stolen credentials has consistently been one of the top three initial access vectors, accounting for 20% of all successful cybersecurity incidents. Worse are the business outcomes, with 61% of cybersecurity incidents targeting OT [2], and the top two outcomes being extortion and data theft [1].

A Better Path

Imagine finding an access control solution you could consistently apply across OT equipment and de-risk the 20% of likely security incidents in the most heavily targeted and at-risk technology domain. Imagine how this could help you close several standards- or regulatory-based controls, including access control, least privilege, audit and logging, and integrated monitoring. Imagine doing this with something all employees already possess, simple and quick enough that there is little or no reason to complain. Such a solution would help with business change adoption and get the business on a better and more secure path.

Well, there is a better way! By leveraging modern secure badges, it’s possible to improve security access for buildings and factories and help organizations deploy access control to a wide range of OT use cases.

Let’s take a look at some of the most compelling applications to shore up OT access control.

Simple End-user Authentication

One of the most significant value propositions of modern secure access badges is leveraging a physical badge, something you possess, to access any number of physical or technology domains. These devices can securely host multiple certificates, allowing an organization to reuse a badge beyond traditional physical building access for any number of electronic access control use cases.

Why not use traditional access control credentials and passwords? Most industrial workers don’t sit at a desk or perform traditional tasks like knowledge workers who spend their whole day on a computer. It’s rare for a knowledge worker’s computer to time out because they are constantly using it. Frontline workers, on the other hand, may sit, stand, or move from station to station, and typically need to log in and out of devices dozens or hundreds of times throughout a shift.

Reusing your security badge to access traditional computers within the plant (IT- or OT-managed) simplifies the process for access control, and it creates a foundation for access across the OT technical estate.

For example, consider an assembler who uses a computer to view digital work instructions. The assembler is busy assembling products and may not actively interact with keyboards or mice during this time. Each time a terminal times out, it requires the worker to log in, and unlocking the session takes time and diverts them from their core responsibilities. This might sound trivial to IT, but it impacts these individuals, their productivity, and their workflow.

Even if traditional terminals utilize the latest standard devices and operating systems, consider how employees actually work and tailor the authentication process to improve their work outcomes and security posture.

Authentication for Shared Devices and Kiosks

Another widespread use case is shared devices. These come in many flavors: process equipment, test stands, kiosks, and other factory equipment that multiple individuals interact with during a typical shift.

In this scenario, the use case is a bit more complicated because the machine often runs uninterrupted 24/7 under a shared administrative account. Because of this, the shared device credentials may be known to all employees and openly visible on keyboards or monitors. This makes it impossible to validate that a worker is still actively employed, to enforce least privilege, or to audit which employees accessed the equipment and when.

Combining shared device software and secure badges gives OT employees and security the best of both worlds. The administrative account keeps running in the background, while individual employees badge in to use the shared device, so multiple security controls are met and the deployment aligns with your corporate security goals.

Authentication for ICS and PLCs

And then, there are industrial control systems. These devices are the farthest away from the IT domain expertise you can find. That said, more and more of these platforms are being connected to networks, integrated with Industrial IoT platforms for data and automation, and may be at more risk than any other endpoint in the corporation.

These devices are also fit for purpose and tend to lack the spare capacity for security software or access control tools that integrate with identity and access management (IAM). This means anyone with physical access to an HMI or PLC may have access to the industrial equipment it controls. And forget about getting any logging or auditing; it just doesn’t exist.

Now imagine how the same security badge could be integrated with the PLC to provide a level of access control that verifies employee status, ICS permissions, and access level (think standard operator vs. supervisory or administrative), and provides logging and auditing where compliance is required.
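The shared-device and PLC scenarios above both reduce to the same pattern: a background service account keeps the equipment running, while every console action is attributed to a badged person, checked against employment status and access level, and written to an audit trail. The following Python sketch is an added illustration of that broker logic, not code from Connection or any badge vendor; the badge serials, employee directory and access levels are constructed sample data, and a real deployment would validate the badge certificate chain and query IAM instead of the inline dictionary.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample directory: badge certificate serial -> (employee, active employment, access level).
# A production broker would validate the badge certificate and fetch this from IAM.
DIRECTORY = {
    "badge-1001": ("e.smith", True, "operator"),
    "badge-1002": ("j.doe", True, "supervisor"),
    "badge-1003": ("k.lee", False, "operator"),   # separated employee; badge not yet recovered
}
LEVEL_RANK = {"operator": 1, "supervisor": 2, "admin": 3}

@dataclass
class SharedDeviceBroker:
    """Keeps the device's service account running while tying every action to a badged person."""
    idle_timeout: float                         # seconds of inactivity before the user session locks
    session: Optional[dict] = None              # badged user currently attributed to the console
    audit: list = field(default_factory=list)   # (timestamp, event, who, detail)

    def _log(self, now, event, who, detail=""):
        self.audit.append((now, event, who, detail))

    def badge_tap(self, serial, now):
        """Badge tap: confirm active employment, then attribute the console to that person."""
        entry = DIRECTORY.get(serial)
        if entry is None or not entry[1]:
            self._log(now, "DENY", serial, "unknown or inactive badge")
            return False
        user, _, level = entry
        if self.session:                        # previous user is logged out on handover
            self._log(now, "LOGOUT", self.session["user"], "handover")
        self.session = {"user": user, "level": level, "last": now}
        self._log(now, "LOGIN", user, level)
        return True

    def authorize(self, action, required_level, now):
        """Least privilege: the action runs only if the badged user's level is high enough."""
        self.lock_if_idle(now)
        if self.session is None:
            self._log(now, "DENY", "-", f"{action}: no badged user")
            return False
        ok = LEVEL_RANK[self.session["level"]] >= LEVEL_RANK[required_level]
        self._log(now, "ALLOW" if ok else "DENY", self.session["user"], action)
        if ok:
            self.session["last"] = now
        return ok

    def lock_if_idle(self, now):
        """Idle timeout drops the user attribution, not the background service account."""
        if self.session and now - self.session["last"] > self.idle_timeout:
            self._log(now, "LOCK", self.session["user"], "idle timeout")
            self.session = None
```

The audit list is the record a compliance reviewer would want: who badged in, what they were allowed or denied, and when the console locked.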

Let’s Make It Happen

We understand that manufacturers have a diverse range of equipment and roles in their factories, and it’s essential to meet cybersecurity best practices while maintaining a highly productive environment. This calls for solutions that meet the needs of IT, security, and operations.

Our Manufacturing Practice regularly works with manufacturing organizations to help them meet security requirements while ensuring operational excellence, a great workplace, and applying the right fitting technology to enable better outcomes.

Our Manufacturing Practice has a team of experts from the trade and an evolving portfolio of manufacturing solutions, and it assists IT and OT teams by augmenting their existing skill sets with complementary advisory services to help your business accelerate technology adoption where it matters most.

If your business is interested in learning more about our OT security solutions, engage Connection’s Manufacturing Practice to learn more about this technology, available services, and the many use cases that may benefit your organization.

1. IBM, 2023, IBM Security X-Force Threat Intelligence Index 2023
2. IBM, 2023, IBM Security X-Force Threat Intelligence Index 2022

Ryan Spurr is the Director of Manufacturing Strategy at Connection with 20+ years of experience in manufacturing, information technology, and portfolio leadership. He leads the Connection Manufacturing Practice, go-to-market strategy, client engagement, and advisory services focusing on operational technology (OT) and information technology that make manufacturers more digitally excellent.