Why some SMART devices won’t be observing World Password Day
May 9, 2018
Recently, I’ve had the privilege of meeting with a number of people who work in the aerospace industry. Since the occurrence of a high-profile security breach at Lockheed-Martin in 2011, I had assumed that security practices among manufacturers, suppliers and customers in the industry must have seen some improvements over the years. The incident apparently involved the compromise of technology from a supplier to Lockheed-Martin. The obviously high potential costs – and even public safety risks – highlighted by this incident should have prompted key stakeholders to tighten security policies.
Some disturbing indicators
In conversations I’ve had recently with people in the aerospace industry, it seems that partners often do not have sufficient security protocols or safeguards for communications between manufacturers, service companies and customers. Online systems are used regularly between partners, to report statuses and process orders. But while they often have good physical security practices, there is still less emphasis on cybersecurity controls for personnel accessing those online systems.
I doubt that there is much of a difference when it comes to partner communications in other industries. Aerospace happens to have a lot of partner organizations that interact with each other. But I would bet that the situation is similar in any situation where a business has external partners accessing information systems that integrate into their workflows.
This should be cause for real concern. If an attacker were motivated to target any organization in the supply chain, it may be hard to prevent or limit damage such as sabotage, extortion or even fraud. Such attacks may even weaken the integrity of production systems – which could be life-threatening in the case of aerospace, medical, transportation, and even utilities.
Managers of major “downstream” or customer organizations should recognize that their supply chain’s online connections could have vulnerabilities that expose their business systems to significant risks, as can be seen from past industry incidents. Adoption of standards and risk assessments, appropriate training and enforcement of strict security requirements for supplier interactions are key to addressing these vulnerabilities.
Employees should identify any systems they rely upon that are also used by suppliers and that may not have sufficient security controls to limit the risk of hacking or abuse by external entities. Sometimes management can forget about external threats, and it is helpful if employees are able to point them out.
There are emerging standards and training programs that are designed for small businesses to help them align with large partners’ or customers’ security policies. These can be implemented at a reasonable cost, and can reduce risk, as well as demonstrate due diligence.
Please let us know if you think your organization would benefit from learning about cybersecurity standards and training for business systems that are exposed to partner interactions.