Podcast: Keeping industrial cybersecurity simple with up-to-date password practices

Joe Anderson is senior cybersecurity analyst at TechSolve. In his current position, Joe helps small manufacturers identify security risks, provides remediation guidance, and helps the companies meet compliance objectives. Joe is an IT and info security professional with over 25 years of industry experience, and he holds an array of cybersecurity certifications, including PNPT, CISSP, CMMC-RP, and more. Joe recently spoke with Smart Industry managing editor Scott Achelpohl about how robust cyber defenses can start with up-to-date password practices and policies.

Below is an excerpt from the podcast:

SI: For manufacturers on the shop floor, cybersecurity and secure OT and IT require constant vigilance. One of the most common-sense strategies for this is password security. And for lots of companies, to put in mandatory policies relating to passwords often becomes necessary. Look at examples like Clorox. A breach, any breach, can cost millions in ransom to cyberattackers and in production downtime, and it is passwords that are often hacked. Better password practices often are part of a larger zero-trust approach against cyber threats. According to several studies, manufacturers are at the top when it comes to attacks. Nearly half of them experienced a data breach within the last two years, according to one researcher. And what's one of the top defenses against breaches? Better and stronger passwords on machines that hold or have access to company data.

Another note, a Georgia Tech University cybersecurity study last year shockingly found that more than half of all websites they've examined accepted passwords with six characters or less, with 75% failing to require the recommended eight-character minimum. You simply can't let your systems, internal supplier, or public facing be this easy to breach, and better password policies are among the easiest to implement company wide. And I should mention that not only is it Manufacturing Month, but October also is National Cybersecurity Awareness Month. So make sure your company is aware and is or has raised its shield, so to speak, to borrow a line from Star Trek, in this regard. But our expert here is Joe. So let's see if he wants to weigh in with his two cents before I ask him some specific questions.

JA: I'm glad that we have a month dedicated to information security because we, as a society, need everyone to understand that this is a team sport. Everyone plays a part, and we need to have a general security awareness for the risks and the challenges that we face. You cannot turn on the news or read an article without seeing this site was hacked, that company brought down, or sensitive records were released to the public. We definitely have our work cut out for us, that's for sure.

SI: Now I've got some questions for you about our topic today of password practices and policies. I'll try to be gentle; I promise. Here's the first question. Joe, tell us about the current threat landscape and how password policies of protection matter more than ever. Is it mostly a matter that there are more devices than ever and therefore more risk?

JA: First off, I appreciate you saying that I'm an expert, but it's really difficult to be an expert in this field, as you can imagine. There's so much to learn, lots I know, lots I don't know, and I'm not sure if we can truly master all of the things that we need. I will say that I've had some great opportunities to help others and that I'm a lifelong learner, so that helps.

To answer your questions, I would say yes, to an extent, but there's more to it than that. A bit more about the current threat landscape first. As you know, our modern world relies on this interconnectivity and exchanging of information. If we could just unplug our systems from all the networks, then there would be less risk overall. But we would also not be able to function. There's something like 50 to 100 vulnerabilities discovered every day in the systems that we rely on. Security researchers work hard to find these vulnerabilities and responsibly disclose them to all of the different vendors so that they can be patched. This is a challenging task for all involved, especially for IT personnel who have to apply the patches while minimizing downtime or causing some unintended issue resulting from an improper patch, let's say. We often say that our job has to be performed without making a mistake because all it takes is for our adversary to find that one mistake that we made, which completely upends everything we were trying to prevent.

As far as passwords are concerned, this is an area where the general user base has an active participation within. They have an aspect of organizational security where they often get to select the passwords they want to use. Their credentials are used to obtain access to the various systems, the services, and data to do their jobs. In some cases, this access is available remotely. Unfortunately, opportunities to obtain unauthorized access is available to the bad folks as well. What we're trying to do is to protect user accounts from an unauthorized access. As more companies had to pivot more towards remote work during the pandemic, remote access was critical. Now more than ever, companies are migrating more things to the cloud and access is available in that way. All of this drastically increases the risk level.

SI: With any company password policy, what do you tell employees? What's the forward-facing dialogue a company CIO or a chief information security officer must have with staff?

JA: In some cases, it's simple. If there's some compliance requirement that forces them to do it, then that is the motivation to implement a proper policy. Compliance requirements may come from cyber insurance carriers, or it may come as a requirement from a strategic partnership. We're seeing more small- to mid-size manufacturers come to us saying we are a supplier to another large company, and they're requiring us to improve our security because we have access to their systems or data. If that is not the case, then I have to break down the risk, explaining to them that people are not great at picking strong passwords or unique passwords, for that matter. All it takes is for one set of credentials to leak out and that may provide access to a system and all of the sensitive information that may be contained within it. One of the biggest ones is access to e-mail accounts. The wealth of information contained within it is staggering.

About the Podcast
Great Question: A Manufacturing Podcast offers news and information for the people who make, store and move things and those who manage and maintain the facilities where that work gets done. Manufacturers from chemical producers to automakers to machine shops can listen for critical insights into the technologies, economic conditions and best practices that can influence how to best run facilities to reach operational excellence.