The team discovered, documented, and prioritized cybersecurity risks. Based on its prioritization model, West Monroe then helped the company remediate high-risk vulnerabilities in 2,500+ PCs over a 10-week period.
Manufacturing facilities unprepared for cybersecurity threats
Today’s manufacturing networks are increasingly connected and integrated with real-time inventory and analytics platforms to provide centralized insights into revenue and efficiency. Like many digital evolutions, the technology demands have outgrown management and governance frameworks that support them. Many manufacturing facilities run on small deployments of personal computers (PCs) rather than a specialized operational technology (OT) environment where threats, management, and security concerns are considerably different than those facing the IT side of the organization.
With this evolution, manufacturing organizations, like this client, face growing cybersecurity threats, such as ransomware and other business-disrupting attacks, that can halt production or have safety impacts on the manufacturing facility floor. These attacks are often not targeted at industrial control systems, such as those in a manufacturing environment, but are instead random infections. Nonetheless, organizations with manufacturing environments need to gain a better understanding of the OT systems in their environment, determine how to achieve cybersecurity maturity without negatively impacting production, and work toward securing that environment, just as the IT side of the organization has done.
With more than 2,500 PCs across 30+ sites, this client needed a coordinated effort and program management office (PMO) to identify risks and remediate them in a short timeframe. In addition, it needed the buy-in of two entirely different stakeholders: manufacturing-level personnel, who must accept the value of the work they would be asked to perform instead of their normal day-to-day jobs; and the board of directors, which must approve the business case for cybersecurity investment within the manufacturing environment.
Focused assessment and plan enabled rapid remediation of high risks
For assistance, the client turned to West Monroe, which provided a team with manufacturing, IT, and cybersecurity expertise. To accelerate discovery, the West Monroe team created a strategy for defining common risk areas across the lines of business. Because manufacturing environments often don’t have a reliable and consistent inventory of IT-related equipment in their facilities (e.g., workstations, servers, network switches), sizing the effort required to remediate risks meant addressing inventory and discovery items prior to beginning any remediation activity.
Based on initial assessments, the team was confident that many of the risks identified existed at other sites, allowing it to help the client transition to remediation activities sooner. The assessments highlighted the types and frequencies of observed risks.
The team then developed a scoring system to rank the risks and prioritize areas of focus for remediation. The scoring system included a few different lenses of risk, such as likelihood, scope, and impact—all of which produced a weighted score for grouping risks into high, medium, and low categories.
The client’s board of directors asked the organization to focus on three top risks that could be remediated quickly:
- Systems that bridged the manufacturing network and the corporate network
- Unsupported remote access software solutions used by vendors and employees
- Endpoint protection system
As in many manufacturing environments, many of the client’s systems were vendor-owned or had not been tested with an endpoint protection solution. As a result, West Monroe planned for challenges and alternative approaches during remediation.
Remediation was an “all-hands-on-deck” situation, with a deadline of just 10 weeks. Two efforts ran in parallel. Site technicians and engineers distributed across all sites updated inventories to focus efforts on where these three risks were present. At the same time, three solution teams—one for each risk—developed approved solutions and associated remediation instructions.
West Monroe led the PMO and provided technical oversight, coordinating efforts of more than 130 people across all sites and in 4 time zones. This effort remediated 2,500+ endpoints, a significant percentage of the total, within 10 weeks. Some systems required additional remediation time due to limits on their ability to take planned downtime, system age (e.g., outdated operating systems), and sensitivity to the performance impacts of the high-speed manufacturing processes that they support.
Immediate risk reduction; momentum for sustaining a strong security posture
With remediation of the initial risk items complete, the client achieved its immediate risk-reduction goals. Additionally, the rapid remediation process increased awareness of cybersecurity risks and served as a catalyst for engaging key resources and forming a team focused on addressing additional risks and sustaining completed work.
The organization’s focus has now shifted to broad and longer-term security remediation, including implementing the key systems and processes to support ongoing cybersecurity hygiene as well as the governance and organizational change to sustain the improved posture and react to the evolving threat landscape.
The initiative was a catalyst for shifting the culture and mindset of the business toward thinking proactively about security and becoming a secure operation. Consumer and industrial product organizations typically have physical safety as a key element of their culture and norms. Positioning cybersecurity as a similar cultural tenet helped the client think about how they drive training, communications, process compliance/reporting, and other norms that should include cybersecurity principles. This proactive mindset sets the organization up for risk reduction, improved resiliency, and therefore higher reliability of production facilities.