How to uncover blind spots in manufacturing’s IAM strategies

Southeast Asia has quickly risen through the ranks to become one of the top manufacturing capitals of the world. Driven in part by rising labour costs and supply chain woes, international businesses are more motivated than ever to diversify their manufacturing.

In fact, since 2015, annual manufacturing exports from Southeast Asia have been outpacing the global average by at least two percentage points each year. While the growth has been led largely by labour-intensive assembly work, Industry 4.0 initiatives will likely spur the region’s higher-value exports in the future.

With that said, even great empires fall. Well-built, properly designed things fail. Reliable, well-manufactured products break. The numbers in Southeast Asia might look rosy for now, but change is the only constant. It’s important to recognise this reality to ensure we can mitigate catastrophes even before they happen – and the same applies to Identity and Access Management (IAM) programmes in manufacturing.

IAM is a hallmark of operational technology (OT) security that manufacturers in Asia rely on to protect their production processes. It is a framework of security and data management that controls who can access systems and what different users can do once inside. It’s vital for manufacturing outfits with complicated networks to have such deterrence in place – but is IAM the be-all and end-all of OT security? What if it, too, fails?

Fortifying your defences

Research indicates that manufacturing is the second highest targeted industry for cybercrime across Asia-Pacific. Considering that cybercrimes are on a meteoric rise, manufacturers need to implement strong credentialing so that they actually plan for failure and minimise its risk.

If the network firewalls fail to protect company resources, manufacturers typically leverage passwords as the next line of defence to prevent intruders from gaining deeper access to systems.

Within the common controls used in IAM, manufacturers are leveraging this tactic at a deeper level. They expect a simple, dictionary-based password to fail, so they now enforce complexity requirements, such as adding numbers and special characters to passwords. However, they are also planning for the secrecy of these passwords to fail so that risk is further mitigated, leveraging tools and features like password management, two-factor authentication, and password-less access. This final layer usually requires a separate device, email, or app for verification.

While these IAM programmes are implemented often, there is no absolute guarantee that they will not fail. When it comes to network access, practitioners within the IAM space need to ensure they’re planning to fail; otherwise, they’re failing to plan.

Planning to fail

In manufacturing – especially as IT and OT security systems converge – failure in IAM could lead to grave consequences. This goes far beyond the inability to log in to systems. If left unchecked, it could pose a risk to system availability, and subsequently, the operational metrics of a manufacturing operation. Worse, it could even put the livelihoods of people at risk.

Rather than planning to ‘not fail’ in any aspect of an IAM programme, we should be planning to fail – and there are several considerations and approaches to do just that.

First, start with failure detection and identify if the organisation has the ability to detect IAM bypasses or failures before the consequences become dire. Build resilience into your industrial control systems so that, if parts of the system fail, the rest can go on and business continuity is maintained.

Another key consideration is how an organisation’s cloud security posture would impact operations. Additional systems must be in place to monitor for misconfigurations and for failures such as stolen credentials and firewall bypasses. A good rule of thumb is to adopt a zero-trust model: Never Trust, Always Verify.

If these considerations have not crossed your mind, you’re not truly planning to fail, and the penalties could be prohibitively expensive.

Security as a competitive advantage

As Asia-Pacific’s manufacturing industry rebounds and evolves following the upheaval of the pandemic, it is vital for manufacturers to embrace consequence-reduction tactics as part of a greater cyber-resiliency strategy. Doing so will bolster confidence and reduce risk across the industry, as well as the economy.