March 2003 Mfg.Trust
Mfg.Trust is a monthly feature of the
NCMS InfraGard Manufacturing Industry Association
Infrastructure assurance for manufacturers
Powered by NCMS.
This month – Preparedness for the Small Manufacturing Enterprise,
Ten suggestions you can act on now
See the Resources Page for
this Story
Editor's Preface:
We hope last month’s feature about preparedness in
your personal environment caused you to consider practical plans for first
aid, fire safety, utility failure, and the like. This month we turn to the
small and mid-sized business view of the same issue.
We selected small manufacturing businesses because they are least likely
to have security professionals already at work on these issues.
Organizations that operate primarily in an international environment,
large manufacturers who are nationally symbolic, or those operating in
the defense sector have specialized help and have already selected security
measures to protect their employees, their interests and their
environments. This article is for the rest of us. We can learn from their
expertise.
Gartner Inc. said (see resource page) in two survey reports that security
is the top IT priority for the manufacturing industry in 2003, but one-third
of the 250 businesses it surveyed recently face the loss of critical data
or operating capability in the wake of a "severe calamity."
Emergency preparedness is well understood – not so well practiced. Simple
proactive measures now improve our reactions when necessary. There are
excellent web resources available on emergency preparedness. We sifted
through many and offer our opinion of the best in this month’s
resources page.
Editor
Preparedness for the Small Manufacturing Enterprise
As we mentioned last month in a personal context, there are three
factors that should influence your preparedness planning:
- Incidents that occur frequently
- Incidents where prompt response is important
- Outcomes that you can influence
Businesses must also manage the cost of preventing disruptions to
operations. This feature will focus on low-cost or no-cost things you can
do now to produce a better outcome to an unforeseen situation where prompt
response is important. No rocket science here - just an ounce of
prevention through planning and sound execution.
Planning and a Clear Chain of Command
In a military context, the value of a chain of command concept is
self-evident. However, in a commercial context it is quite possible that
the boss may be far away on travel when an emergency demands prompt
action. You’ll want to find an affordable approximation of the military
goal of smooth, person-independent functioning in your contingency
planning. Significant security vulnerabilities accompany crises. In fact,
a crisis may be used to create a security vulnerability. Plan through this
in advance. You’ll need some practice to ensure that everyone understands
their emergency response roles. Suggestions:
#1 Develop a business continuity plan (see July-August
2002 Mfg.Trust Special Feature)
#2 Nail down an integrated security plan and exercise it. (June
2002 Mfg. Trust)
#3 Appoint and train emergency response teams (see OSHA, resources page),
including a cyber incident response team.
Know Where Your People Are.
Be able to communicate with them, even when things go wrong.
This may require a little leadership. You may need to reach your
employees / contractors / associates at any time to ask them to come in,
or stay away, or provide important information. This includes
“non-critical” employees. This includes employees on travel. You should
not rely on one system (e.g., mobile phones) as your only means of contact
with an employee. You may use existing tools better to accomplish much of
this without spending a cent. Suggestions:
#4 Right now is the time to update employee records (see note below). You
may wish to record employee mobile phone as well as home phone numbers. If
consistent with your privacy policies, you may ask employees for home
email address and spouse work phone numbers. These privileged data will be
held by (hopefully) more than one HR person. Managers may have contact
data for critical personnel, but it is difficult to anticipate all
circumstances. You need more than one way to reach those (hopefully more
than one) HR persons – 24x7 – to communicate to all your employees.
Privacy norms and sensitivities vary widely. Devise a plan appropriate to
your organization.
Note: The above is written with American norms in mind. In some other
countries it is not normal for employers to have employee home address
data.
#5 People who travel on business must be required to leave explicit records
of where they will be, including flight details, hotels, business
contacts, and for some, vacation destinations. Your corporate calendar
(Outlook, Lotus Notes, a white board, whatever) can fulfill this function
at no additional cost. Insist that employees post travel contact
information on their calendars. You will want to make employee calendars
visible to supervisors and admin support staff, or visible to all
employees, depending on your norms.
#6 You and your employees may need to assess the necessity of some travel
in view of world events. Communicating expectations in advance with
travelers provides an opportunity to avoid misjudgments and
miscalculations. When the time comes, you will likely have lots of input
from the government and transportation industries on the merits of
specific travel instances under different threat situations. In the event
of real hostilities, expect travel to screech to a near halt. (You’ll want
to review data conferencing options before the rush starts.)
Patch Your IT Systems
Someone keeps up with the free patches that fix flaws in your computer
systems, right? Businesses have been absolutely inundated with pleas to
keep up with this effort, whether in operating systems, anti-virus
programs, or network equipment. Failure to do so can make your company the
deserved victim of some old virus from a malcontent. Please find someone
to pay attention here. IT-related incidents occur frequently. Prompt
response is important. You can control the outcome.
Beyond the basics above, NCMS has formulated a model and framework as an
alternative approach to quantifying reasonable expectations for
information assurance costs, one that accounts for the additional risks of
increasing collaboration in supply chain and e-Manufacturing strategies
(see Mfg.Trust December 2002). If you are extensively networked with your
trading partners, these concerns are important.
Suggestions (see resources page):
#7 Patch IT systems. Develop an e-mail policy.
#8 Understand the risks of instant messaging being used by the employees
in your company, perhaps without knowledge of the IT staff (see
resources page).
#9 Examine the cost of information assurance in your supply chain.
Manufacturing Process Control and SCADA Systems
NCMS/NIST workshops (see July 2002 Mfg. Trust) have pointed out the
severe threat posed to manufacturers by sabotage of factory control and
SCADA systems. These systems were never designed with security in mind,
and they are connected to the Internet. Depending on your industry, this
may be a major issue specifically related to terrorism (e.g., food
products), or an ever-present concern (e.g., durable goods manufacture).
#10 Examine manufacturing process control from a security point of view.
Conclusions
The source of your unexpected business interruption may be directly
related to international hostilities, or just some copycat, wannabe
mischief maker. For planning purposes it usually does not make any
difference. Your response is the same – avoid expensive interruption to
operations. Just get ready. Do it now.