Manufacturing firms are facing increased threats from cybercriminals targeting weaknesses in supervisory, control, and data acquisition (SCADA) systems. Regulatory bodies recognize the data security challenges that manufacturers face and have initiated various requirements and standards of operations meant to safeguard data. Non-compliant firms risk huge fines or even jail terms for the responsible actors.
To survive in today’s competitive global manufacturing industry, companies need to incorporate various security compliance measures in their operations. Regulatory compliance requirements should be built into a company’s internal control systems.
SCADA networks are comprised of various software and hardware that are used to monitor or control equipment in a manufacturing plant. Through the systems, IT staff can manage devices, control remote and local processes, log data, and conduct other monitoring.
However, most SCADA networks fail in terms of enabling the connectivity required in today’s modern manufacturing plants. Therefore, the systems are prime targets for cybercriminals. The risks posed by the networks can result in huge losses due to compromised production lines.
The federal government is well aware of these security vulnerabilities and has designed the regulatory compliance standards for manufacturers. The requirements outline specific rules that should be followed for national security purposes. The rules allow private players to create items that can be used by the government without having to be federal entities.
Compliance Requirements
Two of the main federal regulatory compliance requirements for manufacturers are Defense Federal Acquisition Regulation Supplement (DFARS) and International Traffic in Arms Regulation (ITAR).
DFARS regulation outlines the security standards that information systems developed for transmitting, processing, or storing contract information by the government should meet. Manufacturers have to comply with the regulation across all spheres of their operations. The compliance guidelines are outlined in the NIST Special Publication SP 800-171.
ITAR combines both commercial and research objectives with national security requirements. The regulation covers both technology and manufactured goods. Manufacturers that design items for commercial purposes but which the military can adopt, such as software and computers, have to abide by this regulation.
Manufacturing Industry Standards Guidelines
Traditionally, manufacturers have been implementing controls outlined in various ISO (International Organization for Standardization) guidelines, including ISO 9001 and ISO/IEC 27001:2013.
The ISO 9001 guidelines outlines the security standards that a quality management system (QMS) should meet. A QMS documents the processes, responsibilities, and procedures of quality objectives.
There are three types of audits that are provided for in ISO 9001. These audits are designed for products, processes, and systems. The ISO 9001 documentation has a lengthy list of both mandatory and optional requirements. Under mandatory requirements, companies need to document the following:
- Preventive action procedures
- Corrective action procedures
- Internal audit procedures
- Records procedures
- Document control procedures
For each of the categories above, additional documents have to be provided to prove compliance.
ISO/IEC 27001:2013
The ISO/IEC 27001:2013 regulation is a flexible risk-based approach that covers information security. The standard comprises of a series of controls in Annex A, which guide manufacturers in designing custom security standards based on their needs.
The extended controls in Annex A allow management to prevent, transfer, or accept risk instead of using controls to mitigate them.
Internal Audit Steps for Manufacturing
Carrying out internal audits can be quite cumbersome. However, the audits are effective “pre-tests” that can show how well a firm is prepared before external audits are carried out. A well-implemented internal audit can highlight security weaknesses in your operations, which you can remediate before an external audit is carried out.
Follow the steps below to carry out an internal audit:
1) Involve primary stakeholder players in the audit
While you may be carrying an internal audit, it is crucial to involve various organization stakeholders in the process. For example, the IT department and SCADA experts will need to work together to create a robust security-first approach to ensure compliance.
2) Document internal control procedures
Regardless of the size of your enterprise, establish and document risk analysis, processes, procedures, and policies. The documentation will guide the organization in implementing compliance regulatory requirements.
3) Monitor the effectiveness of compliance controls
Cyberthreats are continuously evolving and to be safe, organizations need to keep abreast of the latest risk management strategies. Your controls’ effectiveness can weaken when threats are not consistently being monitored.
4) Document the monitoring processes
Proper documentation is crucial to carrying out an effective audit. While you may be consistently monitoring threats, the external auditor may fault your compliance efforts if there is no proper documentation.
5) Create an internal audit communication pipeline
Finally, ensure that there is proper communication during the auditing process. Communication is important for maintaining security and compliance. Come up with a process for reviewing internal audits to ensure all compliance measures are implemented on time. 
Jordan MacAvoy is the Vice President of Marketing at Reciprocity Labs and manages the company’s go to market strategy and execution.