A zero-trust roadmap for cybersecurity in manufacturing — from a 98-year-old company
Manufacturers are the most popular corporate targets for ransomware attacks and identity and data theft. With customer orders and deliveries hanging in the balance, they can only afford to have their product lines down for a short time. So attackers know that if they can disrupt manufacturing operations, they can force a high ransom payout.
Pella Corporation’s approach to zero trust provides a pragmatic, helpful roadmap for manufacturers looking to modernize their cybersecurity. Pella is a leading window and door manufacturer for residential and commercial customers, and has been in business since 1925.
VentureBeat recently had the opportunity to interview John Baldwin, senior manager, cybersecurity and GRC at Pella Corporation. He described Pella’s progress toward a zero-trust mindset, starting with improving security for 5,200 endpoints and 800 servers corporate-wide, and fine-tuning its governance framework. Pella uses CrowdStrike Falcon Complete managed detection and response (MDR) and Falcon Identity Threat Protection for endpoint security to reduce the risk of identity-based attacks. The systems are protecting 10,000 employees, 18 manufacturing locations and numerous showrooms.
Baldwin told VentureBeat that the company’s approach to zero trust is “a mindset, and a bunch of overlapping controls. CrowdStrike is not going to be the only player in my zero-trust deployment, but they will be a key part of that of course. Endpoint visibility and protection, you’ve got to start there. And then building the governance framework to the next layer, baking that into identity, making sure that all of your agile DevOps are becoming agile DevSecOps.”
Manufacturing lives and dies on availability
Manufacturers are prime targets for attackers because their businesses are the most time-sensitive — and because their IT infrastructures are the least secure. Baldwin told VentureBeat that “like most just-in-time manufacturers, we’re quite sensitive to disruptions. So that’s been an area of particular focus for us. We want to ensure that as orders are flowing in, the product is flowing out as rapidly as we can so we can satisfy customer demands. That’s been a challenge. We’ve seen a lot of other organizations in our industry and throughout the Midwest … just trying to get through the day being targeted because, as just-in-time manufacturers or service providers, they are very sensitive to things like a ransomware attack.”
IBM’s X-Force Threat Intelligence Index 2023 found that manufacturing continues to be the most-attacked industry, and by a slightly larger margin than in 2021. The report found that in 2022, backdoors were deployed in 28% of incidents, beating out ransomware, which appeared in 23% of incidents remediated by X-Force. Data extortion was the leading impact on manufacturing organizations in 32% of cases. Data theft was the second-most common at 19% of incidents, followed by data leaks at 16%.
Pella’s Baldwin told VentureBeat that the threat landscape for manufacturing has shifted from opportunistic ransomware attacks to attacks from organized criminals. “It is not a matter of if they come, but when, and what we can do about it,” he said. “Otherwise, we could suffer a systems outage for several days, which would disrupt production and be very costly, not to mention the delays impacting our customers and business partners.
Manufacturers’ systems are down an average of five days after a cyberattack. Half of these companies reported that they respond to outages within three days; only 15% said they respond in a day or less.
“Manufacturing lives and dies based on availability,” Tom Sego, CEO of BlastWave, told VentureBeat in a recent interview. “IT revolves on a three- to five-year technology refresh cycle. OT is more like 30 years. Most HMI (human-machine interface) and other systems are running versions of Windows or SCADA systems that are no longer supported, can’t be patched, and are perfect beachheads for hackers to cripple a manufacturing operation.”
Pella’s pragmatic view of zero trust
The lessons learned from planning and implementing a zero-trust framework anchored in solid governance form the foundation of Pella’s ongoing accomplishments. The company is showing how zero trust can provide the needed guardrails for keeping IT, cybersecurity and governance, risk, and compliance (GRC) in sync. Most importantly, Pella is protecting every identity and threat surface using zero-trust-based automated workflows that free up their many teams’ valuable time. “How I envision zero trust is, it works, and nobody has to spend a lot of time validating it because it’s automatic,” Baldwin told VentureBeat.
“The main attraction of a zero-trust approach, from my perspective, is if I can standardize, then I can automate. If I can automate, then I can make things more efficient, potentially less expensive, and above all, much, much easier to audit.
“Previously,” he went on, “we had a lot of manual processes, and the results were okay, but we spent a lot of time validating. That’s not really that valuable in the grand scheme of things. [Now] I can have my team and other technical resources focused on projects, not just on making sure things are working correctly. I assume that most people are like me in that sense. That’s much more rewarding.”
Doubling down on identity and access management (IAM) first
Baldwin told VentureBeat that “identity permeates a zero-trust infrastructure and zero-trust operations because I need to know who’s doing what. ‘Is that behavior normal?’ So, visibility with identity is key.”
The next thing that needs to get done, he said, is getting privileged account access credentials and accounts secure. “Privileged account management is a part of that, but identity is probably even higher in the hierarchy, so to speak. Locking down identity and having that visibility, particularly with the Preempt product [now Identity Protection Service], that’s been one of our biggest wins. If you don’t have a good understanding of who is in your environment, then [problems become] much harder to diagnose.
“Merging those two together [securing accounts and gaining visibility] is a game changer,” he concluded.
Going all-in, early, on least-privilege access
“Pella has long enforced a, we’ll call it, least privileges approach. That allowed us to isolate areas that had accumulated some additional privileges and were causing more issues. We started dialing back those privileges, and you know what? The problems also went away. So, that’s been very helpful,” Baldwin said. “Another thing that I’ve been very pleased with is, it gives us a better idea of where devices drop off our domain.”
Establishing endpoint visibility and control early in any zero-trust roadmap is table stakes for building a solid foundation that can support advanced techniques, including network and identity microsegmentation. Pella realized how important it was to get this right and decided to delegate it to a managed 24/7 security operations center run by CrowkdStrke and its Falcon Complete Service.
“We’ve been extremely satisfied with that. Then I was one of the early adopters of the Identity Protection Service. It was still called Preempt when we purchased it from CrowdStrike. That has been fantastic for having that visibility and understanding of what is normal behavior based on identity. If a user is logging into these same three devices on a routine basis, that’s fine, but if the user suddenly starts trying to log into an active directory domain controller, I’d like to know about that and maybe stop it.”
Know what zero-trust success looks like
Pella’s approach to zero trust centers on practical insights it can use to anticipate and shut down any type of attack before it starts. Of the many manufacturers VentureBeat has spoken with about zero trust, nearly all say that they need help keeping up with their proliferating number of endpoints and identities as their manufacturing operations shift to support more reshoring and nearshoring nearshoring. They’ve also told VentureBeat that perimeter-based cybersecurity systems have proven too inflexible to keep up.
Pella is overcoming those challenges by taking an identity-first approach to zero trust. The company has decreased stale and over-privileged accounts by 75%, significantly reducing the corporate attack surface. It has also reduced its incident resolution from days to 30 minutes and alleviated the need to hire six full-time employees to run a 24/7 security operations center (SOC) now that CrowdStrike is managing that for them.
Pella’s advice: Think of zero trust as TSA PreCheck for identity-based access
Baldwin says his favorite approach to explaining zero trust is to use an allegory. His favorite is as follows: “So when people ask me, what do you mean by zero trust? I say, ‘You’ve experienced zero trust every time you enter a commercial airport.’ You have to have identity information provided upfront. They have to understand why you’re there, what flight you’re taking … Don’t bring these things to the airport, three-ounce bottles, whatever, all the TSA rules. Then you go through a standard security screening. Then you … behave expectedly. And if you misbehave, they’ll intervene.”
He continued, “So when people go, ‘Oh, that’s what zero trust is,’ I’m thinking, yeah, I’m trying to build that airport experience, perhaps with better ambiance and a better user experience. But in the end, if you can follow all of those rules, you should have no problem getting from development to test to QA to deployed to production and have people use it. If you are a, we’ll say, security practitioner, good in your field, maybe you can sign up for that TSA PreCheck, and you can have a speed pass.”
Pella’s vision of zero trust is providing PreCheck for every system user globally, not slowing down production but providing identity-based security at the scale and speed needed to keep manufacturing and fulfilling customer orders.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.