You’ve made sure your maintenance technicians know all about safety standards and best practices, but when it comes to implementing and employing information systems safely, is your team as prepared as it should be? The last few years have seen a rapid rise in both the number and severity of cyberattacks, including the use of ransomware, with an estimated 38% increase in global attacks just last year. And according to the Federal Bureau of Investigation, 649 of those security breaches were at critical infrastructure networks.
There’s more than one reason for the rise, including rapid shifts to online education and remote work due to the pandemic as well as the widespread distribution of “user-friendly” ransomware, so there needs to be a multi-faceted response, with expertise and resources coordinated between government and private organizations.
For your maintenance team, putting in place the right policies and educating technicians on the part they can play in defending against cyberattacks are critical steps in improving overall organizational cybersecurity.
Defining cybersecurity for maintenance and repairs
It’s an imperfect metaphor, but you can think of your facility and maintenance enterprise asset management (EAM) solution as a high-tech nail gun. Compared to a simple hammer, it’s more efficient, allowing you to get more done more quickly. It’s just that when you upgrade from a hammer to a nail gun, you also have to implement a new set of safety standards, keeping an eye out for a different set of possible problems.
When you make the switch from old-fashioned paper-and-pen or even spreadsheet-based maintenance management to a modern cloud-based solution, it’s the same idea. You enjoy many benefits, but you do have to think about some aspects of security in new ways.
And those ways are related to maintaining maintenance and repair data confidentiality, integrity, and accessibility.
Understanding the three pillars of information security: Confidentiality, Integrity, and Accessibility (CIA)
At the foundation of cybersecurity is the CIA triad, the three key elements you need to focus on when setting up a system. Again, it’s an imperfect metaphor, but you can think of the triad as a stool with three legs. If any one of the legs gets broken, the stool falls over, regardless of the condition of the remaining two sides. You need all three legs for that stool to be safe to sit on.
The “CIA” in CIA triad does not stand for Central Intelligence Agency; it stands for confidentiality, integrity, and accessibility. Still, the fact that in spy novels and action movies the Central Intelligence Agency spends so much time tracking down hackers makes the acronym easier to remember when it comes to your own cybersecurity.
On the most basic level, confidentiality is about making sure only authorized people have access. For a facility or maintenance manager, even though there are no cool-sounding designations like “double top secret” or “for your eyes only,” the basic premise is the same. You only want the right people to see your data.
And just like in the movies, it’s not simply yes or no, in or out. There are levels, and you need to make sure people have a level of access that matches their role in the organization. So, a junior tech might only be able to see their current assigned work orders, while a more senior tech could see all the work orders assigned to their specific team. The maintenance manager can see everything, including assignments, inventory levels, and KPIs.
You can easily understand the importance of confidentiality when thinking about access to corporate secrets, proprietary formulas, processes, equipment, and SCADA.
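The tiered access described above (junior tech sees only their own current work orders, senior tech sees the team’s, manager sees everything) is what an EAM platform enforces behind the scenes. The following is an added example of how such a role-based visibility filter can be written; it is not code from the original article or from any EAM product, and the role names, record fields, and sample work orders are all constructed for the demonstration. Note the default-deny behaviour: a user with an unrecognised role sees nothing rather than everything.

```python
"""Role-based visibility for EAM work orders (constructed example)."""
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class User:
    name: str
    role: str   # constructed role names: "junior_tech", "senior_tech", "manager"
    team: str


@dataclass(frozen=True)
class WorkOrder:
    wo_id: str
    assigned_to: str
    team: str
    status: str  # "open" or "closed"


# Constructed sample data: technicians across two teams.
WORK_ORDERS = [
    WorkOrder("WO-001", "alice", "hvac", "open"),
    WorkOrder("WO-002", "bob", "hvac", "open"),
    WorkOrder("WO-003", "carol", "electrical", "closed"),
    WorkOrder("WO-004", "alice", "hvac", "closed"),
]


def visible_work_orders(user: User, orders: Sequence[WorkOrder] = WORK_ORDERS) -> list:
    """Return only the work orders this user is permitted to see.

    junior_tech: current (open) work orders assigned to them
    senior_tech: every work order on their team
    manager:     everything
    anything else: nothing (default deny)
    """
    if user.role == "junior_tech":
        return [wo for wo in orders
                if wo.assigned_to == user.name and wo.status == "open"]
    if user.role == "senior_tech":
        return [wo for wo in orders if wo.team == user.team]
    if user.role == "manager":
        return list(orders)
    return []


def can_view(user: User, wo_id: str, orders: Sequence[WorkOrder] = WORK_ORDERS) -> bool:
    """Per-record authorization check, run before a single record is returned."""
    return any(wo.wo_id == wo_id for wo in visible_work_orders(user, orders))


if __name__ == "__main__":
    for u in (User("alice", "junior_tech", "hvac"),
              User("bob", "senior_tech", "hvac"),
              User("dana", "manager", "hvac"),
              User("eve", "contractor", "hvac")):
        print(u.name, u.role, [wo.wo_id for wo in visible_work_orders(u)])
```

The point of `can_view` is that the same filter is applied when a single record is requested by id, not only when listing; otherwise a junior tech who guesses a work order number could read a record the list view would never have shown them.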
Can you trust your data? If not, your system lacks integrity.
For any cybersecurity system to deliver value to an organization, you need to be able to trust that the data is both accurate and reliable. So, you need policies and tech in place to ensure that the wrong people can’t get in to alter your data, either accidentally or maliciously. But it’s not just that you want to prevent the wrong people from going in and making changes. You also want to make sure the platform itself can keep your data accurate and reliable.
For facility and maintenance managers making the jump from paper-and-pen or spreadsheets to a modern EAM solution, a big part of the motivation is getting data they can trust. Instead of having all your data spread out over random slips of paper and disconnected spreadsheet files that mostly live as email attachments, with an EAM solution, you get everything in one central spot, where it’s easy to keep it all up to date in real time.
But if your new digital system can’t deliver on data integrity, there was no point in setting up the system in the first place.
In the end, even the best data has no real value if you can’t get it when you need it. You might have everything worked out in the perfect preventive maintenance program, but if you can’t access it, there’s no way for you to know what you need to do and when you need to do it.
Here’s one more imperfect metaphor. Think of data as money. It’s great having it at the bank because then you know it’s safe. But what if once it was inside the vault, you could never get it back out? All the benefits of its being safe suddenly disappear. Once you can’t get it, from your point of view, it’s as good as gone.
Protecting the maintenance department from cyberattacks
In practice, a lot of cybersecurity is going to be in the background for your maintenance techs. They’re not in cybersecurity jobs and they’re not likely following cybersecurity news.
The good news, though, is they don’t have to be. Instead, they mostly just need to focus on using good passwords.
Enforce strong passwords
Your IT department might have its own take on current best practices for generating passwords because even among experts, there are differences of opinion. And to make matters more fun, those differences change over time.
For example, back in August of 2011, xkcd, “a webcomic of romance, sarcasm, math, and language,” published the still famous Password Strength, which made fun of some of the then-current best practices that encouraged people to use passwords that were hard for them to remember but easy for computers to guess. Instead, the recommendation was to use a combination of any four common words.
Whether that’s good advice or not, all these years later, is, for some people, still up for debate.
Google now suggests creating passwords that include a:
- Song lyric
- Movie quote
- Book passage
- Group of meaningful words
You can also take a phrase and make an abbreviation. For example, the first line of Lynyrd Skynyrd’s “Simple Man,” “Mama told me when I was young,” becomes “mtmwiwy.”
Microsoft has a different set of requirements for strong passwords, including using at least 12 characters and a combination of uppercase letters, lowercase letters, numbers, and symbols. They warn against using any word that can be found in a dictionary or the name of a person, character, product, or organization.
The one thing almost everyone agrees on is making sure you don’t recycle passwords. For every platform, you need a unique password that is significantly different from the ones you have used before. That means not adding “123!” to the end of your favorite password to make a new one.
If someone somehow gets one of your passwords, you want them limited to being able to open only one of your accounts. It would be the same with keys. It’s convenient to have one key that works on all your locks, but it does mean that when someone gets your key, they now have access to everything. If every lock requires a different key, losing any one key creates a much smaller security hole.
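The rules above (at least 12 characters, all four character classes, no dictionary word or name, and no “old password plus 123!” variants) are the kind of thing a platform should check at the moment a password is set. The block below is an added example of such a checker, not code from the original article, Microsoft, or any EAM vendor. The word list and forbidden names are tiny constructed sets; a real deployment would load a full dictionary and a list of known-breached passwords instead.

```python
"""Password policy checker (constructed example)."""
import re
import string
from typing import Sequence

MIN_LENGTH = 12
# Constructed toy dictionary; a real check loads a large word list.
DICTIONARY = {"password", "maintenance", "welcome", "summer", "facility"}
# Constructed names of people, products and organisations the policy forbids.
FORBIDDEN_NAMES = {"acme", "skynyrd", "windows"}


def _core(pw: str) -> str:
    """Lowercase and strip trailing digits/symbols, so 'Summer2023!' -> 'summer'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_trivial_variant(candidate: str, previous: str) -> bool:
    """True when the candidate is an old password with only case changed or a
    suffix bolted on (the 'add 123! to the end' pattern)."""
    c, p = _core(candidate), _core(previous)
    return bool(p) and (c == p or c.startswith(p))


def check_password(candidate: str, previous: Sequence[str] = ()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(ch.isupper() for ch in candidate),
        "lowercase": any(ch.islower() for ch in candidate),
        "digit": any(ch.isdigit() for ch in candidate),
        "symbol": any(ch in string.punctuation for ch in candidate),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing a {name} character")
    lowered = candidate.lower()
    # Alphabetic runs are compared against the dictionary as whole words.
    if set(re.findall(r"[a-z]+", lowered)) & DICTIONARY:
        problems.append("contains a dictionary word")
    if any(name in lowered for name in FORBIDDEN_NAMES):
        problems.append("contains a forbidden name")
    if any(is_trivial_variant(candidate, old) for old in previous):
        problems.append("trivial variant of a previous password")
    return problems


if __name__ == "__main__":
    for pw in ("Summer2023!", "Summer2024!!", "mtmwiwy", "Mtmwiwy-Hv4c-9x"):
        print(pw, "->", check_password(pw, previous=["Summer2023!"]) or "ok")
```

Run as-is, the script shows that `Summer2024!!` is rejected as a trivial variant of `Summer2023!` even though it satisfies the length and character-class rules. It also illustrates the disagreement mentioned earlier: a four-common-word passphrase with no digits or symbols would fail a checker written to these rules, however long it is.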
How important are unique passwords?
There’s a good chance one of the most famous ransomware cyberattacks, the one on Colonial Pipeline that shut down about half of America’s fuel supply, was because of one recycled password. According to Forbes, “the employee ‘may have used’ the password on a different website that was previously compromised, costing the company $2 million in ransom alone and setting off one of the biggest supply chain crises in recent history.”
Implement an EAM with strong security built in
Part of making the jump to modern maintenance management is implementing a robust EAM solution, and for most organizations, that means implementing a third-party platform.
It’s the same as when the front office made the move all those years ago from mechanical typewriters to Microsoft Office or a similar product. They didn’t develop a system in-house. Instead, they brought in a vendor, and part of that process was coordinating with the IT department to make sure the software had all the security features they needed.
The discussions between the EAM provider and IT can get technical quickly, with many industries coming with their own set of standards, requirements, and certifications. The good news for the maintenance department is that a good EAM provider already has an established set of workflows to ensure the right people in your organization get the answers they need.
Although your maintenance techs are already aware of onsite safety standards, they might not know all they need to about the safety and security of information systems. And with the sharp rise in cyberattacks, cybersecurity is more important than ever before.
At the foundation is the CIA triad: confidentiality, integrity, and accessibility. You need to be able to control who has access and ensure the data is reliable, while also keeping it accessible so the team gets what it needs in real time. For the average maintenance tech, much of their role in cybersecurity comes down to their use of strong passwords.
Although there are competing and changing claims on the best ways to make passwords that are easy to remember and hard to guess, it has always been important to never use the same password on multiple platforms. In fact, one of the worst cases of ransomware was likely related to a recycled password.
When making the jump to a modern EAM solution, maintenance and facility managers need to coordinate with the IT department to ensure all the requirements are met and the right certificates are in place.
The conversations can get technical quickly, but a responsible provider has a lot of experience in making sure the right people get the information they need to make good decisions.