Having deployed Asset Performance Management (APM) solutions all over North America since 2016, Spartakus Technologies has worked with dozens of manufacturing organizations to ensure maximum security of their data while maximizing their operations’ reliability.
Cybersecurity requirements for cloud-based software used in industrial facilities by maintenance personnel are crucial to ensure the confidentiality, integrity, and availability of sensitive data and critical operations. This article lists some of the key cybersecurity requirements and considerations for such software used by maintenance and reliability professionals.
Data encryption, access, backup, and recovery
All data transmitted between maintenance personnel and the cloud-based software must be encrypted in transit using a current version of TLS (TLS 1.2 or later; SSL and TLS 1.0/1.1 are obsolete and should be disabled), with server certificates validated by the client. Data must also be encrypted at rest, including backups, to protect against unauthorized access to the underlying storage.
The APM provider must implement robust access control so that only authorized personnel can access the software. Roles and permissions must be assigned to users based on their responsibilities, following the principle of least privilege: a user should have access only to the data and functions their role requires, and anything not explicitly granted should be denied.
Multi-factor authentication (MFA) is required for all user logins. Single sign-on (SSO) through your corporate identity provider (for example, Microsoft's) is a plus: it enforces your MFA policy centrally and simplifies user management, since disabling an account at the identity provider immediately revokes access to the APM when an employee leaves or changes role.
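To make the two requirements above concrete (least-privilege roles, and MFA as a gate on sensitive actions), here is a small deny-by-default authorization check. This is an added illustration written for this article, not Spartakus or any APM product's code; the role names, the "resource:action" permission strings, the `authorize` function and the sample users are all assumptions chosen for the example.

```python
"""Deny-by-default role-based access control with an MFA step-up rule.

Added example for this article; role names, permission strings and the
authorize() function are assumptions, not the APM product's own API.
"""
from dataclasses import dataclass, field

# Permissions are "resource:action" strings. Each role lists only the minimum
# set its job function needs; anything not listed here is denied.
ROLE_PERMISSIONS = {
    "technician": {
        "work_orders:read", "work_orders:update", "inspections:create",
        "assets:read", "documents:read",
    },
    "reliability_engineer": {
        "work_orders:read", "assets:read", "assets:update",
        "documents:read", "documents:create", "analytics:read",
    },
    "admin": {
        "users:manage", "roles:manage", "integrations:manage",
        "assets:read", "work_orders:read",
    },
}

# Actions that change who can access what require a recent MFA assertion,
# even for users whose role grants them.
MFA_REQUIRED = {"users:manage", "roles:manage", "integrations:manage"}


@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False
    active: bool = True  # cleared when the SSO / identity-provider account is disabled


def permissions_for(user: User) -> set:
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())  # unknown role grants nothing
    return perms


def authorize(user: User, permission: str) -> tuple:
    """Return (allowed, reason). The request is denied unless every check passes."""
    if not user.active:
        return False, "account disabled"
    if permission not in permissions_for(user):
        return False, f"role lacks {permission}"
    if permission in MFA_REQUIRED and not user.mfa_verified:
        return False, "MFA required for this action"
    return True, "ok"


def audit_line(user: User, permission: str, decision: tuple) -> str:
    """Format a decision the way an audit log would record it."""
    allowed, reason = decision
    return f"user={user.username} perm={permission} allowed={allowed} reason={reason}"


if __name__ == "__main__":
    # Constructed sample users: a technician, an admin who has not completed
    # MFA this session, and a former employee disabled at the identity provider.
    tech = User("jdoe", {"technician"}, mfa_verified=True)
    admin_no_mfa = User("asmith", {"admin"})
    former = User("former", {"reliability_engineer"}, active=False)
    for u, p in [(tech, "work_orders:update"), (tech, "users:manage"),
                 (admin_no_mfa, "users:manage"), (former, "assets:read")]:
        print(audit_line(u, p, authorize(u, p)))
```

The design point is the order of checks: account status first (so an SSO deprovisioning takes effect regardless of role), then the role grant, then the MFA step-up; a missing entry in `ROLE_PERMISSIONS` silently denies rather than erroring open.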
Since maintenance events, results and documentation are stored in such platforms, it is imperative that the APM provider performs regular data backups so that data can be restored in case of loss. Data recovery processes must also be in place, documented and tested (for example, through periodic restore exercises) so that they are known to work and can minimize downtime in case of disaster.
Platform robustness
The APM provider must follow secure coding practices when developing the software to mitigate common vulnerabilities such as SQL injection, cross-site scripting (XSS) and others.
In addition, regular security audits, penetration tests and vulnerability assessments must be conducted to identify and remediate weaknesses in the system; quarterly assessments should be a minimum requirement. When vulnerabilities are found, the provider must have an action plan to remediate them as soon as possible, with a timeline based on severity.
The vendor must also use intrusion detection and prevention systems (IDPS) to monitor network traffic for suspicious activity.
If the software exposes APIs for integration with other systems, ensure that every API endpoint requires authentication and authorization, that API keys or tokens can be rotated and revoked, and that all API traffic is encrypted in transit.
Finally, the vendor must keep all third-party libraries and dependencies used in the software up to date and monitored for known vulnerabilities, since a vulnerable component can expose the platform even when the vendor's own code is sound.
Server, network and security practices
Your APM provider must ensure that the software complies with relevant industry standards and regulations for cybersecurity and data privacy (e.g., the NIST Cybersecurity Framework, ISO 27001). Be aware that the provider likely hosts on a cloud service such as Azure or AWS that is itself ISO 27001 certified; that certification covers the cloud provider's infrastructure, not the vendor's application, so ask for the vendor's own attestation as well. If requested, the provider should also confirm that its employees undergo background checks.
Your vendor should also ensure that physical access to the servers and data centers hosting the cloud-based software is restricted and monitored.
What you should do on your end
Your employees and coworkers should be trained on cybersecurity best practices, including how to recognize phishing attempts and other social engineering attacks. Raise awareness about the importance of cybersecurity among all users.
If mobile devices are used to access the software, deploy a mobile device management (MDM) solution and enforce security policies on those devices (screen lock, device encryption, remote wipe).
The passwords used by your employees to access the APM must comply with your password policy (for example, at least 12 characters with uppercase letters, digits and special characters). If the APM does not enforce that policy itself, enforce it through SSO or have your employees change their passwords every 6 months. Note that current guidance such as NIST SP 800-63B favors screening passwords against lists of known-compromised passwords over periodic rotation, and requires an immediate change when compromise is suspected. Accounts must never be shared: every user needs an individual login so that actions can be attributed and access can be revoked per person.
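As an added example (not code from the article or from Spartakus), the following Python function implements the password policy described above and goes slightly beyond it: besides the length, uppercase, digit and special-character rules, it also requires a lowercase letter (an assumption, not stated in the policy), rejects passwords containing the username, and screens against a deny-list. The `COMMON_PASSWORDS` set is a constructed stand-in for a real compromised-password feed.

```python
"""Password policy check: 12+ characters, mixed character classes, no username,
not on a known-bad list.

Added example for this article. MIN_LENGTH and the character-class rules follow
the policy in the text; the lowercase rule, username rule and COMMON_PASSWORDS
deny-list are assumptions added for illustration.
"""
import re

MIN_LENGTH = 12

# Constructed deny-list standing in for a breached / common-password feed.
# Entries are stored lowercase and compared case-insensitively.
COMMON_PASSWORDS = {"password1234", "maintenance2024!", "welcome12345!"}


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("Turbine#Outage2024", "jdoe"),
                     ("maintenance2024!", "jdoe"),
                     ("Jdoe!Pumps2024", "jdoe"),
                     ("Ab1!", "jdoe")]:
        result = check_password(pw, user)
        print(f"{pw!r}: {'OK' if not result else ', '.join(result)}")
```

Returning the full list of violations rather than a single boolean lets the enrollment form tell the user everything that is wrong at once, which reduces the "try again" loop that pushes people toward weaker variations of the same password.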
Yoann Urruty, Eng., CMRP
Director of Technologies – Spartakus Technologies
yoann.urruty@spartakustech.com