
How Global Power Leader Cummins Embraces Cyber Hygiene

For the head of cybersecurity at this government and consumer engine maker, endpoint visibility fosters regulatory compliance, learning, and security.

Cybersecurity professionals are often tasked with an increasingly difficult role of mitigating security threats and potential cyber intruders.

For those of us in the cybersecurity profession, the past year presented numerous challenges. We battled an uptick in cyberthreats, navigated an increasingly complex system of regulations and rules, and worked hard to minimize risk from the increase in remote work.

I oversee cybersecurity engineering at Cummins, a global power leader that specializes in diesel and alternative fuel engines and generators, and related components and technology. With about 58,000 employees, Cummins is a corporation of complementary business segments that design, manufacture, distribute, and service a broad portfolio of solutions.


Like others concerned with cybersecurity, we face challenges on several fronts: maintaining visibility of the enterprise, addressing emerging risks, and using cybersecurity to enable our operations and business—all while creating a cyber-savvy workforce to help our colleagues meet their personal and business goals.

To meet today’s challenges, and learn from them, we try to be creative in our thinking and approaches.

Maintaining real-time visibility

Cybersecurity is increasingly viewed as a measure of quality of how products in different industries are produced and supplied. To create a safe, secure, and high-quality product—whether deployed internally as an IT solution or something your customers use—cybersecurity must be part of the discussion from the start.


Recent ransomware attacks have demonstrated how disruptive a cyberattack can be to supply chains and business processes. They highlight the importance of visibility and the need to measure and control risk in an IT environment through governance and application of proactive technical capabilities to mitigate threats.

Across industries, I see a startling lack of visibility and technical enforcement of best practices. It is increasingly common for IT leaders to discover endpoints in their organization they had no knowledge of previously. That underscores the importance of being able to discover and see across endpoints.

Visibility is crucial to keeping threats from leveraging endpoints that are not inventoried and, as a result, are not routinely maintained or managed.

The hybrid challenge

Many companies are hybrid, working across multiple operating systems and applications that traditionally are on-premises and transitioning to cloud environments. While some industries are always going to have some on-premises functions, enterprises will continue to increase efforts to host applications and infrastructure in the cloud.

Being able to bridge those two worlds (between on-prem and cloud) is important. So is the ability to expand and scale the technology and solutions that protect those enterprises across different geographies and technical platforms.


Using technologies that can support multiple operating systems and platforms allows your organization to identify endpoints that are transitioning to cloud environments more accurately and efficiently. The correct tooling can help translate between competing data sources and allow a close look at endpoints with a common frame of reference.

Enriching data

It can also assist in enriching other data that have been collected. This ability makes teams more efficient and allows them to make decisions more confidently and with better outcomes. It also addresses the challenges of tool sprawl and rising cybersecurity costs.

This is a common pain point for many organizations, with businesses using funds and staff to consolidate reporting from multiple cybersecurity and operations tools. That consolidation work can keep valuable resources and skills from being used to address threats or risks more proactively.


Risks like software vulnerabilities, where some repetitive tasks are becoming more automated and less manual, are key considerations as cybersecurity leaders attempt to improve the maturity and efficiency of their cybersecurity operations. Those improvements free up time for cybersecurity teams to focus on other, more complex tasks.

Complying with regulations 

Companies that provide products to government customers must now adhere closely to global regulations related to sale and distribution. In 2020, the U.S. Department of Defense (DoD) released its Cybersecurity Maturity Model Certification (CMMC). It is meant to help protect the controlled unclassified information (CUI) that is used by government contractors. 

Government contractors must implement, monitor, and certify the security of their IT systems that contain the CUI they store or transmit. The CMMC now requires suppliers to undergo third-party assessment and certification to be part of the DoD supply chain.

I anticipate that requirement to expand to the broader federal government in the future. Outside of the U.S., other governments and commercial partners have started to include similar requirements in their agreements and regulations. 

Two perspectives

As a former Navy veteran and member of the aerospace and defense industry, I look at the U.S. CMMC initiative from two perspectives.

On the one hand, the government, which depends heavily on commercial companies, has a job to do. It does not need suppliers to make that job more complicated. On the other hand, commercial organizations, especially those doing business outside the U.S., worry the CMMC may hurt their ability to compete and innovate.

This increases the need to handle multiple security and compliance approaches and frameworks. That puts additional stress on cybersecurity professionals, as well as on the businesses and support teams.


All government contractors must now meet those new and emerging requirements. Small to medium-size businesses may feel the biggest impact. The requirements may limit their agility in developing new products, as well as the customer base that can consume those products.

That is a huge factor in a company’s stability and growth.

Securing IoT (Internet of Things) and telemetry data

As part of the automotive industry, Cummins has made the transition to providing telematics, the wireless communication that connects products to diagnostic services, to our customers. Many people would not traditionally have viewed vehicles, airplanes, trains, and similar equipment as internet-connected devices.

But data can now be collected from both moving and stationary vehicles, as well as from other equipment, and transmitted, providing vital information to customers and manufacturers about how a component or product is performing.


The more data you combine, from product performance information to data from IoT devices used in manufacturing the product, the greater the insight you gain about the product. That insight becomes extremely important to a developer and maker of a product. The customer also reaps the benefit of a higher-quality product with a potentially reduced operating cost.

Of course, storing and transmitting sensitive data has significant privacy and security implications for both vehicle owners and the businesses developing the product.

Today, companies grapple with questions, such as:

  • How do we secure and manage IoT data and keep it safe from interception?
  • How should a device authenticate and communicate with the IT environment?
  • How do we measure how a device does something?
  • What happens if someone tries to reverse-engineer a device and use it for something else that is damaging? 
  • How can we best detect and thwart a hack?

Managing IoT and telemetry data in our industry and in others is an evolving challenge as the environment rapidly changes and develops. Removing data from silos that may have been built for traditional reasons is key to letting a business securely leverage those different data sources that reveal crucial business insight. Breaking those silos may seem counterintuitive to many cybersecurity professionals, but it can be done with an increasing level of proficiency and speed if the proper controls, processes, and governance are in place. 

Securing remote work

The ability to secure a remote workforce continues to be a top concern for all organizations. When COVID-19 hit, most companies did not know if their employees were using secure personal networks and following secure data-handling guidelines at home. And there often is no insight into how members of a worker’s household are potentially using company devices, or if employees and contractors are attempting to use a personal device to access corporate networks and data. Those were all normal, pre-COVID concerns, but they increased in scale with the movement of a substantial portion of a company’s workforce into the home.


Cybersecurity professionals were concerned about several things: Is an endpoint available? Are employees using it? And if they are not using it, can we get it back or pull it from the system? 

These kinds of questions have been common for all industries during COVID-19, especially as companies realized they could hire talent from anywhere because people were working from anywhere. All these unknowns introduce greater risk to networks and data.

To counter these risks, many companies now use segmentation to compartmentalize their networks to better protect critical areas like finance or legal data. Cybersecurity professionals must think about how they align different teams and processes to address segmentation, and then put protections and detection around endpoints.


Embedding protections into the endpoint, whenever and wherever possible, as a way to assess the risk of an endpoint and of its user is a critical step today. This is driving a substantial portion of the discussion around zero trust in cybersecurity. It also requires an organization to answer the question of what zero trust means in the different organizations that are adopting it as a framework.

Cloud-based technologies can help companies operate smoothly when transitioning to remote work. In the midst of the pandemic, companies implemented tools and techniques like virtual desktops and applications, employee security training, and endpoint security management to manage security risks. As remote work persists, companies will continue to prioritize the security of remote access.

Creating a cyber-savvy workforce

Just as important as the tools and technologies that defend against external threats are the measures put in place to defend against internal ones. A comprehensive education program at all levels should be a priority for all companies. With constant news stories about corporate data breaches, it is important for your cybersecurity team to answer questions or distill information. Otherwise, it is easy for other workers to become paralyzed by fear and uncertainty about what to do next.


Employees are human beings. Hackers are targeting them at home. I start conversations with my colleagues with questions like: Have you thought about or talked about security at home? What are your habits at home? A thoughtful approach considers connecting with employees about both their professional and personal lives, since a cyber event that impacts their personal life can also impact their ability to perform their job. Plus, it is the right thing to do as a caring cybersecurity leader.

If you do not follow good practices, you will introduce risk into your life, just as you would if you were driving a car. The computer is a device that you operate. You do not have to know everything, just as you do not have to be a mechanic to operate a car. But you need to be careful about how you turn the wheel, how much you push the gas, and which signals you follow.

Threats are constantly evolving. We are trying to ensure that our team is always improving our detection and response capabilities. You can spend lots of time and money trying to protect yourself, but some of the most effective approaches are taking mindful steps to understand how and what you are accessing and trying to accomplish.

There is an increasing number of cyber intruders and threats actively looking to take advantage of the systems that a business and its employees use. In the end, you must have a plan for how to respond, recover, and restore quickly to limit the impacts.

Dwayne Smith
Dwayne Smith is director of cybersecurity engineering at Cummins, founded in 1919 and headquartered in Columbus, Ind.