Symantec has purchased Appthority and Javelin Networks to strengthen its defense against mobile application attacks and boost its protection around Microsoft Active Directory-based threats.

The Mountain View, Calif.-based platform security vendor said the acquisitions of San Francisco-based Appthority and Austin, Texas-based Javelin Networks will further enhance Symantec's ability to protect the broadest spectrum of modern endpoints and operating systems.

Appthority will make it possible for Symantec customers to analyze mobile applications for both malicious capabilities as well as unsafe or unwanted behaviors such as vulnerabilities, risk of sensitive data loss, or privacy-invasive actions. The company was founded in 2011, employs 35 people, and has raised $25.3 million in four rounds of outside funding, according to LinkedIn and Crunchbase.

[Related: Symantec CEO: Our Endpoint Security Is More Effective Than Our Peers]

The company's technology will be built into Symantec Endpoint Protection Mobile, making Symantec the only company to protect modern and traditional Windows, MacOS, Linux, iOS, and Android endpoints at the device, application, network, identity and cloud layers. Buying Appthority will help Symantec combine mobile app analysis and mobile threat defense to enhance overall security and workflow.

"Mobile apps are a critical threat vector that every company must address to protect their enterprise security," Adi Sharabani, Symantec SVP, Modern OS Security, said in a statement. "The Appthority technology extends SEP (Symantec Endpoint Protection) Mobile's capabilities in limiting unwanted app behaviors, supporting regulatory compliance, and assessing vulnerabilities."

Javelin Networks, meanwhile, can detect Active Directory misconfigurations and backdoors, and help prevent Active Directory reconnaissance and credentials misuse by authorized devices and applications. The company was founded in 2014, employs 21 people, and has raised $5 million in two rounds of outside funding, according to LinkedIn and Crunchbase.

Active Directory services have become an increasingly popular target for attackers, who use the reconnaissance features to discover the users, servers and computers in an enterprise network and then move laterally across the network. Javelin Networks' software protect Active Directory and commonly-used domain resources, including domain controllers, domain identities, and domain credentials.

"The addition of Javelin Networks … gives Symantec customers a unique advantage in one of the most vulnerable and critical areas of IT infrastructure," Javed Hasan, Symantec's SVP of endpoint and data center products, said in a statement. "More importantly, it can help expose exploitable backdoors in AD (Active Directory) and stop attacks at the point of breach while preventing lateral movement."

Symantec's stock is up 2.05 percent to $19.90 in trading Monday morning. Terms of the transactions were not disclosed, and Symantec did not immediately respond to a request for additional comment.

This is Symantec's first acquisition since buying VPN browser security application SurfEasy in November 2017. Symantec carried out five transactions in 2017 – highlighted by its $250 million purchase of agentless isolation provider Fireglass - but failed to make a single acquisition in the first 10 months of 2018.

Symantec must focus on fully integrating the Appthority and Javelin Networks capabilities into the company's existing cloud management platform, according to Marc Harrison, president of Marlboro, N.J.-based solution provider Silicon East. Doing this successfully will make it possible for channel partners to manage the entire Symantec security suite from a single interface.

Symantec has purchased Luminate Security to better protect users around workloads and applications regardless of where they're deployed or what infrastructure they're accessed through.

The Mountain View, Calif.-based platform security vendor said its acquisition of Palo Alto, Calif.-based cybersecurity startup Luminate Security will make it possible to deliver private secure application access, granting user connections only to the specific applications and resources for which they are authorized.

More and more companies are operating their business on infrastructure that is managed by multiple third parties such as Azure, AWS and Google, according to Symantec President and CEO Greg Clark. Secure and private access are a cornerstone of cyber defense, said Clark, who is looking forward to delivering Luminate's unique capabilities to customers.

[Related: Duo Sales Leader Departs For Startup Following Cisco Acquisition Bid]

"In this rapidly evolving world, trust in external infrastructure must be carefully considered as corporations can outsource infrastructure but must also remain responsible for data and users," Clark said in a statement. "Luminate incorporated into Symantec's Integrated Cyber Defense puts us at the forefront of security in the cloud era."

Symantec said its Integrated Cyber Defense Platform unifies cloud and on-premises security across endpoints, networks, email and cloud, protecting against the most sophisticated threats while reducing cost and complexity. This allows companies and users to have frictionless access to cloud and on-premises applications while still providing best-of-breed security protection, according to Symantec.

"As corporate applications continue to move to the cloud, IT organizations need innovative approaches to address the complexity and security challenges of providing users anywhere, anytime access," Art Gilliland, Symantec's EVP and GM of enterprise products, said in a statement.

Terms of the deal were not disclosed. Symantec's stock was up nearly 3 percent to $23.09 in trading Wednesday morning.

Luminate Security was founded in 2017, employs 39 people, and has raised $14 million in two rounds of outside funding, according to LinkedIn and Crunchbase. The company in August reeled in Duo Security sales leader Jason Stutt to serve as its first-ever senior vice president of global sales and help Luminate scale its operations in North America.

"As a partner, our integrations with Symantec were successful in reducing complexity and increasing security for joint customers," Ofer Smadari, Luminate Security CEO, said in a statement. "With this next step, we look forward to fully integrating across the entire portfolio and delivering even more innovation to offer complete security for the Cloud Generation."

Luminate Security emerged from stealth in March 2018 with a Series A funding led by U.S. Venture Partners to expand its operations in the United States and develop its channels and customer base. In April 2018, Luminate announced general availability of its platform, which provides secure access to corporate applications in hybrid cloud environments.

The Luminate platform provides employees with a consistent, cloud-native experience around any corporate application regardless of where it's hosted, the device being used, or where the worker is located. All user activities are examined against company policies, triggering automatic actions to ensure security is being enforced and to prevent unauthorized access.

Symantec has made 72 acquisitions over its 37-year history, according to Crunchbase. The company's most recent acquisitions were of Appthority and Javelin Networks in November 2018 to strengthen the company's defense against mobile application attacks and boost its protection around Microsoft Active Directory-based threats.

One Luminate Security partner who didn't wish to be identified said the deal will provide Symantec with a very clear and unique offering, but will challenge the Luminate team to maintain its mindset, energy and capabilities within a much larger company.

"It is a challenging process to integrate and merge into a very big company," the partner said. "But it doesn’t mean it's impossible."

The partner encouraged Symantec to keep Luminate as a standalone operation and maintain the company's product and brand. If the acquisition preserves Luminate's expertise and create opportunities for solution providers to cross-sell the Luminate offering into Symantec's legacy customer base, it'll be a win-win for the channel, according to the partner.

"Don't mix Luminate with the bigger company. Keep them small and with their familiar development team," the partner said. "Just let them work as they are."

At Symantec, we believe Cyber Resilience is about the management--not the elimination--of risk. We recognise that security needs to go beyond systems, software or IT departments. Cyber Resilience puts the power in the hands of people, and arms them with the ability to recognise risks, draw on the collective intelligence of others, and take preventive or corrective action.

We believe Cyber Resilience calls for strategic action. Now. To help achieve this we propose a new strategic partnership between the security function and business leaders, to balance competitive advantage against the inescapable Cyber Risk of today. Our integrated portfolio of solutions helps your people:

• Become fully-informed on which security issues matter most to their organisation
• Use this knowledge to keep all their colleagues informed of their responsibilities
• Gain a competitive advantage against an on-going never-seen-before Cyber Risk

It is time to raise the stakes.

University of Nevada, Reno information security policies and procedures

Security awareness training: Faculty and staff have free information security awareness training available to them. Some of the courses covered in this general security awareness course include: privacy, threats, safe computing best practices, password best practices, malware, social engineering, phishing, physical security, data security, and mobile and remote computing best practices.

In addition to the free managed training available to all faculty and staff, employees can also take advantage of security awareness training through Lynda.com. Within our internal SharePoint compliance site, users are given resources to the recommended Lynda.com courses.

Online security resources

All it takes is a single hijacked browser session or unprotected third-party device on a network to shut a business down, costing millions in lost productivity and revenue. Regarding browser attacks, many CISOs can’t forget how the CNA Financial breach started with a phishing email telling an admin to perform a browser update. Attackers infiltrated the CNA network, infecting 15,000 systems with ransomware while destroying backups and disabling monitoring and security tools. 

The growing risk of unmanaged endpoints 

Enterprises are overwhelmed with more work than their teams can handle. Department leaders turn to contractors to complete more work and expect employees to be available on any web-enabled device. Organizations find hundreds of new unmanaged endpoints on their networks, with every contractor and employee relying on their laptops, tablets and phones to get work done.

Asking every contractor to load a series of special software or applications on their devices isn’t practical and gets limited adoption. It also burdens already stretched IT staff, who are called on to help. The paradox gets more challenging when organizations need contractor help to get up and running fast to keep up with workloads yet need a security solution that scales across thousands of device types. 

Onboarding contractors quickly sometimes leads to as many as 40% of new endpoints needing to be traced or even discoverable on the network. 

When a contractor is onboarded, they often get access to shared productivity apps. As many organizations don’t have a process to delete a contractor’s access by cloud app or resource, credentials can live on for years – even decades – and lead to intrusion and breach attempts.  

Identifying the new wave of web-based attacks

Fake browser update scams are on the rise today. These attacks rely on websites that tell users to update their browsers to see the content. Brian Krebs, a cybersecurity investigative reporter and blogger, writes, “New research shows the attackers behind one such scheme have developed an ingenious way of keeping their malware from being taken down by security experts or law enforcement: By hosting the malicious files on a decentralized, anonymous cryptocurrency blockchain.”

Earlier this year, security researcher Randy McEoin discovered and wrote about a web browser attack strategy he called ClearFake. The attack strategy starts with WordPress sites that provide victims with a webpage that tells the user to update their browser before they can view the content. Sekoia.io’s Quentin Bourgue and the Threat & Detection Research Team provide a comprehensive technical analysis of how ClearFake works and insights into its installation flow.  

Source: Sekoia blog

Start by securing unmanaged endpoints at the browser 

CISOs are challenged with managing hundreds or thousands of endpoints that often change as contractors are onboarded or let go when their contracts expire. IT and security teams rely on web application isolation because it’s been proven to protect from web-based threats that target an organization’s most valuable apps and resources. Leading cybersecurity vendors who provide web application integration solutions include Broadcom/Symantec, Cloudflare, Cradlepoint, Forcepoint, Iboss, Menlo Security, McAfee, NetSkope and Zscaler.

The technology behind web application isolation is the same for remote browser isolation (RBI), only used in reverse. Instead of preventing hackers from targeting and breaching a network through endpoint web browsers, it prevents hackers from being able to target and breach corporate web or cloud applications. Cradlepoint is differentiated in its support and delivery of comprehensive, two-way protection for the application and its users. 

How remote browser isolation works

RBI uses a zero-trust approach to secure every endpoint and the apps and resources it has access to, treating all active code from a website as a threat, whether malicious or not. It takes a zero-trust approach to protect any device from the latest, unknown web-based threats. Zero-day threats can often evade detection by traditional solutions, such as antivirus solutions, which rely on a database of known signatures to detect threats. Since zero-days are, by definition, unknown, traditional solutions cannot detect them.

RBI assumes that all websites may contain malicious code and isolates all content from endpoints to prevent malware, ransomware and malicious scripts or code from impacting an organization’s systems. All sessions are run in a secure, isolated cloud environment, enforcing least-privilege application access at the browser session-level. 

Like RBI, a web application isolation solution doesn’t affect the user experience. The secure web application is still completely functional and interactive. Behind the scenes, web isolation technology is keeping the application secure. Like a web application firewall (WAF), RBI protects applications from Layer 7 attacks. RBI differs from WAF because it isn’t designed to deliver zero trust security to every browser session. WAFs have signatures that can catch threats, but zero-day attacks have been known to breach them. 

Combining authorization and isolation technologies blocks attackers from breaching applications and embedding malicious code. That’s essential for protecting end-users from phishing attempts, malware infections and other application-based attacks. The goal is to protect internal systems, networks and data accessible or linked to applications that risk being compromised. Relying on the OWASP Top 10 framework is table stakes for designing an RBI architecture resilient to risks.  

Of the RBI solutions available, Cradlepoint’s Ericom is differentiated in its combining a secure web gateway (SWG) with built-in remote browser isolation (RBI) to provide zero-trust security for web browsing. Security teams use web application isolation to apply granular user-level policies to control which apps every user can access, regardless of location and role. Those granular controls define which actions they can complete in each app. 

It’s common for (WAI) platforms to support policies controlling file upload/download permissions, malware scanning, DLP scanning, and limit cut-and-paste functions (clip-boarding) and users’ ability to enter data into text fields. The solution also “masks” the application’s attack surfaces from would-be attackers, protecting against the OWASP Top 10 Web Application Security Risks.

Cradlepoint’s Ericom bases web application isolation (WAI) on their remote browser isolation (RBI) expertise and years of helping SMBs with zero-trust initiatives and frameworks. Source: Ericom 

Getting it done 

Remote work and the widespread use of personal devices create entirely new threat surfaces that organizations aren’t staffed or funded with enough budget to provide endpoint software agents. That’s why browser-based approaches are catching on. 

The following are table stakes for securing unmanaged devices in today’s zero-trust world: 

Identification and Categorization of Assets: Begin by thoroughly identifying all enterprise applications, data, and resources. Categorize them based on their sensitivity and the level of access required.

Deployment of Web Application Isolation Techniques: To combat the risk of unmanaged devices causing a breach,  get familiar with web application isolation techniques. Even if an attacker reaches the device, installing web application isolation will protect applications. 

Enforcing Least Privilege Access: First, audit and then identify what resources each role or identity needs and restrict access to other apps, resources, or databases. This alone can reduce the potential for an insider threat and reduce any accidental access to sensitive data.

Continuous Monitoring and Adaptive Policies: A core concept of zero trust is monitoring every resource request and transaction over a network. Getting this right provides the data to identify threats and track breach attempts. 

Multi-Factor Authentication (MFA): This needs to be table stakes for every contractor and employee on the network using any app or resource. Require it for access to the network and also for any app, database or collaborative app.  

Encrypt Sensitive Data: Ensure that all sensitive data, both at rest and in transit, is encrypted. This protects data integrity and confidentiality, even if attackers gain access. 

Data Loss Prevention (DLP): Essential for enforcing safeguards against exposure of confidential and personally identifiable information (PII), data loss prevention (DLP) is essential for an organization to have a hardened security posture. It’s increasingly considered core to zero-trust security frameworks.  

Segment Networks: Getting network segmentation right is worth it. Shutting down the lateral movement of attackers by segmenting the network pays dividends the first time an intrusion attempt goes nowhere.

Implement Endpoint Security Solutions: Use advanced endpoint security tools to monitor and manage devices accessing the network. This includes ensuring that all devices are updated with the latest security patches.

Regular Security Training and Awareness Programs: Training can help raise awareness of the most blatant phishing attempts, malicious links, and other common threats. See it as a support strategy, not the core of any cybersecurity program.  

Get vendors and partners onboard early: Extend RBI to third-party vendors and partners immediately to protect supply chains and partner networks. Ensure they adhere to similar security standards to protect shared networks and data.

These are just a start to getting unmanaged devices secured. Using these suggestions as a baseline to get started will help reduce the risk of a breach starting on a third-party device. Having RBI running when there’s a large influx of contractors globally working on projects is essential for protecting infrastructure.

Anti-virus software works by comparing the files on your computers and those you access online to a database of known viruses, known as virus definitions. Without regularly updated definitions, an anti-virus program won't protect your computers and office workstations against new viruses. All paid anti-virus programs, including Symantec's Norton AntiVirus and their business editions, sell definition updates through subscription plans, and no longer update the definitions once the subscription expires. Unlike some other brands however, current versions of Symantec's programs will completely stop functioning -- even with old definitions -- after the subscription ends, leaving the computers on your network unprotected.

Smart, connected production machinery has transformed manufacturing, leading to tremendous productivity, safety and quality gains. However, the Industrial Internet of Things (IIoT) has also created new security risks. Connected machines represent a cybersecurity endpoint in the smart factory that can put facilities and data at risk. Strong endpoint security practices—including machine user authentication—are needed to protect valuable intellectual property (IP), prevent production delays, and ensure the safety of people and facilities.

Cyberattacks on manufacturers are rising, with an average cost of $4.47 million per incident in 2022. Many of these are traditional attacks on IT infrastructure, such as phishing attacks, ransomware and malware attacks on websites or networks. However, as manufacturers ramp up their use of IIoT and operational technology (OT) devices, production machinery has become a tempting target for hackers and bad actors. Attacks on production machinery or safety-instrumented systems (SIS) can cause considerable operational disruption.

IIoT and OT devices are cyber-physical systems that act as endpoint devices for the factory network. In addition to risks presented by unauthorized access to machine controls and software, they also increase the attack surface for the factory as a whole, allowing bad actors to use them as a pivot point into other IT systems. Unprotected IIoT devices leave factories vulnerable to data breaches, malware and ransomware attacks, denial of service attacks, and other potential harms.

Cyberattacks on production machinery can cause severe damage, including:

• Unexpected production shutdowns due to malicious capture of machinery controls.
• Loss or theft of valuable company or client IP stored on or transmitted to connected machines.
• Safety or quality issues arising from unauthorized changes to machinery controls and settings.

In many factories, production machines are among the most vulnerable network endpoints. This is partly because IT and OT tend to exist in silos, with IT handling traditional endpoint devices (laptops, printers, servers, etc.), while the operations department handles machinery on the factory floor. The 2019 Deloitte and MAPI Smart Factory Study suggests that IT and OT are seriously misaligned in many factories, leading to significant vulnerabilities on the factory floor. Other factors that increase cyber risk include:

• Weak authentication methods that are easily compromised by hackers or inside actors.
• Poor physical security on the factory floor.
• Lack of proper encryption to protect stored data or data in transit.
• Lack of security updates or outdated operating systems and software.
• Legacy equipment that lacks modern security features.
• Minimal endpoint and network security features, such as firewalls, intrusion or anomaly detection, and antivirus software.

To protect people, data, and production machinery, manufacturers need a comprehensive cybersecurity strategy. Photo courtesy ELATEC Inc.

Best Practices in OT and IIoT Cybersecurity

To protect people, data, and production machinery, manufacturers need a comprehensive cybersecurity strategy. This requires adopting best practices and complying with industry standards and regulations.

One of the most essential things manufacturers can do is break down the silos between OT and IT. When considering production machinery as a network endpoint, it becomes clear that OT and IIoT devices must have the same level of attention and protection as laptops, servers and other IT devices. That means adopting best practices from the IT side. These measures include:

• Ensure timely firmware and security updates for all production machinery.
• Implement network segmentation and isolation to prevent users or hackers from using machines to pivot into the network.
• Use appropriate encryption to protect production data both at rest (in the machine memory) and in transit (during communication between the machine and other networks or systems, including cloud applications).
• Adopt a zero-trust security model for networked devices, which continuously verifies device trustworthiness rather than assuming devices are trustworthy once Verified initially.
• Utilize intrusion detection, intrusion prevention and anomaly detection software to detect unusual network traffic to or from the machine and monitor machine health and behavior.

With RFID, the same access control technology can be used for physical access control, machine authentication, and digital access to systems and networks. Photo courtesy ELATEC Inc.

Protect Production Machinery With Strong User Authentication

Machine authentication is a cornerstone of endpoint security in the smart factory. Strong authentication technology ensures that only authorized, trained operators can access controls for production machinery and allows companies to track exactly who has accessed each machine and at what times. The right machine authentication solution can also reduce the risk of remote hacking.

Many manufacturers still rely on password or PIN systems for machine access. However, passwords and PINs are often shared or forgotten. They can also be hacked.

Radio-frequency identification (RFID) offers a more secure alternative to a password or PIN for machine authentication. Users present a physical badge or token to unlock access to the machine. This can also be accomplished via a mobile credential on a smartphone using near-field communication (NFC) or Bluetooth low energy (BLE).

An RFID or mobile solution for machine authentication increases machine security in several ways. First, these systems are highly secure and difficult to clone or hack when appropriate encryption is used. Physical badges, tokens or phones are also less likely to be shared than a password or PIN. In addition, the user must be physically present at the machine with the badge, token or device in hand to unlock access, reducing the risk that the machine can be inappropriately accessed via remote hacking or password theft.

For higher security, RFID and mobile access solutions can be implemented as part of a multifactor authentication process using a secondary password or biometric system.

Finally, loss or theft of a physical badge, token or device is likely to be noticed immediately, unlike a compromised password. IT can quickly and easily shut off authorization if a card is lost or stolen or an employee leaves the company.

Physical badges are also less likely to be shared than a password or PIN. In addition, the user must be physically present at the machine with the badge in hand to unlock access. Photo courtesy ELATEC Inc.

Consider Physical Access as an Aspect of Endpoint Security

Endpoint security must be considered in the context of the total security concept, including physical security. Physical access control (PAC) enhances endpoint security by limiting who can enter the production floor or have physical access to production lines and machines.

This is important because many industrial espionage cases are inside jobs. Limiting physical access to production areas and machinery prevents bad actors from tampering with or disabling access hardware (such as RFID readers), plugging unauthorized devices into a machine (such as a USB drive carrying a virus), or damaging the machine. The PAC solution should go beyond the front door to enable monitoring of employee movements through production areas. In the case of a security or cybersecurity incident arising from the inside, it can be crucial to know precisely who has been in each production area and accessed each machine and at what times.

Ensure Compliance With Cybersecurity Standards and Regulations

Manufacturers must ensure that cybersecurity systems and protocols comply with industry best practices and relevant regulations. The National Institute of Standards and Technology (NIST) Cybersecurity Framework provides guidelines for improving cybersecurity risk management across all industries, including manufacturing. It offers a framework for identifying, protecting, detecting, responding to, and recovering from cybersecurity threats. NIST has also developed a set of cybersecurity resources for manufacturers. In addition, the system should comply with relevant ISO standards such as:

* SA/IEC 62443: A widely recognized industrial automation and control systems (IACS) cybersecurity standard. It provides a structured approach to securing industrial control systems and is especially relevant to manufacturing.

* ISO 27001: A globally recognized standard for information security management systems (ISMS) that manufacturers widely use to establish and maintain comprehensive information security controls.

Manufacturers in highly regulated industries like energy or defense may have additional cybersecurity and machine access control regulatory requirements.

Strong authentication technology allows companies to track exactly who has accessed each machine and at what times. Photo courtesy ELATEC Inc.

Setting Up a Secure Machine Authentication Solution

Strong machine authentication technology is an integral part of endpoint security for manufacturing. For optimal performance, consider the following points:

Use the right access control technology. RFID or mobile credentials using BLE or NFC are more secure, reliable and convenient than password or PIN systems for machine authentication. An RFID badge or token is usually the preferred choice in a factory environment. Smartphones may be a safety or security risk on the factory floor and can be damaged in dusty, hot or humid factory environments. Since most manufacturers issue a corporate ID card for building access and security, it makes sense to leverage the same card for machine access.

Choose transponder technologies and encryption suitable for the application. Communication between the RFID tag and the reader should be encrypted to prevent eavesdropping and credential cloning. In general, high-frequency (HF) RFID technologies, which operate at 13.56 megahertz, allow for more advanced encryption and longer encryption keys than low-frequency (LF) RFID technologies, which operate in the 125 kilohertz range. Well-known transponder technologies such as MIFARE, LEGIC and HID Prox or iClass offer a range of security features and encryption options. For machine authentication, look for a reader that supports at least 128-bit encryption, such as AES-128. Some readers now support advanced elliptic curve cryptography (ECC) for an even higher level of security.

NFC is usually preferred over BLE for facilities supporting smartphone authentication use. NFC credentialing mimics an HF RFID signal on the same 13.56 MHz band. Compared to BLE, NFC has a much shorter read range (a few centimeters vs. up to 100 meters), which ensures users are in close proximity to the machine or device they are unlocking. The short read range prevents others from piggybacking on the proximity of users who are in the vicinity but not actively using the machine. It also reduces signal eavesdropping risks. NFC supports strong encryption, just like HF RFID. A universal reader, such as those available from ELATEC, enables manufacturers to support smartphone credentialing, LF or HF RFID, and even newer interoperable and open standard credentials, such as LEAF or those based on public key infrastructure (PKI), providing maximum flexibility.

For even higher security, consider adding two-factor authentication. This can be accomplished, for example, by requiring both a password and an RFID token to log into the machine. Smartphone credentialing allows for an additional layer of security through the device itself; biometrics (facial or fingerprint recognition) can be turned on for the phone, ensuring that only the phone owner can open the credentialing app.

Having different access levels for different roles, such as machine operators, line supervisors, process engineers, IT and maintenance, is usually desirable. Photo courtesy ELATEC Inc.

Differentiate access levels by user. The access technology should differentiate access levels by user or role. Make sure the system allows a unique identification for each user so that it is possible to identify precisely who is operating each machine and when. Then, consider the type and level of access appropriate for their role and responsibilities.

Having different access levels for different roles, such as machine operators, line supervisors, process engineers, IT and maintenance, is usually desirable. For example, line operators may only need basic access to a few machine functions to carry out production activities, while supervisors and IT may need to be able to access advanced machine parameters and configurations. For maximum security, users should only have the minimum access required to perform their jobs.

Integrate physical and cybersecurity. With RFID, the same access control technology can be used for physical access control (including building entry and “beyond the door” locations), machine authentication, and digital access to systems and networks. A unified access system simplifies security for both IT and OT. It’s also easier for employees since the same credential can be used for everything they need to access at work.

An integrated system enhances endpoint security by limiting both physical access to machines and access to machine controls. This protects the machine from physical tampering and sabotage as well as unauthorized access to the human-machine interface (HMI).

Physical security also includes the integration of the reader into the production machinery. A reader fully integrated into the machine or HMI is more tamper-resistant than one simply plugged into the machine with a USB cord, for example.

ASSEMBLY ONLINE

For more information on RFID technology, read these articles:
Key Considerations for Choosing the Right RFID Tag for Your Traceability Application
Industry 4.0 Technology and Manual Assembly
MTU Aero Engines Uses UWB RTLS to Track and Trace Production, Parts

A professional writer since 1998 with a Bachelor of Arts in journalism, John Lister ran the press department for the Plain English Campaign until 2005. He then worked as a freelance writer with credits including national newspapers, magazines and online work. He specializes in technology and communications.