Cybersecurity in Manufacturing: QA with Industry Experts

As recorded from an event hosted by ComTec Solutions and Rochester Technology Manufacturing Association (RTMA). The following questions and answers were discussed on the state of cybersecurity in manufacturing.

Is there any data on how many attacks are specifically targeted versus perpetrators? Of those attacks that are successful or attempted, what is the ratio of attacks targeting specific companies versus multiple companies?

I don’t think these attacks are generally toward a specific target. They will shotgun attack, and whoever bites is where they start attacking. The key is not to bite. With certain companies, they are going after IT, or they’re trying to hit specific targets. The majority of attacks are broad versus targeted attacks.

Hackers use tools to penetrate a company’s environments. They’re hoping to find the weakest link in the company. It is important to educate your company and have cybersecurity training on a regular basis.

Provide education for your end users on what to do and what not to do. Is our backup protected, manual, or automated? That’s what most companies need to think and talk about internally when you’re digging up these events and malicious attacks occur.

Are you seeing a trend in organizations requiring a 15-character+ password requirement for security purposes?

Yes. We’re seeing more unique characters within those passwords. Update every 30, 60, or 90 days. A longer string of characters works best.

Can we use phrases?

We find that if we do phrases, it’s easier to remember.

Would you recommend a password manager?

We recommend password management software. There are several different ones to choose from. Depending on the way you go, they have different levels of encryption. There has been a breach recently with LastPass, so we’re trying to steer people away from it. Keeper is compliant with the requirements for CMMC. Even if you don’t have to be CMMC certified, this says something about the level of security in their cloud site. This one meets all the requirements. That’s one of the ones we’re recommending, especially if you need to be certified through CMMC.

Is there a resource available for employers who have remote employees? When we had desktop computers, it was easier to secure them. When you have people dialing into the network, how does an employer ensure that all those devices are secure?

There are tools that provide mobile-device management software. We highly encourage not using personal assets for company-related purposes. Some companies think they are saving money, but this opens you up to risks. For personal devices, there have to be regulations in order to use them for work. The best thing is not to bring your own device. Make sure that they’re your laptops and your phones. You can lock them down, secure them, lock them from having software installed, monitor them with a cybersecurity package, and patch them. Make sure that they’re company-supplied devices.

What is CMMC 2.0, and what is the deadline?

CMMC 2.0 is a piece of legislation that’s designed to add information security to the defense supply chain. If you’re a part of that supply chain and want to be awarded defense contracts that are going to involve information the federal government wants protected, then you have to take steps to secure that information when it is in your hands and when you pass it down to contracts. One hundred and ten best-practice security controls are outlined in NIST 800-171. Requirements began with 1.0 around 2017, and enforcement wasn’t realistic. The deadline was pushed back multiple times. 2.0 is in its final rule, which will be published before May of next year and will start showing up in some contracts. By October 2026, the DOD expects that CMMC will be required in all defense contracts that are awarded.

What are the differences between 1.0 and 2.0?

They worked on simplifying the levels. 1.0 had five different levels that suppliers could fall into as far as what the requirements would be. Now there are three levels. Beyond that, there are some unique controls you needed to follow for version 1.0, but they have now completely aligned CMMC 2.0 with NIST. The auditing process has changed, as has who is required to be audited, and there are changes in the timeline.

Within CMMC, what is an SPRS score, and why is it needed?

An SPRS score (supplier performance risk system score) is managed, owned, and operated by the DOD. You’ll conduct your assessment. The score is created and uploaded. The scoring system and range are ridiculous, ranging from -203 to +210. The score is used by the government to manage contractor risk, managing risk item, price, and supplier.

How often should a company within the CMMC reassess its score?

One of the 110 controls states that it should be reassessed every 365 days (one year). This will depend on where your contracts lie. Third-party assessment can be done every three years, but you still have to update the government every year.

What should we expect during a CMMC assessment, and how can companies within the framework prepare for a successful audit?

When you first read them, they can make your head explode. They are pretty vague. If you look at them, you’ll know what to expect. We’ll come in and ask you questions. We’ll want your leadership to be available, as well as your IT team (both internal and external).

The assessment will provide the gap analysis highlighting those areas that need to be remediated and prioritizing them, whether you are doing it independently or whether you use a company like ComTec.

Another way to get prepared is to know what’s covered (CUI, confidential, unclassified information). You need to know where your data is and what data is covered. We’ll ask you over and over again. Some customers don’t know. It’s your definition of your customers’ definition. Now, being defined as 1, 2, or 3 is required.

How long does an assessment typically take?

The actual physical groundwork takes a day (maybe less than that). Going through the 110 questions takes a lot. On top of that, we take a physical assessment of the customer’s network itself, so understand that that’s going on.

Are you seeing CMMC requirements in/on your customer contracts yet?

We have not yet seen them. We do have other requirements: plan of action milestones, a roadmap of how you’re going to become CMMC compliant. They are coming, but we are not seeing the specific CMMC requirements on the contracts yet.

Are there any challenges you’ve had in meeting the existing challenges?

We need to update our score. There are certain challenges with training employees and, sometimes, challenges in software access points and how to control those access points.

How can small to mid-sized manufacturers manage the cost and resource requirements associated with achieving CMMC compliance?

Know where your data is.

If someone gains access to my ERP, could they build my product because my information is there?

That’s probably CUI.

Other customers say that hackers couldn’t build my product. Knowing where their data is is vital.

No CUI will go through email.

What if one of our customers sends CUI through email?

Most of you have been through ISO. You design the system; you tell the auditors what your plan is. It’s similar, but it’s more mandated. Tell us what needs to be protected. Do you need to go full on, or do you keep that data where no one can access through the network? Should you limit access?

If a bad actor goes to look for that, they have only one place to look. Those access points provide opportunities for intrusion. It’s tricky to allow access to only the people who specifically need to know and not transfer via email.

It’s like any other industry on different levels. Customers who needed CMMC requirements when they came out in 2017 scrambled to get them compliant. We had a client who was a $15–20 million manufacturing company. Your pricing has to be appropriate, and we laid down a quote for $250,000. You’re going to see companies quote numbers for compliance, but that is not really realistic. You can build to the level that you need. Look at multiple sources and really understand what you’re getting before you run with that point.

Is it good practice to document your security strategies? How does that fall into CMMC? Is there a requirement that they want to see documentation of the 110?

It comes down to policies and procedures. You need to know how to handle those specific controls and document how you’re going to do it. 

Everyone, from the leadership team to the shop floor, needs to be involved. If intrusion happens, how will you handle it? You have to have a plan and have demonstrated that those strategies are in place and that you’ve been practicing them before compliance can be achieved.

You have to have a cybersecurity policies and procedures manual as part of that requirement. Even state requirements have requirements on how we are doing and the procedures we will follow if we get breached.

Will cybersecurity insurance require similar documentation?

Read the fine print in the policy. We are receiving surveys asking if we have cybersecurity insurance from our customers’ clients. They would ask: “Do you have multifactor authentication?” and if they did not, they would not renew their policies. That is a bigger and bigger concern for customers. Years back with ISO, some companies jumped right in, and some were hesitant. But it usually makes your company better whether you need it or not—whether you absolutely have to do it or not. These requirements are making us better companies and more secure. Your insurance company is going to require some things.

If you’re not following your policies and procedures, insurance may not kick in.

What is CUI, and how do I know what CUI I have?

This is one of the most common questions in the industry. CUI starts to define what your scope is. Once you know what type of information you have, you can build a strategy and structure to protect it. NARA (National Archives and Records Administration) is in charge of the entire government CUI program no matter the department: defense, education, homeland security, etc. By its definition, anything—product, service, information, data—created for, by, or because of the federal government or because of a federal contract becomes CUI.

NARA also mentions that all of the CUI is supposed to be marked and labeled by the government. So we, as commercial organizations, are not supposed to be marking what is CUI and what is not. That should come from the government.

When in doubt, contact your program management office, contract POC, a person in the government, or your prime if you end up being subbed. They should be able to mark or identify that information for you. (Sometimes primes don’t know.)

Understanding the different categories, what work you are using, and the broad definition of anything for, by, or because of the government will be a solid foundation to start asking the right questions of the right people.

How do you know what type of CUI?

There are 20 different categories: defense, export control, procurement and acquisition, etc.

If you have a government contract, you have to be doing CMMC level 1, which includes multifactor authentication. That’s going to be your starting point to add additional protections on CUI based on what the current contracts are. Some protections needed to be added now. Some are easier, such as making sure that all your accounts have passwords.

Incident response is part of the cybersecurity response: bottlenecks, etc.

What type of cybersecurity training are you doing with your employees?

Level 1, we used ComTec as a cybersecurity partner. All of the employees who use a computer understand and know how to recognize and avoid those attempted intrusions.

Level 2 is getting everyone to understand those policies and procedures and explaining to employees that this will improve our operations in general.

Level 3 is explaining to the leadership what will happen if something happens.

HR comes up to speed, so they are making new employees aware during onboarding. It may not be adequate to get someone new up to speed.

With all the state regulations, labor laws, and employment insurance, is HR really the right place to ensure that training takes place?

HR is a piece of it, but their department manager will go through everything they need to be doing, onboarding with an IT person when they start.

The minute you create an account on your network, that person is enrolled in your training. It’s passive to say you’re going to get this regular training. The repetition of that training helps people remember. Track it so that when an employee doesn’t do it, you can follow up and make it fairly seamless for HR.

New employees are often targeted via LinkedIn. It is important to have training in place for those incidents. HR can help them identify those who are coming and be prepared. If HR gets involved earlier, you’re better off.

Coordinate the onboarding process for safety and quality. You need those accountable individuals who run with these strategies. HR will handle that coordination.

You could put it under quality as well.

What emerging trends are you observing in terms of the targets chosen by cybercriminals?

The attacks and criminals are not random anymore. They are very organized and have “sales departments.” We aren’t dealing with just hackers anymore. When you talk about trends, education, government, manufacturing, healthcare, and municipalities are the top five. These industries are targets because there is a wealth of customer information.

MS Azure is being hacked, with 1,400 attacks per day. Small to mid-sized businesses are ramping up those efforts on your businesses. Forty-six percent of ransomware attempts and attacks are made on small to midsize businesses. Every 11 seconds, there is a new ransomware attack.

Since you are in one of the most attacked industries, you want to pay attention to the NIST framework. People are the number one vulnerability for companies. People have to be trained to know what to do.

What is the dark web, and what should I be aware of?

The dark web is essentially a collection of websites usually using various technologies to stay anonymous. Access is through a special kind of browser for the purpose of providing illegal services and products. One of the things that happens is when these breaches happen and personal information is compromised. The dark web is the repository where they are shared and saved.

There are tools that continuously look for listings that include your credentials, social security numbers, addresses, and/or bank account numbers and can report back to you that they’re seeing it listed on the dark web so you can be aware of it. React accordingly: e.g., change your bank account and update your password. You can be more vigilant once you know that your info has been compromised.

With the ever-changing industry, what is ComTec consistently doing to keep up with security needs (30 years of experience)?

We have to stay educated. We are registered with the CMMC accreditation body as a registered practitioner organization. We are learning what we need to, staying close to our vendors to know where the threats are, and constantly looking at what’s out there. You have to do it every day. It’s tough to see the latest trends.

Bridging the gap of how manufacturing is done or how sales/products/services are managed and matching it up with the government risk requirements is a continuous project.

If you go to the CMMC accreditation body, they have monthly town halls. Sign up for these. You will stay aware of what’s going on and what’s required of you.

Do your primes add to it, or do they follow what cybersecurity requirements come from the government?

They don’t add requirements, but they do often require a faster timeline/deadline in order to issue contracts. Not all of them are on the same page. Larger primes are pushing a little harder.
