The manufacturing industry is under increasing threat of cyber-related risks and attacks. In this past year, we saw a big shift toward focused cybersecurity attacks on manufacturing companies: manufacturing jumped from the eighth-largest target to the second-largest target between 2019 and 2020. This is just one of the reasons why the U.S. Department of Defense (DoD) is rolling out its Cybersecurity Maturity Model Certification (CMMC) to ensure the protection of controlled unclassified information (CUI) within the defense industrial base.
In fact, according to 2020 Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) alerts, there was a 50% increase from 2019 to 2020 in the number of common vulnerabilities and exposures (CVEs) found in ICS products. Those vulnerabilities are largely found in the manufacturing, energy and transportation categories.
As the CMMC rolls out, it’s important for manufacturing companies to think more broadly than just CMMC. While it can address other risks in addition to CUI, it is not the end-all, be-all.
What is CMMC?
CMMC is the United States DoD’s new cybersecurity maturity model for the defense industrial base, specifically focused on DoD contracts. It will be implemented over time and apply to any contractor at any tier doing business with the DoD.
Each contract will determine the security maturity standards for that scope of work. Each vendor will be assessed against five maturity levels by a group called the accreditation board, which is currently being formed. The CMMC Accreditation Board (CMMC-AB) recently appointed Matthew Travis as CEO and Karlton Johnson as chairman.
CMMC focuses on the protection of CUI to safeguard the nation’s defense secrets from disclosure to foreign governments or hackers who may turn around and sell this information.
The CMMC starts this year with several pilot programs and is expected to be fully implemented by 2025, though there has been some delay from the change of presidential administrations and COVID-19 complexities. Regardless of the time frame, more and more contracts will be awarded using a CMMC standard in the coming years.
How is it structured?
The CMMC model is broken down into multiple domains, each a different category of controls, such as access control and access management.
Within each domain is a series of practices and processes at each maturity level that a company must achieve to be considered Level 1, Level 2, and so on. The processes cover the procedural standpoint, and the practices are the ways companies ensure things are done technically, such as patching or enforcing least-privilege access. The degree of institutionalization of these processes determines how far an organization is along its maturity journey.
What are the 17 capability domains of CMMC?
If you’ve looked at other cybersecurity standards, CMMC likely seems very similar. It leverages a lot of what other standards are already encouraging or requiring.
At the most basic level, CMMC measures maturity either by the processes performed or by practices that establish basic cyber hygiene. Processes are documented and managed: the goal is to monitor that they are happening, review them regularly to see if they still work, and optimize or adjust them over time to make sure we’re getting better. Practices are more proactive elements. They go beyond the basic fundamentals and attempt to anticipate where an attacker might be next.
Why was CMMC created, and why is it important?
Foreign threat actors have already demonstrated successful infiltration of the defense industrial base to steal critical information and intellectual property (see the F-35 program). Compromise of critical supply chains puts intellectual property at risk and also creates the potential for that stolen information to inform the counter-defenses of military adversaries.
Supply chains are a critical area of threat across industries but especially in manufacturing. Let’s look at a real-world example:
Recently, the REvil group announced it had attacked Apple’s supplier Quanta, claiming to have stolen critical proprietary product information and demanding a $50 million ransom for it. While this example doesn’t involve a provider of weapons systems, it shows how a supplier, Quanta, affected a manufacturing company. The reality is that this is happening, and CMMC aims to protect the DoD’s suppliers from being put in a position similar to Quanta’s.
However, the potential compromise of CUI is only one of a range of cyber risks that industrial companies face. Although CMMC does not focus on ransomware and other types of threats to operational resilience, for manufacturing companies, these risks are perhaps of greater financial impact, as evidenced by some of the significant costs from ransomware disruptions over the past several years.
While manufacturing may not seem like the most obvious or sexy industry to target, downtime in manufacturing plants causes significant financial loss.
In fact, eight of nine recent manufacturing attacks in 2020 caused physical shutdowns across multiple plants. This gives hackers leverage to ask for significant sums of cash (up to $10 million in some cases), especially in those industries with cybersecurity insurance.
So compliance is far from the only reason manufacturers should focus on robust cybersecurity.
How can manufacturers prepare for CMMC and broader cybersecurity?
The DoD’s timeline is to conduct several pilot programs in 2021, begin a more widespread deployment of the certification program in 2022 and be completely implemented by 2025. There have been some delays due to COVID-19 complications, but the administration has indicated this timeline will remain.
What should manufacturers do now?
First, begin with an assessment to understand both your security maturity as well as an appropriate roadmap to improve security. Compliance requirements can lead organizations to approach the task as a box-checking exercise. We strongly urge manufacturers to ensure a holistic assessment of the cyber risks not only to CUI, as required by the DoD, but to their overall operational resilience, as well.
It may be that a company’s access to CUI is limited overall or to particular systems. From a compliance point of view, that will limit the security requirements. But this can create a false sense of security for the broader risks from attacks on operational resilience.
A comprehensive cyber assessment will certainly include the elements of the CMMC but will also review potential threats beyond the informational ones covered specifically by regulations.
Second, develop a remediation roadmap. For many organizations, the assessment will highlight any gaps and potential threats. Progress requires a clear prioritization against a set of controls that both address any compliance requirements they might have due to CMMC as well as the broader cyber risks identified in the assessment. There is no cookie-cutter set of priority initiatives as each organization’s risks and resources will be different.
Key elements of the security remediation roadmap will likely include:
- Gaining an accurate asset inventory,
- Ensuring regular vulnerability remediation, either through patching or application of compensating controls,
- Deploying or improving network segmentation and protections to limit access to certain systems over the network,
- Limiting user and account access; applying the concept of “least privilege” restricts access to only what is absolutely necessary,
- Ensuring regular and confirmed backups for key systems.
Third, find a way to scale resources either through tapping into third-party service providers or simplifying security through a security management platform. Security maturity is not easy, but it can be made less complex by tapping into expertise or streamlining all of the tools. Some organizations rightfully will choose to outsource key functions to experts such as managed security services providers. These firms bring scale and expertise that may not be available internally.
For those that do decide to drive their security and compliance internally, an information technology/operational technology (IT/OT) security platform that brings all elements of a standard together is the most successful way to ensure compliance and reliability.
A single platform provides a 360-degree view of risks in the environment in order to quickly prioritize which to remediate and fix. This deep risk view always starts with a robust asset inventory. This asset inventory, if done correctly, provides the foundation for the rest of the security program — from vulnerability assessment to patch management to user and account management, all the way to detection and responding to threats.
The 17 domains of CMMC highlight the complexity that comes with cybersecurity. A platform that drives maturity across these domains dramatically reduces the total labor and costs required. This is not to say you will not need separate components to conduct network segmentation or backups, but a platform brings the data from each of these components into a single view to ensure ongoing maintenance and compliance monitoring.
One example is the area of network configurations. Firewalls and/or virtual local area networks (VLANs) or other network protections will be a part of almost any security maturity program. However, to ensure the protections remain robust, operators need to ensure the rules in those devices reduce access as much as possible and are not changed by people within the manufacturing environment without clear approval. A platform allows you to monitor these configurations for potential changes.
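The configuration monitoring described above can be illustrated with a small drift check. The following is an added example, not code from the original article or from any security management platform. It assumes a simplified, constructed textual rule format (`permit|deny proto SRC -> DST [port N]`), a constructed approved baseline captured at the last review, a constructed later export from the same device, and a set of change-board-approved rule strings; real firewalls and switches export rules in their own formats, so a real deployment would replace `normalize_rules` with a parser for that format. The example generalizes slightly beyond the text by also flagging overly broad permits, since a rule that reduces access as little as possible is the opposite of what the passage asks for.

```python
"""Detect unapproved changes to network protection rules (firewall / VLAN ACLs).

Added illustration only. The rule syntax and all sample rules below are constructed;
ports 44818 (EtherNet/IP) and 502 (Modbus/TCP) are the well-known OT protocol ports.
"""
from __future__ import annotations

import hashlib
import re

# Constructed: the rule set approved at the last review (the baseline of record).
APPROVED_BASELINE = """\
permit tcp 10.10.20.0/24 -> 10.10.30.5 port 44818   # engineering VLAN -> PLC (EtherNet/IP)
permit tcp 10.10.20.0/24 -> 10.10.30.6 port 502     # engineering VLAN -> HMI (Modbus/TCP)
deny   ip  10.10.10.0/24 -> 10.10.30.0/24           # office VLAN blocked from plant VLAN
deny   ip  any -> 10.10.30.0/24                     # default deny into plant VLAN
"""

# Constructed: a later export from the same device. A technician has inserted a
# remote-desktop permit from the office VLAN ahead of the deny, without a change ticket.
CURRENT_EXPORT = """\
permit tcp 10.10.20.0/24 -> 10.10.30.5 port 44818   # engineering VLAN -> PLC (EtherNet/IP)
permit tcp 10.10.20.0/24 -> 10.10.30.6 port 502     # engineering VLAN -> HMI (Modbus/TCP)
permit tcp 10.10.10.0/24 -> 10.10.30.6 port 3389    # added by a technician for remote access
deny   ip  10.10.10.0/24 -> 10.10.30.0/24           # office VLAN blocked from plant VLAN
deny   ip  any -> 10.10.30.0/24                     # default deny into plant VLAN
"""


def normalize_rules(export: str) -> list[str]:
    """Drop comments and collapse whitespace so cosmetic edits do not register as drift."""
    rules = []
    for line in export.splitlines():
        line = line.split("#", 1)[0]
        line = re.sub(r"\s+", " ", line).strip()
        if line:
            rules.append(line)
    return rules


def fingerprint(rules: list[str]) -> str:
    """Order-sensitive SHA-256 of the rule list; a changed hash triggers the full diff.
    Order matters because most devices apply the first matching rule."""
    digest = hashlib.sha256()
    for rule in rules:
        digest.update(rule.encode() + b"\n")
    return digest.hexdigest()


def diff_rules(baseline: list[str], current: list[str]) -> tuple[list[str], list[str]]:
    """Return (added, removed) rules relative to the approved baseline."""
    base_set, cur_set = set(baseline), set(current)
    added = [r for r in current if r not in base_set]
    removed = [r for r in baseline if r not in cur_set]
    return added, removed


def broad_permits(rules: list[str]) -> list[str]:
    """Permits whose source or destination is 'any' widen access more than a plant ACL should."""
    flagged = []
    for rule in rules:
        parts = rule.split()
        if parts[0] == "permit" and ("any" in (parts[2], parts[4])):
            flagged.append(rule)
    return flagged


def audit(baseline_text: str, current_text: str, approved_changes: set[str]) -> dict:
    """Compare a live export to the baseline and report rules that lack change approval."""
    baseline = normalize_rules(baseline_text)
    current = normalize_rules(current_text)
    if fingerprint(baseline) == fingerprint(current):
        return {"changed": False, "unapproved": [], "removed": [], "broad_permits": []}
    added, removed = diff_rules(baseline, current)
    return {
        "changed": True,
        "unapproved": [r for r in added if r not in approved_changes],
        "removed": removed,            # a removed deny is as serious as an added permit
        "broad_permits": broad_permits(current),
    }


if __name__ == "__main__":
    report = audit(APPROVED_BASELINE, CURRENT_EXPORT, approved_changes=set())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run on the constructed export, the audit reports one unapproved rule (the office-to-HMI RDP permit) and no removals; once the change board records that rule string in `approved_changes`, the same export audits clean. In practice the baseline should be stored outside the device and re-approved whenever a ticket is closed, so that the comparison is always against what was authorized rather than against whatever the device held last week.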
This is just one example, however, of the many components of security that organizations need to monitor — patch status, backup status, antivirus alarms, user and account risks, etc. A platform that brings all of these together significantly reduces the headaches of management and compliance.
Finally, bring IT and OT (also called factory automation, controls automation, supervisory control and data acquisition, or plant IT) individuals together to create an integrated approach that works for the whole environment. One of the biggest challenges to security for manufacturers is the presence of “operational technology,” or factory automation equipment, in their networks.
Devices such as programmable logic controllers (PLCs), robots, variable frequency drives, I/O cards and sensors, human machine interfaces (HMIs), panel-view terminals, etc. are not present in IT environments. In most organizations, these devices are not managed by the IT teams but by factory or manufacturing engineers. However, these manufacturing systems are the most critical assets in the company. If they are compromised, even if they do not contain CUI, operations can come to a standstill.
Therefore, it is essential early in the process to bring leadership from both areas to understand the CMMC standards, as well as potential risks and possible remediation steps for broader security risks such as ransomware.
This way, the teams can define the right tools and approaches that will provide the security requirements without disrupting the critical manufacturing systems. There are tools purpose-built for OT or manufacturing systems that provide the same level of security as in IT but are safe for operations in these sensitive operational systems.