Help, We've Been Hacked
By Lisa Derby Oden, MassMEP Project Development Coordinator
We hear it regularly in the news these days. Here in Massachusetts, Athol, Charlton, Gardner, New Bedford, the Leominster School District, and Bay Path Regional Vocational Technical High School are among the municipal governments and school districts that have been hit by cyber and ransomware attacks. According to Cyber Risk in Advanced Manufacturing, a study by Deloitte and the Manufacturers Alliance for Productivity and Innovation, 40 percent of manufacturing firms experienced a cyber-attack in the last year, and 38 percent of those suffered over $1 million in damages. The study also found that most of the cyber threats manufacturers experienced came through internal employees, via phishing, direct abuse of IT systems, errors and omissions, and use of mobile devices. Perhaps the most telling finding was that 87 percent of manufacturing companies report having a disaster recovery plan covering their data security concerns, but only 37 percent have a plan that is documented and tested. A plan that has never been exercised is an assumption about how recovery will go, not a capability.
Digging a little deeper, it is not just traditional hackers and cyber criminals who are targeting manufacturers. Manufacturers are also being attacked by competitors and by nation-states conducting industrial espionage. Attacker motivation can be monetary, but it also includes competitive advantage, disruption of operations, and revenge.
With this stark picture in view, let's look at the cybersecurity steps a manufacturer can take to protect itself. Cybersecurity, closely related to information security, refers to the technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access. This covers a lot of ground! NIST provides a thorough overview and framework for identifying and managing cybersecurity risk: https://www.nist.gov/cyberframework
New Required Certification
Prior to 2020, manufacturers in the Department of Defense (DoD) supply chain were required to comply with NIST SP 800-171, and compliance was self-assessed and self-attested. Starting in 2020, however, manufacturers planning to do business with the DoD will be required to pass an assessment by an accredited third-party assessment organization for Cybersecurity Maturity Model Certification (CMMC) before bidding on a contract or subcontracting to a prime.
The assessment is a certification procedure developed by the DoD to verify that contractors have the controls in place to protect sensitive data. There are five levels of certification: Level 1, Basic Cyber Hygiene; Level 2, Intermediate Cyber Hygiene; Level 3, Good Cyber Hygiene; Level 4, Proactive; and Level 5, Advanced/Progressive. The level a contractor must reach depends on the sensitivity of the information it handles, so the first practical step is to find out which level the contracts you intend to bid on will require. Manufacturers outside the DoD supply chain can choose self-assessment and work their way through the NIST framework linked earlier in this post.
There are resources available to help navigate this process if a manufacturer prefers not to go it alone. Tom Andrellos, MassMEP Director of Growth Services, states, "Unfortunately, manufacturers have become targets of hackers and attackers. Companies have become increasingly reliant on computer systems to vertically integrate product designs, manufacturing processes, cost structures, supplier networks, and proprietary information throughout the supply chain. This information becomes potentially destructive, and valuable information can go to competitors, agencies, and governments around the world. MassMEP's strong cybersecurity solutions and funding help with risk mitigation of these threats."
MassMEP offers three levels of assistance:
- Bronze/Cybersecurity Evaluation Training (CSET) – Walks you through the Self-Guided Assessment using a checklist-driven process. Covers policy, plans, and procedures. Meets the NIST CUI requirement.
- Silver/DFARS Approach/Cybersecurity Assessment Training 800-171 – Comprehensive assessment that supports any framework. Provides a company-specific action plan, recommendations, and cost estimate.
- Gold/Cybersecurity ISO 27001 – Security management system. Internationally recognized, standardized, and auditable. Maps across NIST SP 800-171 and ISO 27001.
To learn more about these levels go to: https://massmep.org/services-and-solutions/operational-excellence/cybersecurity/
For more information, contact: Tom Andrellos, firstname.lastname@example.org, 508-831-7020