Cybersecurity Requirements Raising the Stakes for Manufacturers
Guest blog post by Elliot Forsyth, Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center).
Cybersecurity is paramount to our nation’s safety and our military’s viability. Having a sustainable plan in place to combat cyber threats also is critical to the survival of a small business because just one cyber-attack can be catastrophic. The following statistics underscore the severity of the issue:
◾According to IBM, small and mid-sized businesses are hit by cyber-attacks about 4,000 times per day.
◾The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber-attack.
◾The Ponemon Institute has indicated that the average cost for small businesses to clean up after they have been hacked is $690,000, and for middle market companies the cost exceeds $1 million.
◾Manufacturing has become a top five industry for cyber-attacks.
As a result, government agencies are formalizing and instituting cybersecurity requirements for their contractors. Specifically, the Department of Defense (DoD), General Services Administration (GSA) and NASA require contractors to meet minimum security requirements detailed by the National Institute of Standards and Technology (NIST) in Special Publication 800-171 by December 31, 2017—or risk losing federal contracts.
In Michigan, home to more than 2,100 DoD contractors, the Michigan Manufacturing Technology Center (The Center) has launched an educational campaign for small to mid-sized manufacturers to inform them about the need to combat cybersecurity threats and how to comply with the NIST standards, which encompass 14 areas, including:
◾Awareness & Training
◾Audit & Accountability
◾Identification & Authentication
◾System & Communications Protection
◾System & Information Integrity
These requirements expand on initiatives that originated in 2009 when Congress began adding more information security requirements in the National Defense Authorization Act, and NIST started producing several iterations of cybersecurity standards. The DoD has implemented these measures through the Defense Federal Acquisition Regulation Supplement (DFARS), a component of the Federal Acquisition Regulations system that governs the process for acquiring goods and services.
Today there are new standards for companies handling “Controlled Unclassified Information” or CUI, data that can be considered government-proprietary. It is information the government wants held secure, but is not vital to national security. DFARS now is implementing cybersecurity requirements on contractors handling CUI—a far broader set of companies than those doing classified work.
Implementing proper cybersecurity plans can be a daunting task—especially when time sensitivity is a concern. Many facets of the NIST requirements, including the need for data encryption and multifactor authentication, typically are not found in an everyday manufacturing environment. Why? Small to mid-sized manufacturers typically don’t have the internal IT resources and sizable budgets large enterprises may possess.
A NIST MEP affiliate, The Center is committed to providing cost-effective solutions that enable Michigan manufacturers to work smarter, to compete and to prosper. This mission led to the introduction of a four-step cybersecurity program to meet the requirements mandated in NIST Special Publication 800-171, which was part of a recent informational session hosted by The Center. Highlighting the meeting was special guest Pat Toth, the NIST MEP cybersecurity expert who was involved with the development of the NIST standards.
Toth informed nearly 80 manufacturers about the need for the standards and explained why cybersecurity is more than just a manufacturing issue—it’s an ongoing safety issue. She outlined tactics for guarding CUI and warned attendees about common cyber dangers including spoofing, snooping, social engineering, ransomware and more. Following her presentation, she led a Q&A discussion with the manufacturers.
Understanding the wide range of ongoing complex cyber threats remains a challenge, yet it is no longer optional. In our increasingly connected digital world, cybersecurity will continue to grow in importance and complying with NIST 800-171 could well become part of standard operating procedures.