Manufacturing equipment cyber attacks

Why is manufacturing equipment particularly vulnerable to cyber attacks?

CISA (the Cybersecurity and Infrastructure Security Agency) issued an ICS Alert on November 17th calling out a particular vulnerability in critical manufacturing equipment. Industrial Control Systems (ICS) are a too-often overlooked cyber security weak point in manufacturing. You can see the alert here for the technical details.

Our immediate interest is in highlighting the broad tendency of manufacturing equipment to be more exposed to attack than ordinary IT systems. For industries directly involved in critical infrastructure, such as power plants or transportation, cyber security is a given. However, the exposure extends well beyond critical infrastructure. Common manufacturing equipment, such as CNC machines, is increasingly a target of cyber attacks, because it is unusually vulnerable.

Manufacturing equipment often has a lifespan significantly longer than the underlying computing equipment that controls it. We hear too often about manufacturing equipment still running on outdated Windows XP computers, and therein lies the problem. Old operating systems are no longer updated (patched) to keep pace with current cyber threats, whether because of expensive software licenses tied to the manufacturing equipment or because the exposure is simply overlooked. This, coupled with the tendency to connect everything to the network and/or the Internet, creates a vulnerability unique to manufacturers.

What does this mean for manufacturers and their IT partners? 

You and your IT team, whether internal or your Managed Service Provider (MSP), need to pay particular attention to these vulnerabilities. If your operating systems are outdated, or other hardware has known vulnerabilities, this is not only a threat to the availability of the manufacturing equipment (denial of service attacks) but can also expose a path into your broader network and the data on it.

Ideally, your manufacturing equipment is patched and updated on a cadence similar to that of your computing equipment. If you can't achieve that, for reasons of expense or otherwise, you can plan other remediation, such as isolating the equipment from the rest of the network and particularly from the Internet.
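One way to implement the isolation recommended above, as an added example that is not part of the original post: an nftables ruleset for a Linux firewall placed between the office LAN, an OT VLAN holding the legacy machine controllers, and the Internet uplink. The interface names, subnets, the single engineering workstation address and the ports (FTP for program transfer, RDP for remote support) are assumptions for the example.

```nftables
#!/usr/sbin/nft -f
# Assumed layout (constructed for this example):
#   eth0 = Internet uplink
#   eth1 = office LAN 10.10.0.0/24
#   eth2 = OT VLAN 10.20.0.0/24 holding the legacy (e.g. Windows XP) CNC controllers
#   10.10.0.50 = the one engineering workstation allowed to talk to the machines
flush ruleset

table inet ot_isolation {
    # Hosts permitted to open sessions into the OT VLAN; extend the set, not the rules
    set eng_workstations {
        type ipv4_addr
        elements = { 10.10.0.50 }
    }

    chain forward {
        # Deny by default: anything not explicitly listed below is dropped
        type filter hook forward priority 0; policy drop;

        # Reply traffic for sessions the rules below already permitted
        ct state established,related accept
        ct state invalid drop

        # Office users keep normal Internet access
        iifname "eth1" oifname "eth0" accept

        # Only the engineering workstation may reach the machines, and only on the
        # ports the machines actually need (assumed: FTP for DNC program transfer, RDP)
        iifname "eth1" oifname "eth2" ip saddr @eng_workstations ip daddr 10.20.0.0/24 tcp dport { 21, 3389 } accept

        # Unpatched machines never initiate connections anywhere: not to the office
        # LAN and never to the Internet. Log the attempts; they are a detection signal.
        iifname "eth2" counter log prefix "ot-egress-blocked " drop

        # Any other office-to-OT traffic is dropped and logged for review
        iifname "eth1" oifname "eth2" counter log prefix "ot-ingress-blocked " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes: any "ot-egress-blocked" entry means a machine on the OT VLAN tried to reach out, which on an isolated segment is worth investigating.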

For more information on manufacturing vulnerabilities, including evolving CMMC requirements, we invite you to reach out for a discussion.  Contact us here.

What CMMC means for you

Whether you're a defense contractor or a supplier to defense contractors, the Cybersecurity Maturity Model Certification (CMMC) is likely to have a direct impact on you, and soon. Similarly, Managed Service Providers (MSPs) supporting subcontractors are already seeing interest in CMMC skyrocket.

The NIST 800-171 cyber security standard is already a requirement for Department of Defense (DoD) contractors under DFARS. CMMC extends NIST 800-171 to include certification. There are three important recent CMMC developments:

1) Prime contractors are starting to enforce NIST 800-171 compliance, even in advance of CMMC.

While the Defense Federal Acquisition Regulation Supplement (DFARS) has required NIST 800-171 for at least five years, enforcement has been lax. Many subcontractors simply put together a Plan of Action and Milestones (POAM) and left implementation behind. Now primes are starting to enforce compliance themselves, asking for completed security questionnaires and validation.

If you have a DoD subcontract, you'll likely start to see compliance terms in your RFPs and contracts, along with audit rights.

2) The DoD is phasing in a self-reported score on each NIST 800-171 control. Self-reported compliance is getting teeth, but still selectively.

Just as the prime contractors are enforcing NIST 800-171 compliance, the DoD itself is tightening the reins. A CMMC Interim Rule was recently issued and takes effect on November 30, 2020. This rule requires defense contractors to self-report their NIST 800-171 compliance for select contracts, using a specified scoring methodology.

You will want to check your RFPs to see whether "DFARS 252.204-7012" is included. If so, and if you want a chance to win, you will have to self-report a compliance score. Contract awards that include this clause will be subject to review of the reported scores, and perhaps audits.

If you have a DoD contract, CMMC may be coming sooner than you might think.  Fortunately, some funding for compliance may be available or refundable through the contracts.

3) It appears CMMC will expand beyond the DoD, to all federal contracts.

The General Services Administration (GSA) has already started advising its suppliers to prepare for CMMC. Similarly, the Department of Homeland Security appears to be heading towards adopting CMMC. As more federal contracts head in this direction, look for states to follow suit. While a few states may choose to develop their own standards, most will be inclined to use what's already developed and gaining momentum.

The buzz around CMMC has accelerated as suppliers and their IT partners prepare for this major cyber security requirement. Many MSPs are readily capable of implementing the technical controls associated with CMMC. However, few are prepared to support that implementation with the overarching security program and administrative controls it also requires: governance (policies) and compliance audits. If CMMC is entering your world, feel free to reach out for a consultation.