As the decade comes to a close, we think about what’s next for cybersecurity in manufacturing.
Manufacturing is a critical infrastructure in the United States. With a significant percentage of the entire US market supporting national defense, the manufacturing supply chain is a prime target for cyberattacks and increased regulation. For the last few years, government agencies have been pushing for the supply chain to get compliant with the NIST SP800-171 cybersecurity standard to fight potential threats.
This past year, the government has been working on two new standards that will affect the industry once they are finalized:
- NIST SP800-171B
- Cybersecurity Maturity Model Certification
The new NIST SP800-171B standard will impose even stricter cybersecurity requirements for companies handling the most sensitive information and components. While the name looks almost the same as the original standard, the “B” makes a big difference. This new standard piles on new requirements including:
- Limiting nearly all use of employee’s personal devices for work
- Requiring expensive hardware to handle encryption when moving data between secure networks
- Mandating 24/7 staffing of a security operations center.
While compliance with the “B” standard will drive up IT budgets, it is aimed at countering “advanced persistent threats” — the kind of hacking done by foreign adversaries to get the US’s most critical data. Fortunately for small-to-medium-sized manufacturers, these requirements are likely to only be imposed on bigger prime contractors. Also, the standard is still only a draft and not yet enforced in contracts.
Cybersecurity Maturity Model Certification
Another draft standard is the Cybersecurity Maturity Model Certification (CMMC). This document proposes a framework for how to evaluate a contractor’s cybersecurity capabilities. It imposes different levels of requirements based on the sensitivity of a contract. For each category of information protection, a company’s capabilities are rated from level 1 (least mature) to level 5 (most mature). Shops working on NIST SP800-171 compliance know that there is no official certification for compliance. That means shops often bring in expensive consultants for audits and assessments. Even that doesn’t guarantee that a government contract office will consider you compliant.
Once this new standard is finalized, things will be much clearer for two reasons:
- The industry will know exactly how to evaluate a contractor’s security.
- Government contracting offices will have the ability to mandate different levels (1-5) of cyber capabilities based on the contractor and project.
Depending on how the standard gets finalized and implemented, this could be a big help to smaller shops that produce components of export-controlled systems but do not work with the full assemblies.
Securing the Entire Supply Chain
Government contractors and subcontractors must also ensure that their entire supply chain adheres to these regulations to maintain data security. This includes material and tooling distributors, platers and other finishers, and any cloud computing service used by the manufacturer to process technical data. Manufacturers typically have policies on how data must be secured internally and within their network. However, in practice, there is often a loose policy for how data is transferred to vendors for communication purposes.
The following examples are potential security gaps:
- When consulting a cutting tool vendor, an email is sent with screenshots of the part and prints. Even worse, the CAD files and prints might be emailed back and forth.
- When going to your outside plater for a quote, a print is attached to an email to the plater for reference.
- Emails are exchanged with customers containing screenshots and file revisions.
- Technical data is processed, stored, or shared using a cloud-based service that is not ITAR compliant per DFAR 252.239-7010. For example, this regulation requires ITAR data on cloud-based services reside in the US — the cloud services you’re using almost definitely do not guarantee this.
Fortunately for manufacturers, there is a better way. Paperless Parts is leveraged by manufacturers to securely communicate with internal teams and with external people like customers and outside service providers. All data is stored in a secure ITAR-compliant manner, complementing NIST SP800-171 strategies manufacturers are adopting.
The Machine Shop’s Guide to Evaluating the Right Front Office Software
This article was written by Scott Sawyer
Scott Sawyer is Co-Founder & Chief Technology Officer at Paperless Parts. He is focused on platform security and developing algorithms to quote parts more quickly and accurately, while scaling both the team and architecture. He worked on defense “big data” technology at MIT Lincoln Lab and Lockheed Martin, prior to leading the engineering team at a Boston IoT startup. Scott holds a BSEE (Villanova) and MSEE (UPenn).