The manufacturing industry is under increasing threat from cyber-related risks and attacks. Over the past year there was a marked shift toward targeted cyber security attacks on manufacturing companies, which jumped from the eighth-largest target in 2019 to the second-largest target in 2020. This is just one of the reasons why the US Department of Defense is rolling out its Cybersecurity Maturity Model Certification to ensure the protection of Controlled Unclassified Information (CUI) within the Defense Industrial Base.

In fact, according to 2020 ICS-CERT alerts, the number of CVEs (vulnerabilities) found in ICS products rose 50% from 2019 to 2020. Those vulnerabilities are largely found in products used in the manufacturing, energy, and transportation sectors.

As the Cybersecurity Maturity Model Certification (CMMC) rolls out, it’s important for manufacturing companies to think more broadly than just CMMC. While it can address other risks in addition to CUI, it is not the be-all and end-all.

 

What is CMMC (Cybersecurity Maturity Model Certification)?

CMMC is the United States Department of Defense’s (DoD) new cybersecurity maturity model for the defense industrial base, specifically focused on DoD contracts. It will be implemented over time and apply to any contractor at any tier doing business with the DoD.

Each contract will determine the security maturity standards for that scope of work. Each vendor will be assessed against five maturity levels by a group called the Accreditation Board, which is currently being formed. The CMMC Accreditation Board (CMMC-AB) recently appointed Matthew Travis as CEO and Karlton Johnson as Chairman.

CMMC focuses on the protection of CUI (controlled unclassified information) to safeguard the nation’s defense secrets from disclosure to foreign governments or hackers who may turn around and sell this information.

The Cybersecurity Maturity Model Certification starts this year with several pilot programs and is expected to be fully implemented by 2025, though there has been some delay from the change of presidential administrations and with COVID-19 complexities. Regardless of the timeframe, more and more contracts will be awarded using a CMMC standard in the coming years.

 

How is CMMC structured?

The CMMC model is broken down into multiple domains, each covering a different category of controls, such as access control and access management.

Within each domain is a series of practices and processes at each maturity level that a company must achieve to be considered level 1, level 2, and so on. The processes cover the procedural side, while the practices are the technical measures that show a company is actually doing the work, such as patching or enforcing least-privilege access. The degree to which these are institutionalized determines how far an organization is along its maturity journey.

 

What are the 17 capabilities domains of CMMC?

If you’ve looked at other cyber security standards, CMMC likely seems very similar. It leverages a lot of what other standards are already encouraging or requiring.

At the most basic level, CMMC describes maturity either by the processes performed or by the practices that make up basic cyber hygiene. Processes are documented and managed. The goal is to monitor that they are happening, review them on a regular basis to confirm they still work, and optimize or adjust them over time so that the organization keeps getting better. Practices are the more proactive elements. They go beyond the basic fundamentals and attempt to think ahead to where an attacker might strike next.

 

Why was CMMC created and why is it important?

Foreign threat actors have already demonstrated successful infiltration of the defense industrial base to steal critical information and intellectual property (see F-35 program). Compromise of critical supply chains can cause risks to intellectual property, but also the potential for that information to inform counter-defenses by military enemies. 

Supply chains are a critical area of threat across industries but especially so in manufacturing. 

Let’s look at a real-world example:

Last week, the REvil group announced that it had attacked Apple’s supplier Quanta, claimed to have stolen critical proprietary product information, and is holding it for a $50 million ransom. While this example doesn’t involve a provider of weapons systems, it shows how a supplier, Quanta, affected a manufacturing company. The reality is that this is happening, and CMMC aims to protect the DoD’s suppliers from being put in a position similar to Quanta’s.

However, the potential compromise of CUI is only one of a range of cyber risks that industrial companies face. Although CMMC does not focus on ransomware and other types of threats to operational resilience, for manufacturing companies, these risks are perhaps of greater financial impact as evidenced by some of the significant costs from ransomware disruptions over the past several years.

While manufacturing may not seem like the most obvious or “sexy” industry to target, downtime in manufacturing plants causes significant financial loss.

In fact, eight of nine recent manufacturing attacks caused physical shutdowns in 2020 across multiple plants. This provides hackers leverage to ask for significant sums of cash – up to $10 million in some cases – especially in those industries with cyber security insurance.

So compliance is far from the only reason that manufacturers should focus on robust cyber security. 

 

How can manufacturers prepare for CMMC – and broader cyber security?

The Department of Defense’s timeline is to conduct several pilot programs in 2021 and then begin a more widespread deployment of the certification program in 2022 and be completely implemented by 2025. There have been some delays due to COVID-19 complications, but the administration has indicated this timeline will remain. 

 

What should manufacturers do now?

First, begin with an assessment to understand both your security maturity as well as an appropriate roadmap to improve security. Compliance requirements can lead organizations to approach the task as a box-checking exercise. We strongly urge manufacturers to ensure a holistic assessment of the cyber risks not only to CUI, as required by the DoD, but to their overall operational resilience as well. 

It may be that a company’s access to CUI is limited overall or confined to particular systems. From a compliance point of view, that will limit the security requirements. But it can create a false sense of security about the broader risks from attacks on operational resilience.

A comprehensive cyber assessment will certainly include the elements of the CMMC but will also review potential threats beyond the informational ones covered specifically by regulations. 

Second, develop a remediation roadmap. For many organizations, the assessment will highlight any gaps and potential threats. Progress requires a clear prioritization against a set of controls that both address any compliance requirements they might have due to CMMC as well as the broader cyber risks identified in the assessment. There is no “cookie-cutter” set of priority initiatives as each organization’s risks and resources will be different.

Key elements of the security remediation roadmap will likely include:

  • Gaining an accurate asset inventory
  • Ensuring regular vulnerability remediation, either through patching or application of compensating controls
  • Deploying or improving network segmentation and protections to limit access to certain systems over the network
  • Limiting user and account access to only what is absolutely necessary, following the principle of “least privilege”
  • Ensuring regular and confirmed backups for key systems

Third, find a way to scale resources either through tapping into third-party service providers or simplifying security through a security management platform. Security maturity is not easy, but it can be made less complex by tapping into expertise or streamlining all of the tools. Some organizations rightfully will choose to outsource key functions to experts such as “managed security services providers”. These firms bring scale and expertise that may not be available internally. 

For those that do decide to drive their security and compliance internally, an IT/OT security platform that brings all elements of a standard together is the most successful way to ensure compliance and reliability.


A single platform provides a 360-degree view of risks in the environment in order to quickly prioritize which to remediate and fix. This deep risk view always starts with a robust asset inventory. This asset inventory, if done correctly, provides the foundation for the rest of the security program – from vulnerability assessment to patch management to user and account management, all the way to detection and responding to threats.

The 17 domains of CMMC highlight the complexity that comes with cyber security. A platform that drives maturity across these domains dramatically reduces the total labor and costs required. This is not to say that you will not need separate components to conduct network segmentation or backups, but a platform brings the data from each of these components into a single view to ensure ongoing maintenance and compliance monitoring. 

One example is the area of network configurations. Firewalls, VLANs, or other network protections will be a part of almost any security maturity program. However, to ensure that the protections remain robust, operators need to ensure that the rules in those devices reduce access as much as possible and are not changed by people within the manufacturing environment without clear approval. A platform allows you to monitor these configurations for potential changes.

This is just one example, however, of the many components of security that organizations need to monitor – patch status, backup status, anti-virus alarms, user and account risks, etc. A platform that brings all of these together significantly reduces the headaches of management and compliance. 
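The network-configuration monitoring described above can be illustrated with a small baseline audit. The following is an added example, not Verve’s code or any product’s API: it diffs a current rule export against the approved baseline, matches each change against a hypothetical change-approval record, and separately flags any permit rule that opens access to or from “any”. The rule format, addresses, ports and ticket id are all constructed sample data.

```python
# Constructed sample rule exports in a simplified "action source destination port"
# format; real firewalls and switch ACLs need a vendor-specific parser.
BASELINE_EXPORT = """
permit 10.10.1.0/24 10.20.5.10 502
permit 10.10.1.0/24 10.20.5.11 44818
deny any any any
"""
CURRENT_EXPORT = """
permit 10.10.1.0/24 10.20.5.10 502
permit any 10.20.5.11 44818
permit 10.10.1.0/24 10.20.5.12 3389
deny any any any
"""
# Hypothetical change-approval records: rule text -> approved change ticket.
APPROVED_CHANGES = {"permit 10.10.1.0/24 10.20.5.12 3389": "CHG-1042"}


def parse_rules(export: str) -> list[str]:
    """Normalise an export into one whitespace-collapsed rule per line."""
    return [" ".join(line.split()) for line in export.splitlines() if line.strip()]


def widens_access(rule: str) -> bool:
    """A permit from or to 'any' does not reduce access as far as possible."""
    action, src, dst, _port = rule.split()
    return action == "permit" and "any" in (src, dst)


def audit_ruleset(baseline: str, current: str, approved: dict[str, str]) -> list[tuple[str, str, str]]:
    """Diff current rules against the baseline; return (finding, rule, ticket) tuples."""
    # Set comparison ignores rule order, so a re-ordered but otherwise identical
    # ruleset is reported as unchanged even though order matters on real devices.
    base, now = set(parse_rules(baseline)), set(parse_rules(current))
    findings = []
    for rule in sorted(now - base):
        ticket = approved.get(rule, "")
        findings.append(("approved_add" if ticket else "unapproved_add", rule, ticket))
        if widens_access(rule):  # flag even approved changes that open access broadly
            findings.append(("broad_permit", rule, ticket))
    for rule in sorted(base - now):
        ticket = approved.get(rule, "")
        findings.append(("approved_remove" if ticket else "unapproved_remove", rule, ticket))
    return findings


if __name__ == "__main__":
    for kind, rule, ticket in audit_ruleset(BASELINE_EXPORT, CURRENT_EXPORT, APPROVED_CHANGES):
        print(f"{kind:18} {rule}" + (f"  ({ticket})" if ticket else ""))
```

Run on a schedule against each device’s exported configuration, the unapproved and broad-permit findings are the events a platform would surface for review.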

Finally, bring IT and OT (also called factory automation, controls automation, SCADA, or Plant IT) people together to create an integrated approach that works for the whole environment. One of the biggest challenges to security for manufacturers is the presence of “Operational Technology” or factory automation equipment in their networks.


Devices such as PLCs, robots, variable frequency drives, I/O cards, sensors, HMIs, and panel-view terminals are not present in IT environments. In most organizations, these devices are managed not by the IT teams but by factory or manufacturing engineers. Yet these manufacturing systems are the most critical assets in the company. If they are compromised, even if they do not contain CUI, operations can come to a standstill.

Therefore, it is essential early in the process to bring leadership from both areas to understand the CMMC standards, as well as potential risks and possible remediation steps for broader security risks such as ransomware.

This way, the teams can define the right tools and approaches that meet the security requirements without disrupting the critical manufacturing systems. There are tools purpose-built for OT or manufacturing systems that provide the same level of security as in IT but are safe to operate in these sensitive operational systems.

 

Benefits of a multifunction platform for IT/OT security

For the past 30 years, Verve has worked with manufacturing and industrial organizations to help secure their environments. We have learned what will work in manufacturing and what will not. We have helped clients from assessment through to remediation and maintaining high security standards. 

We believe the only real way to make progress is to combine an IT-OT software platform, which reduces the cost of security management, with expert human resources that give internal teams the necessary expertise and scale. An IT-OT platform like Verve provides 5 key benefits.

And when combined with our team of operational technology cyber security and operations experts, the platform can accelerate time to maturity as well as reduce the cost of maintenance.

 

FAQs about CMMC for Manufacturers:

Is CMMC better than NIST or NIST 800-53 for manufacturers?

This is not a question of better or worse; they are different. CMMC is a maturity model, not a standard. The overall goal is to see maturity improve over time. Level requirements differ depending on organizational attributes.

 

Is CMMC applicable to OT?

Yes. If there is CUI on OT networks, it is applicable. It’s about protecting the CUI. If CUI moves onto a CNC machine, but we can’t find a way to remove it from the design, we must protect the machine. If we can limit the amount of information shared in OT devices, we can reduce the CMMC maturity requirements into OT.

 

How do you deal with out-of-date systems?

Identify the processes, procedures, and compensating controls in place. What is the process to ensure the CUI is protected if the system can’t be replaced or patched? Document this procedure and compensating controls.

 

What’s the difference between security for CUI and Operational Risk?

There is a series of ways to limit compliance scope based on where CUI lives within an OT environment. For example, segmenting networks reduces the number of systems that hold CUI and therefore limits the scope of where CMMC applies. But with ransomware and other attacks, manufacturing organizations need to think more holistically.

 

How does CMMC overlap with other security requirements? 

There are overlaps, as CMMC is built on the NIST 800-171 framework. The great news is that as you secure your environment according to NIST CSF or 800-171, you are completing a significant share of the steps toward CMMC maturity. Our presentation lays out how CMMC fits with NIST 800-171 and where it goes beyond it.
