Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Manufacturing Innovation Blog

Cybersecurity Requirements Raising the Stakes for Manufacturers

March 28, 2017

By: Elliot Forsyth

Guest blog post by Elliot Forsyth, Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center).

Cybersecurity is paramount to our nation’s safety and our military’s viability. Having a sustainable plan in place to combat cyber threats also is critical to the survival of a small business because just one cyber-attack can be catastrophic. The following statistics underscore the severity of the issue:

According to IBM, small and mid-sized businesses are hit by cyber-attacks about 4,000 times per day.
The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber-attack.
The Ponemom Institute has indicated that the average price for small businesses to clean up after they have been hacked is $690,000; and, for middle market companies, the cost exceeds $1 million.
Manufacturing has become a top five industry for cyber-attacks.

As a result, government agencies are formalizing and instituting cybersecurity requirements for their contractors. Specifically, the Department of Defense (DoD), General Services Administration (GSA) and NASA require contractors to meet minimum security requirements detailed by the National Institute of Standards and Technology (NIST) in Special Publication 800-171 by December 31, 2017—or risk losing federal contracts.

In Michigan, home to more than 2,100 DoD contractors, the Michigan Manufacturing Technology Center (The Center) has launched an educational campaign for small to mid-sized manufacturers to inform them about the need to combat cybersecurity threats and how to comply with the NIST standards that encompass 14 areas:

Access Control
Awareness & Training
Audit & Accountability
Configuration Management
Identification & Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System & Communications Protection
System and Information Integrity

These requirements expand on initiatives that originated in 2009 when Congress began adding more information security requirements in the National Defense Authorization Act, and NIST started producing several iterations of cybersecurity standards. The DoD has implemented these measures through the Defense Federal Acquisition Regulation Supplement (DFARS), a component of the Federal Acquisition Regulations system that governs the process for acquiring goods and services.

Today there are new standards for companies handling “Controlled Unclassified Information” or CUI, data that can be considered government-proprietary. It is information the government wants held secure, but is not vital to national security. DFARS now is implementing cybersecurity requirements on contractors handling CUI—a far broader set of companies than those doing classified work.

Implementing proper cybersecurity plans can be a daunting task—especially when time sensitivity is a concern. Many facets of the NIST requirements, including the need for data encryption and multifactor authentication, typically are not found in an everyday manufacturing environment. Why? Small to mid-sized manufacturers typically don’t have the internal IT resources and sizable budgets large enterprises may possess.

A NIST MEP affiliate, The Center is committed to providing cost-effective solutions that enable Michigan manufacturers to work smarter, to compete and to prosper. This mission led to the introduction of a four-step cybersecurity program to meet the requirements mandated in NIST Special Publication 800-171, which was part of a recent informational session hosted by The Center. Highlighting the meeting was special guest Pat Toth, the NIST MEP cybersecurity expert who was involved with the development of the NIST standards.

Toth informed nearly 80 manufacturers about the need for the standards and explained why cybersecurity is more than just a manufacturing issue—it’s an ongoing safety issue. She outlined tactics for guarding CUI and warned attendees about common cyber dangers including spoofing, snooping, social engineering, ransomware and more. Following her presentation, she led a Q & A discussion with the manufacturers.

Understanding the wide range of ongoing complex cyber threats remains a challenge, yet it is no longer optional. In our increasingly connected digital world, cybersecurity will continue to grow in importance and complying with NIST 800-171 could well become part of standard operating procedures.

Cybersecurity

About the author

Elliot Forsyth

Elliot Forsyth is Vice President of Business Operations at the Michigan Manufacturing Technology Center (The Center). He joined the organization in July 2014 and is responsible for leading strategy, marketing, and business development, including the formation and implementation of The Center's cybersecurity practice area. Prior to joining The Center, Elliot had more than 20 years of broad, global business experience with an outstanding record of leading Operations, Strategy, and HR functions.

Video: Heroes of American Manufacturing – AMG Engineering and Machining

June 14, 2023

Small and medium-sized manufacturers sometimes think they’re too small to be a target for hackers. They may not have the resources to put into cybersecurity

Cybersecurity Risk Mitigation for Small Manufacturers

May 12, 2023

Many small manufacturers have limited resources and lack the staff and tools to adequately address cybersecurity needs – leaving them particularly vulnerable to

Demands for Increased Visibility Are Impacting Cybersecurity Preparedness

November 9, 2022

Digitization and connectivity are having a huge impact on more than just your manufacturing operations and ability to monetize data. Your vulnerabilities also

Comments

Per my publication in the NIST RIF, in October 2014, it will not be a cost-effective approach for SMEs to use NIST CSF unless the SMEs have transformed their system-of-systems into Net-Centric Operations and Supply Chains. Please see, Integrated Activity-Based Simulation Research, Inc. RFI in the link below: csrc.nist.gov/cyberframework/rfi_comments_10_2014.html

Deadline is getting close, hopefully everyone is ready on time.

Add new comment

Your name

CAPTCHA

What code is in the image? *

Enter the characters shown in the image.

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

Please be respectful when posting comments. We will post all comments without editing as long as they are appropriate for a public, family friendly website, are on topic and do not contain profanity, personal attacks, misleading or false information/accusations or promote specific commercial products, services or organizations. Comments that violate our comment policy or include links to non-government organizations/web pages will not be posted.

Search

Email alerts

Subscribe to free e-mail alerts from the Manufacturing Innovation blog by entering your e-mail address in the box below.

Stay connected

About this blog

Manufacturing Innovation, the blog of the Manufacturing Extension Partnership (MEP), is a resource for manufacturers, industry experts and the public on key U.S. manufacturing topics. There are articles for those looking to dive into new strategies emerging in manufacturing as well as useful information on tools and opportunities for manufacturers.

The views presented here are those of the author and do not necessarily represent the views or policies of NIST.

If you have any questions about our blog, please contact us at mfg [at] nist.gov (mfg[at]nist[dot]gov).