How Vulnerable Are You To a Cyber Attack? A Self-Assessment Tool for Manufacturers

By: Pat Toth

It’s important for everyone — manufacturers and others — to recognize the threat of cyber attacks and how to prevent them. The vulnerabilities exploited by cybercriminals can shut down your operations, requiring your company to spend thousands of dollars on enhancing security measures and reassuring customers you’re still trustworthy.

One of the challenges manufacturers often face regarding cyber threats is that they're not sure how vulnerable they really are. Have you ever thought about how you can assess your company's vulnerability level? Wouldn’t it be great to be able to better understand where your company lands in meeting its cybersecurity needs?

Fortunately, it's easier than you may think. You can get started by using the MEP National Network™ Cybersecurity Assessment Tool to self-assess the level of cyber risk to your business.

A Walkthrough of the Cybersecurity Assessment Tool

As you may know, the National Institute of Standards and Technology (NIST) released the five-part Cybersecurity Framework, which has become the standard for cybersecurity in manufacturing and many other industries. MEP’s self-assessment tool is based on the Framework and follows its five categories: Identify, Detect, Protect, Respond, and Recover.

Identify

After you’ve provided some basic information about your company including the state of residence, you can begin to use the assessment tool. Keep in mind that NIST and the MEP National Network do not retain any information about your company, other than its location. Your score for each step of the Framework will not be recorded. You may want to take note of your score in order to track your progress when you use the tool again for a re-assessment.

The first part of the self-assessment tool relates to the existing structures and practices that help identify cyber threats to your company.

Topics covered in this section include:

  • Whether you've identified the confidential data your company holds and which devices contain it
  • Employee phishing training and their access to sensitive data
  • Whether the devices that store sensitive information are up to date and do not include nonessential business applications
  • Your understanding of the legal and regulatory requirements your company must follow regarding cybersecurity
  • Organizational risk tolerance determination and expression
  • Whether you share and receive information about threats and vulnerabilities from internal and external sources
  • How your company manages passwords
  • The strength and complexity of the passwords you use
  • How often your company changes passwords

The answer choices are straightforward; most require only “yes,” “no” or short answers.

Protect

Next, the tool goes into the Protect category of the NIST Cybersecurity Framework and discusses system protection. Be prepared to give answers about matters such as:

  • Automatic timeouts
  • Firewalls
  • Data retention and destruction policies
  • How often employees receive cybersecurity training
  • Whether workers can access company data remotely
  • Access management for physical assets
  • Data encryption
  • Disaster recovery policies
  • Physical asset management and protection
  • Whether your human resources department assists with cybersecurity practices by doing things like locking a person's account when they leave the company

Detect

The Detect category of the NIST Cybersecurity Framework assesses how well you are equipped to detect malicious threats to your systems. You'll answer questions related to matters like:

  • Anti-virus and anti-malware protection installed on devices
  • The frequency of malware checks
  • How your business monitors for cybersecurity events
  • Whether you track network security events and correlate them with log files

Respond

The Respond portion of the Framework checks to see how well your business is prepared to take action after detecting a cybersecurity threat or incident. The questions cover topics such as:

  • Whether parties in your organization have assigned roles and responsibilities and know how to carry them out when needed
  • Details about the response plan your company has in place to use after an incident
  • Whether you've made changes after past cybersecurity issues to stop problems from happening again
  • Whether there is a person or group assigned to keep cybersecurity events under control and discover when and where they occurred
  • Whether your business has a plan in place to notify customers about compromised sensitive information

Recover

The Recover category deals with the practices you have in place to help your business recover after a cybersecurity incident. The section covers:

  • How often you back up your data
  • Whether you have contact details for parties that could help with the recovery process as needed — such as law enforcement personnel, internet service providers, public relations agencies and lawyers that specialize in cybercrime
  • Whether your recovery plan has actions you and your employees will take to restore normalcy after a cybersecurity event
  • Whether there is someone at the organization responsible for managing the recovery
  • Whether your recovery strategies incorporate lessons learned and get updated as your technologies or plans change
  • Whether you have insurance coverage associated with cybersecurity

After you finish with the questions within the Recover section, the tool shares a few recommended resources before it generates your score.

How Your Local MEP Center Can Help Secure Your Business Through Cybersecurity

If the assessment shows that issues exist in any part of your cybersecurity strategy or if you're weak in a certain area outlined in the NIST Cybersecurity Framework, your local MEP Center will be able to help you reduce the risks to your manufacturing business. One of the resources provided after you complete the assessment is a link to an interactive map of Manufacturing Extension Partnership (MEP) Centers. You can search by state or location to find your local MEP Center.

Remember, the first step to making a change is knowing a problem exists. Use the MEP National Network Cybersecurity Assessment Tool to arm yourself with the knowledge, and take action!

About the author

Pat Toth

Pat is a Computer Scientist at NIST MEP and serves as the Cybersecurity Program Manager. Pat has over 30 years of experience in Cybersecurity and worked on various NIST Cybersecurity guidance...
