Where to Start

The word “cybersecurity” can be intimidating, but efficiently managing risks to your data, information, and technology assets is a foundational aspect of effectively operating a business. Many businesses only begin to look at cybersecurity and privacy when it is required by a customer or they experience an incident such as a data breach or ransomware attack. Don’t wait until it’s too late! The sooner you start managing these risks, the better able you will be to cost-effectively adapt and comply with customer or industry requirements and respond if an incident does happen.

The grant, SCMEP's partnerships with providers to facilitate the audit, and their continued follow-up made this process so much easier than going alone. We appreciate the work SCMEP does with South Carolina manufacturers to make our state thrive.

— Todd Beak, General Manager

Small Business Guide

Small and medium-sized manufacturers (SMMs) are especially vulnerable to a cybersecurity event: they often are less prepared for an event, have valuable information that is not well protected, are willing to pay ransoms in order to avoid costly disruptions, and act as entry points to other valuable targets. But because SMMs often have less complex operational needs and IT/OT infrastructures, they may be able to quickly take some basic steps to defend their information and systems. View and download the manufacturer’s guide to cybersecurity for small and medium-sized manufacturers for some easy steps any manufacturer should be able to implement to quickly and cost effectively address cybersecurity risk.

This guide is based on guidance in the Cybersecurity Framework 2.0 and generally accepted cyber hygiene best practices. It is broken down into five steps: Identify, Protect, Detect, Respond, and Monitor. It also has some basic practices you and your employees can take immediately to protect your data and information. Additional guidance will be forthcoming for small businesses of all sizes, including manufacturers.

[Diagram: cyber 5-step assessment]

Govern

The NIST Cybersecurity Framework (CSF) provides an outline for how to achieve cybersecurity outcomes, regardless of organizational size or maturity. Incorporating the functions and categories of the CSF into organizational cybersecurity policy ensures broad coverage across each of the major cybersecurity topics to manage and reduce risk.

The Manufacturing Profile offers guidance on how to implement the CSF specifically for manufacturing organizations. The Profile further tailors its guidance to the impact level of each system within the manufacturing environment.

Identify

CISA offers the Cyber Security Evaluation Tool (CSET), a desktop software tool that guides asset owners and operators through a step-by-step process to evaluate industrial control system (ICS) and information technology (IT) network security practices.

CISA publishes cybersecurity alerts and advisories through a variety of reports to spread awareness of vulnerabilities, indicators of compromise, tactics and techniques of known threat actors, and mitigations.

CISA Tabletop Exercise Packages (CTEPs) are a comprehensive set of resources designed to assist stakeholders in conducting their own exercises. Cybersecurity, physical security, and cyber-physical convergence scenarios have been developed to test the company’s response and recovery capabilities.

Protect

CISA partnered with INL to develop training for Industrial Control Systems (ICS). Web-based training is offered through the CISA Virtual Learning Portal, and instructor-led training is also available. All CISA training courses are presented with no tuition cost to the attendee.

NIAP publishes a Product Compliant List of evaluated products which comply with the requirements of the National Information Assurance Partnership (NIAP) program and, where applicable, Federal Information Processing Standards (FIPS). Although this is not specifically designed for manufacturing, it is useful for identifying commercially available vendor products which have gone through a security approval process.

The International Society of Automation Security Compliance Institute is a non-profit entity that certifies OT components, systems, and organizations to the ISA/IEC 62443 set of standards. Its ISASecure program provides a list of products certified to the standard that are commonly found in manufacturing environments.

Detect

Malcolm is a network traffic analysis tool suite offered through a partnership between Idaho National Laboratory and CISA. It was created to support all 16 critical infrastructure sectors and contains parsers for many ICS-specific protocols.

Respond

CISA encourages reporting of cyber incidents through its Incident Reporting System.

NIST provides templates and examples of Incident Response Plans which are specific to manufacturing. Volume 2 is focused on process-based manufacturing and Volume 3 is focused on discrete-based manufacturing. Refer to Section 3.5.

NIST provides the Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT), including a flow chart, for how to perform incident handling and digital forensics specific to operational technology.

Recover

NIST provides templates and examples of System Recovery Plans which are specific to manufacturing. Volume 2 is focused on process-based manufacturing and Volume 3 is focused on discrete-based manufacturing. Refer to Section 3.6.

Privacy Framework Quick Start Guide

If your company collects and processes data on humans, such as for product testing or quality control purposes, you should understand the privacy implications related to how that data is processed and used. Similar to the Cybersecurity Framework, the Privacy Framework also has five steps: Identify, Govern, Control, Communicate, and Protect. Check out this quick start guide to better understand how to identify and manage privacy risks.

How Secure is Your Factory Floor

As the manufacturing industry becomes more digitized, it is an increasingly popular target for cybercriminals. View this interactive infographic to explore potential vulnerabilities on your factory floor and review simple, actionable guidelines to help mitigate risks.

Cybersecurity and Privacy Laws and Regulations

Most manufacturers are required to follow some cybersecurity and privacy standards, laws, regulations, or requirements. These may come from Federal, State, Local, or Tribal governments, be industry mandated, or be voluntary. If your company sells products to the U.S. government, you may be required to comply with the minimum cybersecurity standards set by FAR and DFARS. Learn more about complying with Cybersecurity and Privacy Laws and Regulations.

For additional information on cybersecurity, please contact an MEP Center or email NIST MEP at mepcyber [at] nist.gov.

Contacts

For General Information

  • MEP Headquarters
    (301) 975-5020
    100 Bureau Drive, M/S 4800
    Gaithersburg, MD 20899-4800
Created April 18, 2019, Updated September 30, 2025