Cybercrime is hands-down one of the quickest growing crimes around the globe and it continues to impact organizations from all industries. Being protected from cyber-attacks is becoming more and more challenging. While cyber criminals are constantly looking for ways to take advantage of your security vulnerabilities, it’s very difficult for most organizations to keep up with them.
This fourth article in the series, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™, will give you a better understanding of some general cybersecurity best practices for all businesses, and a few tips for what you should and shouldn’t do.
This column is found in Heat Treat Today's December 2022 Medical and Energy print edition.
What Are the Risks of Having Poor Cybersecurity?
It’s difficult to remain 100% protected 100% of the time, but the risks from failing to have proper cybersecurity are hefty. The risks include: malware that can delete your entire system; the selling of your data or your customers’ data; an attacker hacking your system and altering files; an attacker using your computer to attack others; or an attacker stealing your credit card information and making unauthorized purchases.
12 Best Practices To Reduce the Chance of Cyberattacks
Follow these cybersecurity best practices to minimize the risks of cyberattacks and improve your cybersecurity:
Use complex passwords: Use at least 12 to 16 characters, including upper- and lower-case letters, numbers, and special characters, and never reuse a password across sites; a password manager makes long, unique passwords practical. Change a password immediately if you suspect it has been exposed. Current NIST guidance (SP 800-63B) no longer recommends forced periodic changes, which tend to produce weaker, predictable passwords.
Keep software up to date, including antivirus and antimalware: Install software patches as soon as they become available. Also, be sure to enable automatic virus definition updates to ensure maximum protection against the latest threats.
Utilize a firewall: A firewall blocks unsolicited inbound connections and can restrict outbound traffic, which limits both what an attacker can reach and what malware on an already infected machine can call out to. Enable the firewall on every host and at the network edge, and configure it to allow only the services you actually need.
Enable Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA): This adds a second proof of identity, so a stolen password alone is not enough to log in. Where you have the choice, prefer an authenticator app or a hardware security key over SMS codes, which can be intercepted or redirected.
Be suspicious of unexpected emails: Phishing emails are currently one of the biggest risks to a user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device (if you click on something in the email).
Use VPNs to ensure connections are private: A VPN (virtual private network) encrypts traffic between your device and the VPN endpoint, which protects it from anyone sharing the local network, such as at a hotel or coffee shop. It does not protect you from a malicious website or a phishing link, so treat it as one layer, not a substitute for the others.
Look for HTTPS on websites (instead of just HTTP): HTTPS encrypts traffic between you and the site and confirms you are talking to the site named in the address bar; on plain HTTP, anyone on the path can read or alter what is exchanged. HTTPS says nothing about whether the site itself is honest, however: phishing sites use it too.
Scan external storage devices: External storage devices have the same risk as internal storage devices. Always scan external storage devices for malware before accessing them.
Train your employees: If your cybersecurity program has any chance of working, make sure your employees are well trained and always using security best practices. It only takes one mistake. Educate your staff to be aware and on the lookout for different types of malicious social engineering (including a simple phone call asking for a username and/or password).
Backup your important data: Critical data can be lost or encrypted in an attack. Back up important data frequently, to the cloud or a local storage device (preferably both), keep at least one copy offline or otherwise unreachable from the network so that ransomware cannot encrypt the backup as well, and test a restore periodically; an untested backup is an assumption, not a backup.
Don’t use public networks: Avoid public networks or use a VPN to connect. All of your information is vulnerable on public networks at hotels, coffee shops, airports, and other similar locations.
Use secure file-sharing to encrypt data: When sharing sensitive or confidential information, use a file-sharing solution that encrypts the data in transit and at rest rather than attaching it to an email. If an email is intercepted or a mailbox is compromised, unauthorized users have the attachment.
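Two of the practices above, backing up data and detecting an attacker who alters files, meet in one control: an integrity manifest for the backup set. The script below is an added example, not code from the original column or from Bluestreak; it records a keyed HMAC-SHA256 digest of every file under a backup directory and later reports what was modified, deleted, or added. The directory layout, file contents, and key are constructed for illustration. A keyed digest is used rather than a plain SHA-256 because an intruder who can rewrite the backup can also recompute plain hashes in the manifest; the key has to live somewhere the intruder cannot reach, such as an offline copy.

```python
"""Integrity manifest for a backup set (added example, not from the article).

build_manifest() records an HMAC-SHA256 per file; verify_manifest() reports
what changed. Keep the key and a copy of the manifest offline, separate from
the backup itself. Paths, contents and key below are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _file_mac(path: Path, key: bytes) -> str:
    # Stream the file in 64 KiB chunks so large backups need not fit in memory.
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Return {relative POSIX path: hmac hex} for every regular file under root."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = _file_mac(path, key)
    return manifest


def verify_manifest(root: Path, key: bytes, manifest: dict) -> dict:
    """Compare the files on disk against a stored manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]};
    three empty lists mean the backup set is intact under this key.
    """
    current = build_manifest(root, key)
    return {
        "modified": sorted(p for p in manifest
                           if p in current
                           and not hmac.compare_digest(current[p], manifest[p])),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def save_manifest(manifest: dict, dest: Path) -> None:
    """Write the manifest as JSON (store this copy away from the backup)."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict:
    return json.loads(src.read_text())


def demo(key: bytes = b"constructed-demo-key-keep-offline") -> dict:
    """Build a constructed backup set, tamper with it, and return the
    verification results: intact, wrong key, and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "quality").mkdir()
        (root / "quality" / "cert-0001.txt").write_text("hardness 58 HRC\n")
        (root / "erp-export.csv").write_text("order,qty\n42,100\n")
        manifest = build_manifest(root, key)
        intact = verify_manifest(root, key, manifest)
        # A manifest checked with the wrong key flags every file.
        wrong_key = verify_manifest(root, key + b"x", manifest)
        # Simulate an intruder altering one record, deleting another,
        # and dropping in a new file.
        (root / "quality" / "cert-0001.txt").write_text("hardness 40 HRC\n")
        (root / "erp-export.csv").unlink()
        (root / "notes.txt").write_text("planted\n")
        tampered = verify_manifest(root, key, manifest)
    return {"intact": intact, "wrong_key": wrong_key, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run the manifest build right after each backup and the verification before each restore; a non-empty "modified" list on a backup you have not touched is the signal that the backup, not just the live system, has been tampered with.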
Improve Your Cybersecurity Weaknesses
NIST SP 800-171 is an excellent best-practice standard, even if you are not in the DoD or military-related supply chain, for keeping your data and your customers’ data secure.
My fifth article in this Cybersecurity Desk series will be: “Performing Your Basic & Your Final NIST 800-171 Assessments.”
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.
Find heat treating products and services when you search on Heat Treat Buyers Guide.com
As the next installment in this series on cybersecurity, this third article will give you a better understanding of the Department of Defense’s DFARS interim rule and its requirements.
Today's read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today's November 2022 Vacuum print edition. Refresh with part 1 and part 2 in earlier editions.
DFARS Interim Rule
On September 29, 2020, the Department of Defense (DoD) published the DFARS (Defense Federal Acquisition Regulation Supplement) interim rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, with an effective date of November 30, 2020. These new clauses are an extension of the original DFARS 252.204-7012 clause that has been required in DoD contracts since 2018.
The interim rule implements the NIST SP 800-171 DoD Assessment Methodology and the CMMC (Cybersecurity Maturity Model Certification) framework. The interim rule requires contracting officers to take specific action prior to awarding contracts, giving task or delivery orders, or extending an optional period of performance on existing contracts on or after November 30, 2020.
DFARS 252.204-7019 Clause: Notice of NIST SP 800-171 DoD Assessment Requirements
All DoD contractors in the Defense Industrial Base (DIB) must complete a self-assessment using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. The score starts at 110 (one point for each of the 110 requirements), and each requirement that is not implemented subtracts its assigned weight of 5, 3, or 1 point, so the score can fall as low as -203. If the self-assessment score is below 110, contractors must create a POA&M (Plan of Action and Milestones) and report, in the Supplier Performance Risk System (SPRS), the date by which the security gaps will be remediated and a score of 110 achieved. At the time of a DoD contract award containing the new 7019 clause, the DoD contracting officer will verify that a current score (not more than three years old) has been posted in SPRS.
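The scoring rule above is simple enough to put in a few lines, which makes it easy to see how a shop ends up below 110 and what the POA&M that goes with the score has to contain. The script below is an added example, not code from the article or from the DoD methodology document. It implements the methodology's rule (start at 110, subtract the weight of every unimplemented requirement) over a constructed self-assessment excerpt; the requirement identifiers follow the 800-171 numbering, but the weights and statuses here are illustrative, so take real weights from Annex A of the methodology rather than from this file. The due-date rule used to draft the POA&M lines (30 days per weight point) is a planning heuristic of this example, not part of the methodology.

```python
"""NIST SP 800-171 DoD Assessment (Basic) scoring and POA&M drafting.

Added example; not from the article or the DoD methodology document.
Requirement weights and statuses in SAMPLE_ASSESSMENT are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 110          # one point per requirement, all implemented
MIN_SCORE = -203         # every requirement unimplemented
ALLOWED_WEIGHTS = (1, 3, 5)


@dataclass(frozen=True)
class Requirement:
    rid: str             # e.g. "3.5.3"
    title: str
    weight: int          # 5, 3 or 1 per the DoD methodology
    implemented: bool


def basic_score(reqs) -> int:
    """Score = 110 minus the weight of every requirement not yet implemented."""
    for r in reqs:
        if r.weight not in ALLOWED_WEIGHTS:
            raise ValueError(f"{r.rid}: weight must be one of {ALLOWED_WEIGHTS}")
    score = MAX_SCORE - sum(r.weight for r in reqs if not r.implemented)
    assert MIN_SCORE <= score <= MAX_SCORE
    return score


def draft_poam(reqs, start: date, days_per_point: int = 30) -> list:
    """One POA&M line per open requirement, highest weight first.

    Due date = start + 30 days per weight point: a constructed heuristic,
    not a rule from the DoD methodology.
    """
    open_reqs = sorted((r for r in reqs if not r.implemented),
                       key=lambda r: (-r.weight, r.rid))
    return [
        {"rid": r.rid, "title": r.title, "weight": r.weight,
         "due": (start + timedelta(days=days_per_point * r.weight)).isoformat()}
        for r in open_reqs
    ]


def sprs_summary(reqs, start: date) -> dict:
    """What gets posted to SPRS: the score and the date 110 will be reached."""
    poam = draft_poam(reqs, start)
    return {
        "score": basic_score(reqs),
        "open_requirements": len(poam),
        "target_date_for_110": max((p["due"] for p in poam), default=None),
    }


# Constructed self-assessment excerpt (ids follow 800-171 numbering;
# weights and statuses are illustrative).
SAMPLE_ASSESSMENT = [
    Requirement("3.1.1", "Limit system access to authorized users", 5, True),
    Requirement("3.5.3", "Use multifactor authentication", 5, False),
    Requirement("3.8.9", "Protect confidentiality of backup CUI at storage locations", 1, False),
    Requirement("3.13.1", "Monitor and control communications at system boundaries", 5, True),
    Requirement("3.14.1", "Identify, report, and correct system flaws", 5, False),
]

SAMPLE_START = date(2022, 12, 1)   # constructed assessment date


def sample_summary() -> dict:
    return sprs_summary(SAMPLE_ASSESSMENT, SAMPLE_START)


def sample_poam() -> list:
    return draft_poam(SAMPLE_ASSESSMENT, SAMPLE_START)


if __name__ == "__main__":
    print(sample_summary())
    for line in sample_poam():
        print(line)
```

With the three open items in the sample (two weight-5, one weight-1) the score is 99, and the POA&M puts the weight-5 gaps first, which is also the order an assessor will ask about them.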
DFARS 252.204-7020 Clause: NIST 800-171 DoD Assessment Requirements
Along with the 252.204-7012 and 7019 clauses, the 7020 clause is approved for use in all DoD contracts. This new clause requires that contractors provide the government with access to their facilities, systems, and personnel when it is necessary for the DoD to conduct or renew a higher-level Assessment. The higher-level Assessments are the Medium and High Assessments; the self-assessment conducted under the 7019 clause is called a Basic Assessment.
A Medium Assessment is conducted by DoD personnel and includes a review of your System Security Plan (SSP) to see how each requirement is met and to identify any language that may not adequately address the security requirements.
A High Assessment is conducted by DoD personnel onsite at the contractor’s location and uses the full NIST SP 800-171A (Assessing Security Requirements for Controlled Unclassified Information) to determine whether the implementation meets the requirements. Assessors review evidence and demonstrations such as recent scanning results, system inventories, baseline configurations, and a live demonstration of multi-factor or two-factor authentication.
Along with that, this rule also requires that contractors flow down their requirements from 7019 to their subcontractors and suppliers. Just as the DoD may choose not to award a contract due to noncompliance, you may not be able to use a subcontractor or supplier due to their noncompliance.
DFARS 252.204-7021 Clause: Cybersecurity Maturity Model Certification (CMMC) Requirements
This DFARS clause establishes CMMC in the federal regulatory framework. It requires that a CMMC level be included in all contracts, task or delivery orders, and solicitations, with very few exceptions. The CMMC level required is determined by the DoD and stated in the Request for Proposal. Contractors must hold the required CMMC level at the time of contract award, maintain it for the duration of the contract, and flow the requirement down to their subcontractors and suppliers.
These DoD cybersecurity initiatives will have a major impact on the DoD supply chain and on your business. If many U.S. heat treaters choose not to embrace the mandatory requirements, the DoD and DoD prime contractors will award contracts only to the few heat treaters who do become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can cause major damage to the business and loss of customers, not to mention liability for losses and significant fines.
Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers that handle controlled unclassified information (CUI). The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging, but necessary, step in this process.
Watch For the Next Cybersecurity Desk Installment
My next article, number four in the series, will be: “General Cybersecurity Best Practices and What You Should and Should Not Do.”
This list of cybersecurity acronyms was compiled by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. Joe writes a regular column called the Cybersecurity Desk in Heat Treat Today's print publication.
An excerpt from one of Joe's columns: "Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST 800-171 is a great “best practice” standard for any organization to improve overall cybersecurity health. This will help in obtaining future orders because customers will know critical data is secure."
What does cybersecurity look like in a heat treat shop? In this episode, Doug Glenn, publisher of Heat Treat Today and host of Heat Treat Radio, will be speaking with four industry experts about this challenge: Heather Falcone, CEO of Thermal-Vac Technology, Inc.; Brian Flynn, plant manager at Erie Steel Ltd.; Mike Löpke, head of software & digitalization at Nitrex Metal; and Don Marteeny, VP of Engineering at SECO/VACUUM Technologies LLC. Watch, listen, and learn all about the risks, preventions, practical steps, and future outlook that this panel has to share.
Below, you can watch the video, listen to the podcast by clicking on the audio play button, or read an edited transcript.
The following transcript has been edited for your reading enjoyment.
Doug Glenn (DG): Welcome to another episode of Heat Treat Radio. We’re going to talk about a relatively serious issue today. I hope to have a little bit of enjoyable time doing it. I’m really happy to have these four people on the call with us. We’re going to talk about cybersecurity -- probably one of the most pressing issues. Obviously, it’s not heat treat specific, but we’re hoping to take some of the specific issues that deal with cybersecurity and, if possible, drill them down into the heat treat industry, as best we can.
So, I’d like to introduce our prestigious crowd here today. They’re going to talk a little bit about it.
First, I’d like to introduce Heather Falcone who is the CEO of Thermal-Vac Technology, Inc. out of California. Heather is the CEO, as I mentioned, and currently serves as a member on the board of directors of the Metal Treating Institute. She is a recognized trainer, writer, public speaker on a variety of topics such as leadership, business, and heat treat equipment. At her company, she has led them to be fully compliant in NIST 800-171 and DFARS 252.204-7012 -- that’s important, I’m sure -- cybersecurity program as well as EOS system. Heather is, in fact, a member of Heat Treat Today's 40 Under 40 Class of 2019. And I, also -- I don’t know if they’re going to be able to see this; I’ll put it up on the screen if not -- there’s Heather’s picture in a really nice magazine that we got about leadership. Anyway, I am glad to have you here, Heather.
Next is Brian Flynn from Erie Steel, Ltd. Brian is a third-generation heat treater. He attended the University of Cincinnati, earning a Bachelor of Science in Chemical Engineering with a minor in Material Science. He’s also completed an executive MBA from the University of Toledo. As a plant manager, he has close familiarity with technology development, people skills, customer service, and management of technical services. He is also a member of Heat Treat Today's 40 Under 40 Class of 2021. We’ve asked Brian to get involved here because I think he’s probably got a good perspective on implementing some of this cybersecurity stuff. I appreciate you being here, Brian, thank you.
Next on our list we have an international entry -- Mike Löpke from Nitrex, actually. He’s working out of Germany, right now, but let me read what we’ve got here. Mike has been with Nitrex going on two years and is leading the creation, implementation and marketing of a new digital platform for the Nitrex group. He has a background in mathematics and physics as well as substantial knowledge in R&D and metallurgical modeling and is currently in charge of Nitrex's software and digitalization department. His expertise in AI (artificial intelligence) and process prediction led Nitrex to develop the very first IIoT-based platform called QMULUS. His thirst for knowledge enables him to remain ahead of evolving technologies. As I mentioned, he’s working out of Germany and he was, and maybe still is, a professional wind surfer. I did enjoy the videos, by the way, Mike. It was very, very good.
Mike Löpke (ML): Thank you very much!
DG: It’s interesting and it looks exciting. You certainly went to some nice places there.
Finally, I would like to introduce Don Marteeny (DM) who I’ve had the pleasure of working with in the past. Don, it’s always good to see you. Don has been the VP of engineering at SECO/VACUUM Technologies for over 5 years. During his career, Don has fulfilled many roles including 3 years as a project engineer, 2 years as project manager and 2 years as the engineering team leader. He’s a licensed professional engineer. Don led the implementation of a 3-D modeling tool at SECO/WARWICK. When he is not busy being a Cub Scout den leader, which is great, Don presents papers on state-of-the-art heat-treating technologies. Don is also a Heat Treat Today 40 Under 40 Class of 2021 recipient; congratulations on that. And Don’s just a heck of a nice guy all around, which I’m sure all of you are!
It's good to have you all.
Let’s jump in, guys. This is a relatively serious topic that we’ve got going on here but let me just throw out some questions to you. Heather, maybe I’ll start with you, if you don’t mind.
When we look at the risk potential in the heat treat market, I guess the first question that comes to my mind is: Okay, who should really be worried about this? Who are some of the people? Brian, maybe I’ll jump to you after Heather is done with some input on that, as well. Go ahead, Heather.
Heather Falcone (HF): Well, the short answer is literally everybody. Literally every person in the United States is subject to being a target for a nation-state level adversary such as China, Russia, Iran, North Korea. No one is safe, no one should assume they are safe, and every single person in this country, regardless of whether you’re a businessperson or not, should protect the data that keeps us safe.
DG: Do we have a sense, Brian, maybe over to you on this -- and again, as I mentioned before we started, if somebody doesn’t have a comment on this, just pass on it -- but are there people or organizations or systems in the heat treat industry, specifically, that are at a higher risk? What do you think as far as risk?
Brian Flynn (BF): In terms of age group demographics, the Baby Boomers as well as Gen Z and younger are considered the most vulnerable to cyberattacks. Baby Boomers didn’t have great exposure to today’s brand of cyberattacks, nor did they grow up with the internet and computers as we know them today. With Gen Z and younger, there is a certain carelessness in terms of sharing personal information; they’re too trusting. On top of that, Covid created new types of uncertainty in conjunction with the influx of new users going online since 2020.
But more from a business perspective, I guess it depends. Healthcare, government and financial-like institutions pose the highest potential reward but also the highest risk. In terms of frequencies, small businesses, like myself as a commercial heat treater, are the number one target as they typically lack resources and capital expenditures in order to invest in the infrastructure. And it might just be a pipeline where they’re going through the small businesses to get to my bigger Fortune 500 customers, but it’s really mainly phishing emails that are infected with malware. Over the past 12-18 months, it’s been crazy how many have made it through our firewall.
DG: Over to our equipment guys. I should mention -- Heather and Brian are both commercial heat treaters, Mike and Don are really both kind of equipment guys, although Nitrex also does some commercial heat treating, as well. Don, why don’t we start with you. The same question: Who’s at risk here? And then, Mike, we’ll end with you, please.
Don Marteeny (DM): Well, in addition to what Brian said, which I found interesting on some of the demographics, it’s important to realize, too, that it’s not just people, it’s also equipment. The equipment is becoming more and more interconnected, especially with the IIoT capabilities that most of them have now and all the unique features that that brings, but what that means is -- in order for that technology to function as intended, it has to be connected to the internet, which opens up more doors for access to sensitive data. And it’s not just data that you receive, it’s data that you generate, right? And that’s the important thing, I think, that everybody’s got to realize is that once you’re in that chain of subcontracts, shall we say, and you’re working with those folks that are contracting to the government -- handling sensitive data, you’re in that, too. It’s important to recognize that it’s not just you and your users but also your equipment and how it’s interconnected to the network.
DG: I’m reading a book right now -- I’ll give a plug to this guy -- Mark Mills, who we’ve interviewed before, on this show actually -- it’s called The Cloud Revolution and he’s been talking a little bit about this. The amount of data that is out there, because we’re able to get data off of machines and things like that now and are doing more and more, is just skyrocketing. It’s that data that’s going to be an issue.
Mike, over to you; I just want to wrap up as far as risk assessment, here. Who are the people, organizations, equipment or whatever that is most at risk?
ML: From our perspective, there’s not that much to add. We covered already the topic so we have this human factor which plays a really, really big role in terms of cybersecurity, how people are really sloppy and do not have the right mindset to treat data as they should. We have also, a lot of times, not the right policy in place, we do not have the education needed and so on. There is always this human factor.
But also, with heat treatment being a really old industry, and steel manufacturing as well, we have a lot of facilities with outdated infrastructure. This is also a big topic: outdated infrastructure, old, dated network designs, firmware which we do not need to talk about -- it’s 20 years old and older -- so nobody knew about the potential risks that arose during the last decade and during the last years. This is also a really important factor. That’s it, from my perspective. Everyone, as said, is at a high risk, so, summing it up -- it’s literally everyone and everywhere.
DG: If you think you’re safe, you’re not, right? I think when Heather first started talking, I thought, “Boy, this is going to be a horror show.” If you think you’re safe, you’re not; you’re most at risk.
Let’s talk about data and data storage. Those types of things are really at the core of this, I think. Where are we going to store of all our data? How do we do it safely? When it comes to data storage, what problems have you witnessed or are you aware of, and how about solutions for data storage?
Don let’s start with you on this one then we’ll go to Mike. I know a lot of companies say, “Well, I just want to keep my data in-house.” Is that the answer? What are we doing with data?
DM: That varies. From my observations, it varies from customer to customer, industry to industry. There is a sense to move it to the Cloud, just because it’s easier to manage there, but with that brings risks. I think everybody’s got to be aware of that when they make that decision. On one hand, do I maintain my own servers, do I hire the people to man those servers, etc., or do I pay somebody else to do that in the Cloud? Do I take that risk of the data being someplace I don’t know and I rely on the Fortune 500 company who I’m contracting to maintain the Cloud to secure it, or do I do it myself? Especially for small businesses, these are not easy questions to answer. Like I say, I’ve seen both. And, again, with the advent of Industry 4.0 and IIoT, the pressure to move to the Cloud is pretty high if you want to take advantage of those technologies.
DG: Mike, how about you? What do you think as far as data storage and things of that sort?
ML: I think Don mentioned already the two options we have. We could take care of all the data storage ourselves, having big data servers on premises, having people responsible for it, managing everything, keeping it running, the creation of redundancy, call it like this, having back-up systems -- all of these things you would need to manage by yourself. And the requirements are getting tougher. If you think of having data for aerospace stored, you’re talking about decades, so that’s it.
The alternative is to put everything to the Cloud so then you’d just say, “Ok, I need more data” and more data storage space is available. You can also make use of all the security measures created, for example, by the big Cloud infrastructure providers like AWS in Asia. They are professionals in this. If they say your data is secure because we are using the latest technologies, I think you can be sure that it is. We, at Nitrex, rely fully on this. We say we could not do it better. There are thousands of people working every day on Cloud security, on infrastructure security, and so on and so on. I think our facilities could not be safer.
DG: Brian, let’s go to you on this one and then, last, to Heather. Data security -- if you want to make comments on that and maybe even, if I can put a little sharper point on the pencil on this -- just because a person keeps data in-house, does that make them safe from cyberattacks? General question, or if you want to answer that specific one, Brian.
BF: In today’s climate, the security of the data storage remains at the top of our lists. Knock on wood, very fortunately, we haven’t been on the receiving end of any of those types of cyberattacks, likely because we have a good firewall in place. More relevant to Erie Steel, the problems we face are data storage limits, length of data retention and scalability, and also accessibility -- whether it be video records, furnace records, quality records, shipping records, the list goes on, as far as how long do we want to retain that data and how accessible does it need to be? We utilize surveillance cameras, not spying on employees but really more proof of key operations, proof of start, proof of completion. The cardinal sin of heat-treating is don’t ship a green part back to the customer, so what better way to prove that other than by surveillance systems.
But that poses an issue -- we make sensitive cameras, increase the sensitivity, length of retention goes down. It’s a nice balance between form and function as well as retention, whether we use IP high-definition cameras or low-definition cameras. But that’s on its own internal server, on-site.
A lot of our continuous furnace trending software is continuously recorded -- that’s on its own separate dedicated server with off-site back-ups. Then we have all of our PLC data -- that could fill up a server in a matter of weeks if we really wanted it to. At times, we were recording every second; we don’t need to do that for most operations. Every minute, make the data accessible for a month and then, after that, we send it off to the Cloud.
For our ERP system and our quality management system, we utilize Bluestreak, which is a web-based platform. We used to have an on-site grid-based platform, and that frees up a tremendous amount of space on the server so we can, A, keep it at 70% or less for capacity reasons. The only issue then, of course, is if we have a power outage, we lose internet -- but those are risks, at this point, that we’re willing to take.
DG: Heather, how about you? Data storage, generally speaking, what’s the situation?
HF: I think whether you’re deciding to store locally or in the Cloud, there are a couple things to consider: your digital rights management and your data loss prevention. If you’re working in-house, that means isolating assets on the LAN to make sure that, if there is an infection, it stops immediately. That’s one of the basic controls in, what is now, level 1. You have to have some of that in place so that if someone does get into your system, and we’re not talking a brute force attacker, we’re talking a person with the password of 1 2 3 4. We’re talking about the person that has not changed their password in 23 years and they’re still working on a DOS-based system. All those legacy systems that are not yet updated, that’s where the real risk comes from -- storing data locally. It’s really user behavior oriented that’s backed up by the solid digital rights management and data loss protection, as far as storing locally. One thing to be very careful about when moving to Cloud solutions: most commercially off-the-shelf available Cloud solutions are not compliant with 800-171. If you’re talking about just Office 365, you have to move to the government version. Now we’re on zoom.gov instead of regular zoom, Doug, I don’t know.
DG: We are not, so be careful what you say.
HF: The problem with that is when you move to those Cloud solutions, they are inherently user prohibitive. They’re awful to work with, and they’re extremely expensive. You are kind of in a rock and a hard place: do we store locally and take on more risk and more in-house compliance cost or do we trust these big guys who have a billion-dollar backing them up who seems to know what he’s doing but also humans are humans and it’s still an inherent broken system? We all have to be careful and take our ownership of the programs that we’re putting in place -- that we have working knowledge where our data is going, how it’s being backed up, how it’s being stored or retained.
DG: Just a quick round-robin question, just kind of a yes or a no, and if you want to elaborate a little bit, feel free: Do you think, in today’s day and age, that it’s just as safe to store things in the Cloud as it is locally? Mike, what do you think?
ML: Yes. But you have to respect the requirements.
DG: Don, what do you think?
DM: Yes, for the most part. Like we said, the larger companies have teams of people working on this every day, so not only can they react, they can be more proactive in staying out in front of it than the rest of us can because they have the resources. So, in theory, yes.
DG: Heather, what do you think? Just as safe to store in the Cloud as local?
HF: I believe that it has the potential to be more safe because you can rely on a group of resources that you don’t have to actively manage yourself. However, it takes a lot of oversight and research. It might be easier for a smaller company to create a very small locus of control as opposed to moving to a large collect Cloud solution during their migration to CMMC.
DG: Brian, how about you? Just as safe?
BF: I think the short answer is yes but, you know, it depends on which Cloud are we talking about and what does your internal infrastructure look like as well as what are your internal policies. Then it gets into more of a convenience discussion. How do you need that data? How frequent do you access it? But, I think, there’s the potential to be as safe or potentially more safe.
DG: I want to take a brief break and ask Heather a question. If you can just do a 30-second/60-second explanation of CMMC for us, and then we want to ask some questions about that. But I want to make sure that those who are listening who might not know what that is -- what is that? CMMC -- it’s important.
HF: It’s the Cybersecurity Maturity Model Certification. The government, in all of their perpetual wisdom, decided that they’re really tired of getting attacked by all the bad guys. To protect the state of the defense infrastructure and, I guess, maybe protect themselves because they have to do it too, they designed this system. Now, for today’s talk, I want to make sure that we understand that I’m personally going to be vacillating between CMMC 1.0 and CMMC 2.0. They are drastically different -- CMMC 2.0 is in rulemaking, but it’s got a lot of exciting, better things, potentially, in it versus CMMC 1.0. The point is, CMMC 1.0 is the law of the land and has been since 2019, so, it’s up to everyone who deals with the federal government to ensure that they are up to the minimum standard requirements for CMMC 1.0 which is just, basically, a self-assessment and some basic controls.
The government really wants to put in place the supply chain that is not full of holes for the enemy to take our most trusted and effective data.
DG: I’m curious, when it comes to CMMC then, implementation, best strategies for implementation, how do we find out about it more? Heather, I’ll stick with you on this one and then maybe we’ll move down to Mike and Don and then over to Brian.
CMMC -- what are some good strategies for implementing this?
HF: The first thing is to identify what you’re going to attack. If your whole company does not deal with CUI or FCI (control of unclassified information or federal contract information), then you don’t need to be talking about CMMC. The first step is to get your senior leadership team together and start with a block of information that’s manageable, either by location, by area, by contract, by project. Start at that top level and read the flow-downs to find out if you even have to do this, then decide a plan of action. I strongly recommend a phased integration approach over a period of about 18 months. If you’re trying to jam this into a 6-month process, it likely will be unsuccessful, strictly because that’s not enough time to even get the written policies and procedures in place. Plan for this to take about 18 months to 2 years and plan for it to cost you about $180,000; it’s about 60 grand a year. This is what the government, the Department of Defense says it will cost.
"The first thing is to identify what you’re going to attack. If your whole company does not deal with CUI or FCI (control of unclassified information or federal contract information), then you don’t need to be talking about CMMC. The first step is to get your senior leadership team together and start with a block of information that’s manageable, either by location, by area, by contract, by project. Start at that top level and read the flow-downs to find out if you even have to do this, then decide a plan of action." - Heather Falcone, Thermal-Vac Technology, Inc.
DG: Alright. You’re speaking from experience though, yes? You guys have done this?
HF: Absolutely, yes. It took us closer to 2 ½ years but, luckily, we started early enough to where that phased approach was okay.
DG: Mike, how about to you -- CMMC. Are some of your customers needing to do it? Are you guys needing to do it? What do you think?
ML: Nitrex is a solution provider, so we not only have commercial heat treatment, but we are also creating furnaces, we are building furnaces. We are also creating the control software, and lately we released our QMULUS IIoT platform. We are really involved with this topic because we need to make sure that our customers are getting a solution which is CMMC compliant in the end. One thing which I really would like to mention here is that it does not stop with the software. It’s not only software, it’s also controllers, it’s the hardware on the controllers, it’s even the network. Let’s say, a component on your controller has to be CMMC compliant, in the end, which makes it really hard for small companies to take care of it. I suggest that you outsource a lot of these things. You can make your suppliers responsible for it, for sure. This would come with rising prices and so on, but for small heat treatment shops, it’s not maintainable, I guess. Maybe with the new approach of the CMMC release, which is relaxing a lot of things, it might be better, but we still do not know.
DG: Your suggestion is to outsource a lot of these, whether it be components or whatever.
ML: I would just like to add -- because we spent a lot of time figuring out what it really means (the CMMC things) and, as Heather already said, it will take you months to understand everything, and if you’re not a professional in cybersecurity and have maybe created these policies, you are lost.
DG: Don, how about you?
DM: I think I would echo a lot of what Mike is saying. As the whole industry goes more towards the IIoT implementing things, CMMC will be more and more difficult and you need help. Bottom line, unless you’ve got enough resources internally that can address the needs and understand, first off, as Heather mentioned, understanding the law (the regulations), in and of itself is usually enough to keep someone occupied for quite some time. But, even after that, then knowing what it means in implementing it, getting the right person on it, would certainly help the process.
DG: Brian?
BF: I think Heather really hit the nail on the head. The first step is to make sure it matches your strategic plan and your business plan. Currently, this is not a certification that Erie Steel possesses. It’s on our business plan as a threat under SWOT analysis, but based on our current and forecasted customer base, this isn’t something that we plan on moving forward on here in the near future.
DG: Heather, you had mentioned about the control of unclassified information. Can you just expound on that a little bit? If I remember what you were saying, you were saying that it’s important to know whether you’re in that category, right? Because if you are, you need to do certain things; if you’re not, you don’t need to do certain things.
HF: Yes, if you handle CUI at your company or if you create CUI, then you’re likely going to be subject to the DFARS requirements when they’re flowed down to you. If you’re a federal contractor, it’s likely you don’t have a choice in this; it’s going to be in your contract flow-downs.
If you want to know more about control of unclassified information, there is an ongoing and ever-changing list that’s available to you on the National Archives’ website, which is archives.gov. If you go in there and you search "controlled unclassified information," it has a subsection list by industry. If all you do is firearms, cool, click on firearms and it’s going to tell you which CUI you have. If you only work defense, ok cool, here’s a nice little chart. It’s an invaluable resource for picking out key terms for the parts of your business to see if they match up with the CUI.
But also, FCI, which is the Federal Contract Information, grand jury data is protected. Now, do we all deal with that? No. But financial transactions and general data information that you might not think is protected is protected. Spend some time in the National Archives -- it’s not boring, I promise, it’s actually pretty easy reading. It has nice charts and hyperlinks.
DG: It sounds boring, if I may just say so. Being the National Archives doesn’t sound like a place I want to spend my Friday afternoon.
HF: Well, call me, I’ll make it more exciting for you.
DG: I want to deviate a little bit from the questions that we sent and maybe wrap up with two questions. We’ll deal with them individually but I’ll get you thinking about it just a little bit. Because we want to make this fairly practical for people, question one will be: Can you tell us what your company has done, thus far, to address cybersecurity? Again, it’s going to be a range of things; some have done a lot, some have done a little. Then, the second question I want to ask you which we will wrap up with is: If you could put on your prognostication hat here and you’re looking into the future -- what do you see being some of the major movements that we’re going to have to be dealing with as far as cybersecurity? It’s a little bit of fun looking into the future and seeing what we’re going to have to deal with in the heat treat industry.
Mike, if you don’t mind, we’ll start with you with Nitrex. What have you had to do so far to really deal with the whole cybersecurity threat?
ML: In the past, we started with the human factor. Until 6 years ago, everyone had administrator rights on his local PC and everyone was installing everything -- malware, spyware and even things which were ‘unsuspicious.’ But a lot of things happen in the background without anyone even noticing, and these actions are opening doors for cybersecurity things. That’s why we installed something like MS LAPS, which is a local admin password solution, so that we can make really sure that people are only installing things which have been approved and so on. This was one of the things. Then, we also introduced something like MS Defender as an antivirus solution, which is hosted in the Cloud and which makes use of AI to identify things before they get really serious. This is for all internal IT infrastructure, making use of the latest approaches and software solutions we can get.
Lately, we started with education because, we said it already multiple times in this discussion here, the human factor is the most important part. We need to sensitize people about all the risks and all the things the internet brings. That’s why we started to have these security trainings, web-based and so on, which really help, also, to make people aware of these things.
In terms of the solutions which we are offering, we planned a roadmap accordingly on how to make them CMMC compliant. For all our hardware, we have to rework our whole controller infrastructure which we are offering to make our furnaces CMMC compliant. The same for our MES software, which we have on premise, and for QMULUS as well, which is our IIoT solution hosted in AWS. Here, it really depends on our customers whether you’re hosting it in the Cloud or in the usual, let’s say, public Cloud. That’s what we are doing. We’re investigating our needs and the needs of our industry.
DG: Good. And we will get to what do you plan on doing in the future, too.
Brian, why don’t we jump up to you on this. So far, what has Erie Steel been up to?
BF: As I stated during the risk assessment portion of management review, cybersecurity is regularly listed as a consistent internal and external threat. Historically, it’s been less relevant than it is today so little action was done. Now, over the past few years, we’ve really focused in this area and targeted internally on internal infrastructure. With that, we always try to keep a focus on understanding current environmental trends in cybersecurity, but with anything, any policy, any initiative, it should start and end with a strategic plan. Plans need to be well thought out, employee expectations clearly communicated prior to rollout, and feedback welcomed throughout these transitions.
Here, we practice self-audits and realized that server capacity, as well as the life expectancy of our server, was a great concern. We met with IT several times and came up with a plan to replace and upgrade our existing server in four separate phases -- phase 1 being clean up the current system, phase 2 being change the system over, phase 3 being the new file structure for day-to-day operations, and phase 4 being to implement our new cybersecurity policy. Right now, we’re approaching the end of phase 3, so we’ll be sitting down again and reviewing the cybersecurity policy. Like I said, though, if you have doubts, self-audit, or you can always have a third-party auditor come in and share their two cents.
Some other things we’ve done are antivirus and antispyware software -- those should be givens. When individuals need to access the servers remotely, make use of VPNs, utilize firewall security, ensure management has a firm understanding of the server capacity and requirements, regularly back up the critical data, have redundant backups in different locations, of course make sure your Wi-Fi is secure, and passwords should regularly change, same for all the usernames. You’ll see this with a lot of larger companies -- you really want to limit access to data and limit authority to make changes.
One thing we have done is our PLCs are operating locally on our own internal internet in case there is a server storm, in case there is a power outage. Well, a power outage wouldn’t help us in that situation but in case there is a server storm or internet outage, we can still operate locally, we just don’t have all the trending software to support it like day-to-day operations.
DG: That, just by itself, sounds like a huge task. Just switching over a server sounds like a lot of work. I think a lot of companies are going to be listening to this, especially some of the smaller captive heat treaters. Where to start? I think self-audit is a good idea and good advice.
Don, let’s go to you, then we’ll finish up this question with Heather, then we'll move into thinking about the future.
DM: From our perspective, we’re focusing on the human factor. We’re trying to increase training and then once it’s out there, we test it. Once in a while, you’ll get forewarned that sometime within the next 24 hours you’re going to get a phishing email and what do you do with it? Sometimes they won’t tell us and all of a sudden, it’s, “Oo, what’s that?” I’m not going to click on that link. But honestly, those are the doors that are easier to close that we need to.
Some other activities have been like adding multifactor authentication where it’s necessary. Yes, it takes longer, yes, it’s a pain, but it’s necessary to make sure it is you and not somebody else. And then, as everybody else has mentioned, the usual firewalls, protecting Wi-Fi data networks, etc.
I did want to touch a little bit more on the equipment side, for just a minute. In my experiences with customers, sometimes an easier way to deal with this, especially because the interconnectivity to the equipment is becoming more and more prevalent, is just basically to have a separate service, a separate internet connection that you control. And it’s basically: if you need help, if you need to connect that piece of equipment to the internet, you physically plug it in; if not, you take it out. And when it’s out, you are in control. On your network, you’re passing data where you need to and that’s it. It’s back under that umbrella. Then, when you physically plug it in, you’re doing so making that decision consciously to say, “Okay, for this period of time, I need it to be connected.” But at least, then, you have some direct control. Is it rudimentary? Yes. Is it maybe not the most convenient? Yes. But, until you’re to the point where you can research all the needed data and regulations, it can get you to the point where, at least, you have some control.
DG: Right. Nothing like a physical line to plug in and unplug to help you feel safe.
Heather, how about you? What has Thermal Technology been doing?
HF: We started with an assessment that we paid people to do -- an expert that came in and evaluated our system against the CMMC requirements. That was very scary and expensive and it felt like someone was speaking Greek to me and, frankly, I got bored within the first 30 minutes of him giving me the report. But that’s where you start. And don’t be afraid if you get a negative score on the darn test because you’ve got to pick a place and you’ve got to get the baseline.
The nice thing about CMMC is it’s progressive; it’s meant to be transitional. You’re not going straight to level 3 and your whole life is going to change. You go from that assessment and then you work your way into phase 1. The CMMC level 1 is meaning we’re doing this stuff; we just can’t repeat it and we don’t have any documentation. And then level 2 -- okay, now we’re doing stuff and now we’re going to make it repeatable by documenting it. Then phase 3 is now we’re going to make machines manage the processes that are documented so we can repeat them and do them. It builds upon itself. So, embrace the stages. That’s what we’ve done and we started all the way back when we were a .79.
DG: Out of what?
HF: Out of the level 1 – 3. We were .79. Now, I’ve seen people who are minus numbers (-2, etc.) and that’s okay. Everyone starts somewhere, and if you haven’t had to look at infrastructure as related to information technology in 20 years, then why would you have ever looked at it? Take it in the phased approach. That’s what we did and we baby-stepped our way in and took all the painful points and broke them down into 1,000 substeps and that was the best thing we could have done.
DG: We’re going to go backwards in order, if I can, and let’s talk about the future. I guess, what I want to get a sense from you guys, to wrap up, is 1. What do you see as being the greatest risks to your companies, and, I think, especially with our equipment guys with Nitrex and with Mike and Don, if you’re able to address from your customer’s perspective, 2. What are the issues with new equipment going in? What are the biggest risks that you’re seeing, if there are any, and what do you see us doing in the future differently than what we’re doing now as far as mitigating any of those risks?
Heather, back to you on this one?
HF: The biggest risk is complacency or denial. This will come to you and it already has. If you take the viewpoint of, “Well, I’ll do it when my customer makes me,” you will be so far behind the ball, it’s going to be painful. The absolute worst risk you could possibly take is not looking at it or denying that you’re involved in it. If you’re in heat treating, it is 90% likely that this is going to apply to you in some way. Now, the great news is CMMC 2.0 -- over 60% of the industrial supply base is only going to have to be a level 1 -- that’s a self-report annually. That’s not that big a deal. Anybody can do that. And there are great resources that are being developed to help people that want to get that basic level of CMMC compliance.
So, don’t wait, don’t deny it, get your customers to pay for it, put it in your RFPs. It is an allowable cost for reimbursement; don’t let anyone tell you otherwise. If you need more help on that, let me know.
DG: That’s one of the questions we didn’t get to and that was how to make your customers pay for it which sounds like a very intriguing question, but yes, you mentioned it there.
Don, how about you? We’ll go over to you on this one.
DM: I think, moving forward, a couple of things are happening: The labor market is changing; it’s changing to a demographic that’s more familiar with this technology, which is a good thing. Although, as we said, I think it was Brian that said earlier on, some of those generations may not be as sensitive as they need to be. But what that means is that the older days when we relied heavily on operators to know what’s going on, now we’re switching more towards the technology managing the equipment from the equipment’s point of view. What that means is there will be fewer people managing more equipment from fewer places. So, if you’re looking at a multilocation operation that’s managing data from a central location, that becomes pretty complex pretty quick; but it’s becoming more commonplace in the industry than it used to be. Obviously, that opens up a lot of doors for cybersecurity risk and that’s got to be carefully managed, in the light of CMMC and others as far as cybersecurity goes.
I think the future is -- the technology is there, it’s available, but it has to be implemented carefully and it has to be well thought out by people who know what they’re doing.
DG: Brian, I think we go to you and then we end with Mike.
BF: When chaos sets in, the one standing by your side, without flinching, can be considered your family. When chaos sets in manufacturing, managers must remain flexible, patient and understanding which leads to the difference between a leader and a manager. A good manager is not always a leader, and good leaders are always managers. Managers have people work for them while leaders have people follow them. On the note of chaos, when it sets in, communication is key. If you’re the responsible party, designate primary and secondary points of contact for cybersecurity support. Have performance incentives in place for the responsible managers. If you’re rolling out a new policy, based on the successful rollout of that policy, put some incentives in place. Maintain open lines of communication and welcome feedback. Make sure that training materials are available. Something that I’ve come to realize is that employees often shy away from asking for help. Instead, try to get the help at their fingertips and ask specific, strategic questions to prove they’re understanding.
Really, at the end of the day, conduct your risk assessments. You don’t know what you don’t know, and that’s 95% of what is knowledge today. Be cognizant of what’s out there. Let’s face it -- cyberwarfare, cyberterrorism are very real, very selective, quick and cheap attacks from the hacker’s perspective, and they remain anonymous.
DG: And devastating for the companies that are on the receiving end, potentially.
BF: On the microscale, it’s real, especially for small businesses.
DG: You’ve hit on an interesting thing, Brian, and obviously we can’t spend time talking about everything but, it’s just the way you address this from a personnel perspective inside your company -- are you having someone there that’s the point person for cybersecurity? This shows my ignorance, but that’s okay, it’s easy to do. Do they have a chief security officer, a CSO, now, I assume, adding to the ‘C-suite’?
But yes, I think that’s a good point.
Let’s go over to Mike. What do you see as being the future threats and how are we going to be mitigating them?
ML: I think there is not that much to add here. We talked about the human factor, which, as I said, is the most important thing. Education, and more education, is needed here. Also, the people on the shop floor are often still working with pen and paper -- they are not really used to working with the digital mediums and components and so on. So, really, we have to be sensible there, as well. You mentioned that the management has to take care that they are not "steamrolled" by all these approaches. This is really important.
The other thing, I already mentioned as well, is to outsource as much as possible, if it’s possible. Talking about the hardware, the software components and solutions and so on -- if you can get a solution which is CMMC compliant and the vendor is stating it, get it, because it’s taking a lot of work from you.
DG: The last thing we’ll do, and you may or may not have anything for this -- any final thought you want to leave with the people that might be listening to this, watching this? These are basically going to be people who are manufacturers who have their own in-house heat treat shops, commercial heat treaters, suppliers to the industry. Are there any last comments that you want to leave?
Don, anything?
DM: The only thing I’d add is just to be proactive. That always helps in these cases. And what that means is up to you but be proactive to address it.
DG: I was thinking the same thing: Don’t stick your head in the sand. Or, if it is there, get it out. Get it out of wherever it is and pay attention. Be proactive.
Heather, how about you?
HF: That’s exactly right. And some of us have larger egos that prevent us from reaching out for help. Understand that the literal federal government wants to help you, and there are so many resources out there that can be a nightmare to navigate but start with the people on this call. Reach out, talk to someone, get outside your circle and start figuring out how to make it work for you.
DG: Mike, how about you and then we’ll end with Brian, if you have any other comments. Again, if you don’t, no problem.
ML: That statement of Heather’s, I think, of being proactive, ask for help, don’t be shy. Invest the money. It will be worth it to invest.
DG: Brian, how about you?
BF: I think, find what works best for your organization and remain flexible. Solutions to cybersecurity should not be a one size fits all approach, so plan for the worst and strive for the best.
DG: Guys, thanks very much. I appreciate it. This is a huge, huge topic. I know we’ve just skimmed across the top.
Cybersecurity: it's important for more than just keeping checking accounts safe. Banks, government agencies, and online data bases all require strict cybersecurity. But what about heat treaters? What are cybersecurity requirements for heat treaters, and how can they become compliant?
Today's Technical Tuesday is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column series will have its debut in Heat Treat Today's September 2022 Trade Show print edition.
Do You Need To Be Compliant?
If you are a heat treater who provides services to a Department of Defense (DoD) contractor or downstream DoD requests, you are affected by this topic and need to read on to get more details. In some cases, you may have already been asked about compliance by some of your customers. In this article and in future articles, we will provide the answers to the most frequent questions regarding how heat treaters can become and stay in compliance with cybersecurity specs and even improve their cybersecurity health.
Discussions around DFARS compliance, NIST 800-171 implementation, and cybersecurity within federal defense contracting are becoming increasingly prevalent by the day. Although it seems like the conversation is only recently gaining steam, the DFARS mandate has been around longer than people realize.
The DoD is requiring all contractors, subcontractors, and suppliers to be DFARS 252.204-7012 and NIST 800-171 compliant. Don’t take a chance on losing current DoD contracts and losing future business because of noncompliance. Compliance is non-negotiable for heat treaters within the DoD supply chain.
Heat treaters implementing effective cybersecurity practices are facing particularly challenging circumstances because there are more devices (including mobile devices) than people, and attackers are becoming more innovative. Cybersecurity is the practice of protecting systems, data, networks, and programs from digital attacks (web/cloud based). These cyberattacks usually seek to access, change, or destroy sensitive information; extort money from users; or interrupt normal business processes. Therefore, the government is pushing cybersecurity more than ever before. All of us need to be sure critical data and systems are protected and secured.
Here are several eye-opening statistics of how cybercrime affected SMBs (small to mid-sized businesses) from 2021:
Cyberattacks increased by nearly 300% since the beginning of the pandemic
58% of cyberattack victims are small and mid-sized businesses
60% of small companies go out of business within 6 months after a major security breach
55% of ransomware attacks involve companies with fewer than 100 employees
95% of cybersecurity breaches are a result of human error
What Is DFARS 252.204-7012?
DFARS 252.204-7012 is a DoD regulation that has become increasingly important for defense contractors and suppliers.
Originally implemented in 2016, DFARS 252.204-7012 requires safeguarding and “adequate security” of Covered Defense Information (CDI), which also includes CUI (Controlled Unclassified Information), by implementing the guidelines found in NIST SP 800-171.
DFARS 252.204-7012 further requires contractors to follow certain procedures in the event of a cyber incident, report the incident to the government, and provide access to systems.
What Is NIST SP 800-171?
NIST SP 800-171 is a NIST (National Institute of Standards and Technology) Special Publication that provides recommended requirements for protecting the confidentiality of CUI in non-federal organizations or businesses. Defense contractors must implement the recommended 110 control requirements contained in NIST 800-171 to demonstrate their provision of adequate security to protect the Covered Defense Information (CDI) included in their defense contracts, as required by DFARS 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA, or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.
The deadline to be fully compliant with NIST 800-171 was December 31, 2017. But it’s not too late.
Even if a heat treater is not a DoD contractor or in the DoD supply chain, NIST 800-171 is a great "best practice" standard for any organization to improve overall cybersecurity health. This will help in obtaining future orders because customers will know critical data is secure. Explaining NIST 800-171 in depth, and each of the specific control areas, is beyond the scope of this article, so, be on the lookout for a future article on this specific topic later in this series of articles.
Consequences of Failing To Comply With DFARS 7012 and NIST 800-171
Whether heat treaters are willing to move forward with these DoD cybersecurity initiatives will have an overwhelming impact on the DoD supply chain and on your business. If many heat treaters in the U.S. choose not to embrace the mandatory requirements, the DoD and DoD contractors will award contracts solely to the few heat treaters who do choose to become compliant. Poor cybersecurity practices can result in hacking, loss of company data and critical customer data, and attacks by malware, viruses, and ransomware. All of this can result in major damage to the business and loss of customers, not to mention being liable for all losses and paying significant fines.
Complying with DFARS 7012 and NIST 800-171 is a requirement for all DoD contractors, subcontractors, vendors, and suppliers. The DoD has now begun confirming that contractors and subcontractors are compliant before awarding additional contracts. Navigating NIST 800-171 and DFARS is a complex and challenging — but necessary — step in this process.
Watch for Future Articles in Heat Treat Today Covering the Following Topics:
DFARS 252.204-7012 and NIST SP 800-171 Explained for Heat Treaters
DFARS Interim Rule Explained (DFARS 252.204-7019, 7020, and 7021)
General Cybersecurity Best Practices and What You Should and Should Not Do
Performing Your Basic & Your Final NIST 800-171 Assessments
Submitting Your Assessment Score(s) to the SPRS (Supplier Performance Risk System)
CMMC 2.0: The New Changes and How To Become Certified
How To Safely and Securely Work From Home and Work Remotely
If You're Not Using 2FA or MFA, Your Data and Your Customer’s Data Is Not Secure
. . . and many more cybersecurity topics curated for heat treaters
Can You Afford Compliance? Funding and Cost Sharing for Heat Treaters
With the huge push for cybersecurity by the government, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects.
About the Author:
Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.