While manufacturers have avoided the attention of hackers in the past, the industry has risen to near the top of cyber criminals’ hit lists. As such, many manufacturers are finding their organizations woefully underprepared to combat the ominous threat of cyber attacks. Ryan Bonner works with Brighton-based Brightline Technologies Inc. to educate manufacturers on I.T. matters ranging from cloud management to regulatory compliance and security. Last week, Bonner participated in a cybersecurity webinar hosted by MiBiz and Michigan Manufacturing Technology Center-West. [Editor’s note: Visit mibiz.com/cybersecurity to view the webinar.] After the webinar, he talked about new cybersecurity regulations from the Department of Defense and manufacturers’ exposure to cyber threats.
As vice president of customer success at Brightline, you have a very positive title.
Yeah. Well, in the case of a lot of these manufacturers, success looks like staying in business. With some of the things we’re doing with government-regulated manufacturers, there’s a bit of Damocles hanging over their head right now.
Can you explain that a bit more?
Beginning earlier this year, there are some new DFARS (Defense Acquisition Regulations System) clauses which dictate that defense contractors of any type need to meet certain data security standards and have a plan implemented to put them in place by the end of this year. We’re seeing a number of indicators that defense contractors may not be eligible for future contracts after the first of next year. Unfortunately, this whole set of standards and clauses was not well communicated by either the government or prime contractors. We’re fighting a battle of awareness and legitimacy.
What are some of the requirements?
There are a number of requirements for how cloud systems must be secured. There are also very specific requirements for how these clauses get passed down to subcontractors underneath the original contractor recipient.
Is this related to the recent guidelines from the National Institute of Standards and Technology (NIST) in its 800-171 publication?
(The publication) is an excellent document written for how organizations should technically and operationally secure their data. What a lot of organizations miss is that the contract clauses have a lot more to say than just the need to implement 800-171. Those are some more stringent and well-defined requirements in that DFARS clause that, when paired with the NIST standard 800-171, add up to a much more comprehensive set of responsibilities for every defense contractor to adhere to.
What’s your sense for how many manufacturers meet these criteria?
I have yet to meet an organization that can say that they are compliant to all of the requirements found both in the clause and in the associated standards. We’ve spoken to quite a few organizations here in the state, well into the hundreds at this point. There’s a huge shortfall in understanding and implementation.
What happens if manufacturers are not compliant with these federal deadlines?
The big black swan event that every organization who does government or defense contracting is trying to avoid would be a multi-year ban on contracting, which for a lot of organizations would be a death sentence.
Have most manufacturers invested in cybersecurity measures?
Most manufacturers have invested heavily in technology for its ability to contribute to cost effective production. What they didn’t always fully contemplate is the technical debt that they took on when they incorporated those technologies.
What do you mean by technical debt?
The technical debt would be sort of the responsibilities for the proper maintenance and security and administration of these technical systems in a way that mitigates risk and protects the organization from those risks.
Are we past the point where cybersecurity can be addressed with strong passwords and employee education?
Approaching this task at hand can’t be satisfied in a one-hour training video or in a circulated company memo. It’s a holistic approach. It starts at the executive level with an understanding of the risks posed to the organization, assigning ownership to those risks, and developing a complete strategy to implement the best known controls for those security risks in the business. That’s going to probably necessitate new awareness and training efforts on behalf of all the employees in the organization and it’s going to require that organizations adopt a new perspective and stance on cybersecurity where everyone in the organization has bought into ensuring the security of their data and their customers’ data.
Can you touch on some of the topics you covered during the webinar last week?
The webinar primarily focused around some of the key factors that make manufacturers effective and competitive in the workplace and how cybersecurity threats specifically target those factors. We talked about an organization’s ability to produce cost-effective goods and how financial attacks against their organization can undermine that cost effectiveness. We talked about the timely delivery of those goods to the customers and how business interruptions from cybersecurity events can threaten those, especially in a just-in-time manufacturing landscape. We also talked a bit about how the reputation you have with your customers is important and dependent on all of those factors. And if you are the source of leaks of your customers’ intellectual property or your counterfeit parts are starting to be associated with your quality standards even though you didn’t make them, those can have a significant damaging effect on relationships with your customers.