Paperless Parts
Published

5 Best Practices for Manufacturing Cybersecurity

A Department of Defense (DoD) push to protect data by vetting suppliers more thoroughly illuminates how any CNC machining business can improve. 

Share

Is your customers’ data secure? Most leaders of CNC machining businesses likely would say “yes,” but answering in the affirmative is no longer enough for those seeking sensitive defense-industry work. The struggle to meet new government standards shows the extent to which basic cybersecurity best practices can differentiate not only these manufacturers, but virtually any shop trusted with sensitive data. 

 

Our expansive July 2019 issue cover story, “How to Become a Defense Supplier,” touched on more than cybersecurity.

This was the subject of a recent conversation with David Watts, solution consultant at Avatara, an information technology firm that is focusing on helping small- and mid-sized manufacturers meet new Department of Defense (DoD) requirements. More specifically, Avatara is helping DoD suppliers prepare for Cybersecurity Maturity Model Certification (CMMC). While current regulations dictate that DoD suppliers constantly track and update their own security policies and report on progress, the new CMMC requires answering to third-party auditors, and doing so prior to the awarding of a contract rather than after the fact. “A lot of manufacturers are going to be caught flat-footed,” Mr. Watts says.

National security implications aside, Mr. Watts says a crisis for some can present opportunity for others. Based on Avatara’s experience with customers so far, the most significant areas of weakness involve practices and procedures that are rudimentary by modern cybersecurity standards, even if they take time and effort to implement. As he puts it, “If you don’t do this stuff, you’re nowhere near ready for CMMC. But really, a lot of it could be viewed as basic best practices for anyone.” Examples include:  

Training Regularly

Although the specifics had not been published at the time of this writing, the CMMS builds directly on the current National Institute for Technology (NIST) 800-171 standard, which already specifies training for key employees. “You’ll have to show the auditors, ‘Here are the training sessions, here are which ones we passed and failed, and here’s what we’re doing about it if we failed,’” Watts says.

Even without auditing, staying up to date is essential because threats are ever-evolving, he says. For example, security technology might not be enough for shops that do not appreciate the power of social engineering tactics. Phishing, or the sending of fake emails to obtain passwords or other information, is a classic example. “Just having a firewall in place is not enough to prevent that,” he says, adding that formal training should include practicing fake attacks. “It’ll tell you ‘Bob clicked this link seven times,’ and then you can tailor your training to Bob.’”

Requiring Strong Passwords

Password policies — that is, the rules governing what makes a good password — could explain part of the reason for the prevalence of tactics like phishing. Mr. Watts says that following best practices for passwords is a requirement for CMMC Level 3, the minimum level of certification for most CNC machining businesses seeking DoD contracts. Examples include requirements for certain numbers of characters and symbols; requirements that passwords change regularly; limits on using identical passwords; and limits on log-in attempts.

Requiring Multi-Factor Authentication

Multi-factor authentication refers to the use of multiple means — that is, more than just a password — to verify that users are who they say they are. For instance, a bank might ask for both a log-in ID and the answers to personal security questions. This is good practice in general, but necessary for CMMC, Mr. Watts says.

Monitoring for Threats

As is the case with current NIST standards, CMMC requires monitoring incoming and outgoing data to detect attacks and potential indicators of attacks, Mr. Watts says. Examples include malicious code, communications with external systems, unusual traffic patterns and so forth. Likewise, records of data crossing a network are necessary to identify attackers, weak points and more in the event of a security breach.   

Considering Security Beyond the Virtual

One of the simplest ways to steal sensitive data is to simply plug a USB stick into a computer or server. For its part, Avatara maintains all customers’ data in a private data center environment. Servers lack a port for any removable media, and are locked behind biometric access points and defended by armed guards. Manufacturers that opt to maintain their own information technology infrastructure may not go to these lengths, but precautions might be warranted even if the risk is more to a shop’s own financials rather than national security.  

World Machine Tool Survey
The view from my shop.
DN Solutions
Paperless Parts
Techspex
benchmark international advanced manufacturing trade show
Hurco
Mazak - Innovative manufacturing for medical
Kennametal
MMS Top Shops
SolidCAM
Starrett 2900 Series Digital Indicator

Related Content

SPONSORED

How this Job Shop Grew Capacity Without Expanding Footprint

This shop relies on digital solutions to grow their manufacturing business. With this approach, W.A. Pfeiffer has achieved seamless end-to-end connectivity, shorter lead times and increased throughput.

Read More

Reinventing a Precision Shop With a Data-Driven Mindset

When this machine shop lost 90% of its business within three months, a reinvention was in order. Here's how it survived after quickly falling on hard times.

Read More
SPONSORED

Swiss-Type Control Uses CNC Data to Improve Efficiency

Advanced controls for Swiss-type CNC lathes uses machine data to prevent tool collisions, saving setup time and scrap costs.

Read More

Machine Monitoring Boosts Aerospace Manufacturer's Utilization

Once it had a bird’s eye view of various data points across its shops, this aerospace manufacturer raised its utilization by 27% in nine months.

Read More

Read Next

CNC & Machine Controls

When It Comes to Cybersecurity, Be Scared, but Be Prepared

Warnings about threats to internet-enabled networks in manufacturing plants should be taken seriously without giving in to alarmist overreactions. The risks are real, but manageable, while the benefits are too compelling to forego.

Read More
CNC & Machine Controls

Cybersecurity for Job Shops

Small and medium-size machining job shops can take steps to protect computerized or networked assets such as CNC machines from cyber attacks. 

Read More
Paperless Parts