What Businesses Need to Know and the Resources to Help
The National Security Agency (NSA) and the U.S. government as a whole have taken drastic steps to ensure and protect our nation’s cybersecurity. A new arm of the NSA is being formed in October of 2019, specifically focused on cybersecurity by unifying its foreign intelligence and cyber defense missions. The Cyber Directorate, responsible for defending against “threats to National Security Systems and the Defense Industrial Base,” will have a direct impact on how business is conducted and manufacturers need to keep a close eye on how it develops. Attached to the IoT Cybersecurity Improvement Act of 2019, the National Institute of Standards and Technology (NIST) is tasked with developing a strategy and providing guidance to strengthen IoT security.
Manufacturers across the nation will need to act now to comply with updated cybersecurity standards and regulations. The NIST 800-171 Special Publication is a suite of business solutions that combine Hardware, Software, Security and Response plans and is required for all Department of Defense (DoD) contractors or subcontractors with controlled unclassified information. The U.S. government has previously made the call for businesses, especially those connected to the DoD sector no matter how minute, to improve their cybersecurity efforts. Up until this time, there have been no penalties associated with not complying with new cybersecurity requirements. However, that is about to change.
It is expected that in Q1 of 2020 manufacturers and businesses working within the DoD sector could face extreme penalties for not complying with NIST 800-171 requirements. The DoD sector isn’t the only one being impacted as well. The National Motor Freight Traffic Associated, Inc (NMFTA) announced in July that they will be changing their cybersecurity regulations for medium and heavy-duty electric vehicles. A very common link for all of these cybersecurity initiatives are that contracts may be pulled and fines and penalties applied.
Who Will Be Impacted?
In the state of New Jersey, there are thousands of businesses that work within the DoD sector or those that would feel the impact of the NIST 800-171 cybersecurity requirements. Similarly in the NMFTA announcement electric truck OEMs, charging station vendors, utilities, network aggregators, trade associations, standards bodies, will also face new requirements built on existing, relevant international standards and best practices. As you can see the list of businesses that will feel the pressure of new cybersecurity rules is growing, fast and easily incorporates the entire manufacturing, transportation, distribution, and supply chain industries.
Those industries directly involved with the above-mentioned sectors as well as those downstream will all be required to comply with the NSA’s new cybersecurity standards. All will need to modernize their cybersecurity plans and technology.
NIST 800-171 requires companies to protect more than technology and should be viewed as a business strategy shift. It requires manufacturers to comply with three specific areas of cybersecurity as explained in the image above.
The supply chain is such a complex weave from large to small manufacturers, some business may not immediately assume they would be affected by the NIST 800-171 standards, or perhaps are not DoD suppliers currently. It can be a challenge to know if the updated cybersecurity requirements will impact a business or the associated cost of becoming NIST 800-171 complaint. The only way to know for sure is to reach out to a NIST partner like NJMEP and conduct a thorough review.
NJMEP works directly with NIST, tasked with developing strategies and providing guidance to our nation’s manufacturers and logistics companies. The NJMEP cybersecurity vertical team has the expertise and knowledge to assist businesses to identify if they need to begin the process of becoming compliant.
These new rules and upcoming penalties for non-compliance can be compared to the ISO 9001:2015 rush that happened in late 2014. Businesses, even those that didn’t expect ISO 9001 regulations to impact their operations discovered that they must abide by these rules or risk losing the ability to bid on certain contracts. These enforcements seemingly happened overnight and manufacturers throughout New Jersey were rushing to ensure their business complies with ISO 9001: 2015.
Manufacturers are in a similar situation with the updated cybersecurity regulations. It’s critical to act fast knowing that these changes are on the horizon. Unique to cybersecurity, it will require an entire business strategy along with training for individuals in the C-suite to the shop floor. No matter their role, every person within an organization can spark a cyber breach.
Hackers are clever. Even when the technology to protect an organization’s critical data is in place, it can only protect known vulnerabilities. The image above is a representation of how hackers exploit unknown vulnerabilities and how firewall patches can only act on those reported to the developer.
Ransomware attacks, silent lurky infectious malware, or the other slew of cyber concerns will directly hinder business growth. It takes a shift in business culture to create a secure and growing organization. However, the value far outweighs the effort compared to addressing the damage cyber threats can cause. If the cyber threat infects suppliers, distributors, or customers, the fallout can be immense. The clean up could take years and result in a damaged reputation, compromised intellectual property, and lost customers.
Business Strategy / Training
Cybersecurity, in general, is largely dependent upon awareness. From not clicking that questionable link on the internet to being on the lookout for Phishing attempts that impersonate co-workers, understanding the treats is the first step toward protecting a business from cyber criminals. However, to truly ensure the cybersecurity of an organization, it takes an all-encompassing business strategy and targeted training for every employee. Furthermore, having a plan in place to address and react to cyber threats is critical in order to comply with the updated cybersecurity regulations.
NJMEP is the leading expert on these new rules and regulations and has the capacity and ability to address a New Jersey manufacturer’s cybersecurity compliance concerns. Starting at identifying if a business will be impacted by the new regulations through training and reaction plans, NJMEP is available to lend support. Cybersecurity is a critical aspect of business if a manufacturer falls under these new rules.
Whether cybersecurity is on the top of mind or there are other areas a business needs to review and potentially improve, NJMEP has the whole suite Business Growth Services ready to assist. The Business Growth Suite of Services includes cybersecurity training and compliance, succession planning, the development of new sales channels, and a host of other critical services to ensure manufacturers thrive in an increasingly competitive environment.
To find out more about these new cybersecurity rules and regulations, contact Ray Martinelli, NJMEP’s Cybersecurity and Supply Chain Specialist. For additional information on the Business Growth Suite of Services, reach out to Ben Dominguez, NJMEP’s Growth & Innovation Specialist.
This article appeared first in Manufacturing Matters! Sign up and keep up with the latest news, developments, and events for New Jersey manufacturing.