By   Stephen LaMarca, Manufacturing Technology Analyst

If you run your manufacturing facility with controllers, are you using the latest acceptable operating system? A factory with controllers using a dated OS is just one example of cyber vulnerability.

The Office of  Personal Management was breached in June of this year because of a vulnerability related to the scenario above. This preventable breach was caused because of unpatched servers. It could have been thwarted via current patches and an implementation of two-factor authentication. The OPM breach sparked the Cyber Sprint which ultimately led to the CSIP.
 
On October 30 of this year, the Federal Chief Information Officer (FCIO) Tony Scott released the “Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government” to the general public. Through this document, the Office of Management and Budget (OMB) has directed a series of actions for federal agencies to continue strengthening cybersecurity and modernizing the government’s technology infrastructure.

Five objectives are set forth in the CSIP that focus on strengthening federal civilian cybersecurity. The first objective is prioritizing the identification and protection of high value information and assets. Next is the timely detection of and rapid response to cyber incidents. Following this is the rapid recovery from said incidents when they occur. The fourth objective is the recruitment and retention of the most highly qualified cybersecurity workforce talent the federal government can bring to bear. Lastly, is the efficient and effective acquisition and deployment of existing and emerging technology. For the most part, all government cybersecurity literature is based around “identify, protect, detect, respond, and recover.” 

The CSIP timeline for federal agencies is available at https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf on page 4 of the document.

So what does this mean to those in the manufacturing industry? If a company plans to sell to the government in the future, they will have to establish a baseline cybersecurity program with defined industry best practices for security protections. All federal acquisitions will have blanket requirements for such sourcing.

A high value asset (HVA) is defined in the CSIP as “systems, facilities, data and datasets that are of particular interest to potential adversaries. These assets, systems, and datasets may contain sensitive controls, instructions or data used in critical federal operations, or house unique collections of data (by size or content) making them of particular interest to criminal, politically motivated, or state-sponsored actors for either direct exploitation of the data or to cause a loss of confidence in the U.S. government.”

Should a company operate a HVA, then they will get strong influence to adopt the Cyber Security Framework (CSF) put out for industry assets. This involves having a security program with defined industry best practices. The CSF was written specifically for industry, thus is lighter in requirements than those listed in the Federal Information Security Modernization Act (FISMA), which is geared more toward government use.

Alongside the CSIP and the CSF is another powerful government tool available to the public’s disposal, the National Checklist Program (NCP). The NCP is the federal database of publicly available security checklists (benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.

Cyber threats cannot be eliminated entirely but they can be managed much more effectively. These tools help get the current federal system in order and are excellent models for civilian and commercial systems to go by.

For more information on any document mentioned above or the official document itself go to:

CSIP – https://www.whitehouse.gov/sites/default/files/omb/memoranda/2016/m-16-04.pdf

CSF – http://www.nist.gov/cyberframework/

NCP – https://web.nvd.nist.gov/view/ncp/repository