It’s a fact: The manufacturing industry is one of the most vulnerable to cyber attacks. Besides the government sector, manufacturing was the most targeted industry by cybercriminals leveraging ransomware in 2020.
There are a lot of cybersecurity hurdles that manufacturers face. They often rely on legacy technology—which is inherently harder to secure—while also layering in cloud technologies. This means they’re using a hybrid environment that can be cumbersome to protect.
Aside from the difficulty in securing these environments, cybersecurity compliance adds another layer of complexity. Cybersecurity Maturity Model Certification (CMMC) compliance is something manufacturing companies need to start considering as they attempt to secure government contracts. While many industries can get away with not complying with CMMC (for now), manufacturing doesn’t have that luxury for very long.
Why CMMC compliance matters
As a manufacturer, if you intend to secure contracts with the Department of Defense (DoD) or other government contractors, the CMMC requirements apply to you. Even if you do not intend to seek these contracts in the near future, using CMMC as a guidepost for your cybersecurity program will help you reach a higher level of maturity.
If you’re already familiar with National Institute of Standards and Technology (NIST) compliance, CMMC is very similar. The first three levels are practically identical (granted, with a slightly different naming convention). If you are NIST-compliant already, you are well on your way to becoming CMMC-compliant.
There are 5 levels under the CMMC:
- Level 1: Basic cyber hygiene: Requirements include 15 “basic safeguarding requirements” found in the Federal Acquisition Regulation (FAR) clause 52.204-21; this level does not require process maturity. It is only concerned with protecting Federal Contract Information (FCI).
- Level 2: Intermediate cyber hygiene: Requirements include implementing 65 “existing NIST SP 800-171 security requirements” in addition to 7 new practices (or “implementations”) and 2 new processes. At this level, you’ll want to establish your process documentation.
- Level 3: Good cyber hygiene: As mentioned above, this requires everything needed for NIST SP 800-171 compliance plus 13 other practices. Level 3 requires the heaviest practices around “System and Communications Protection.”
- Level 4: Proactive: This level overlaps with 121 practices found in NIST and adds 15 new practices and various processes. Here, the focus is on reducing the risk of Advanced Persistent Threats through reviewing and measuring activities for effectiveness.
- Level 5: Advanced/Progressive: Requirements include continuous improvements to cybersecurity processes along with standardization and optimization of process implementation. This level requires a total of 171 practices, just 15 more than level 4.
In the details of CMMC, at levels 3 and 4, there are two requirements around Domain Name System (DNS):
- Implement DNS filtering services (Level 3)
- Utilize threat intelligence to proactively block DNS requests from reaching malicious domains (Level 4)
In recent publications, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have referred to these requirements as Protective DNS, or PDNS. This technology adds an interesting layer to CMMC requirements.
The role of PDNS in CMMC
PDNS is an important cybersecurity solution for the manufacturing industry because it functions well in hybrid environments, blocking malicious DNS queries no matter where they originate from. In one recent study by the Global Cyber Alliance, over 33% of data breaches analyzed could have been prevented if PDNS were in place.
PDNS is the term for a security solution that examines DNS queries and protects users from accessing deceptive sites that contain malware, ransomware, phishing attacks, and other dangerous content. The service does this by categorizing website domains, determining if they are benign or malicious, and then blocking users from accessing those sites if deemed a threat.
CISA and the NSA released a joint statement around PDNS earlier this year for this reason: “Protecting users’ DNS queries is a key defense because cyber threat actors use domain names across the network exploitation lifecycle: users frequently mistype domain names while attempting to navigate to a known-good website and unintentionally go to a malicious one instead.”
They go on to say: “Due to the centrality of DNS for cybersecurity, the Department of Defense (DoD) included DNS filtering as a requirement in its Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192).”
But on top of the DNS requirements at levels 3 and 4 (and PDNS in particular), they also released recommendations on what features you should look for in a PDNS provider.
These features include:
- Ability to block malware and phishing domains
- API access for developers
- DNS encryption
- Use of machine learning and artificial intelligence in addition to static threat feeds (important for reaching Level 4)
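The categorize-then-block decision that PDNS makes on each query, described above, shown as an added Python example (not code from the article or from any PDNS vendor). It combines category filtering with a threat-intelligence feed and matches subdomains against parent-domain entries; every domain name, category and feed entry in it is a constructed sample.

```python
# Added illustration of a Protective DNS policy check; not a vendor implementation.
# All domain names, categories and feed entries below are constructed samples.

BLOCKED_CATEGORIES = {"malware", "ransomware", "phishing"}  # policy choice

# Constructed category database (the DNS filtering side).
CATEGORY_DB = {
    "bad-downloads.example": "malware",
    "login-verify.example": "phishing",
    "supplier-portal.example": "business",
}
# Constructed threat-intelligence feed (the proactive blocking side).
THREAT_FEED = {"c2-beacon.example"}
# Local allowlist overrides both, e.g. for a reviewed false positive.
ALLOWLIST = {"cdn.bad-downloads.example"}


def normalize(qname: str) -> str:
    """Lower-case and strip the root dot so 'Evil.Example.' matches 'evil.example'."""
    return qname.strip().rstrip(".").lower()


def candidates(qname: str):
    """Yield the name and each parent domain, most specific first (stops before the TLD)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def decide(qname: str) -> tuple[str, str]:
    """Return (action, reason) for one DNS query name."""
    for name in candidates(qname):
        if name in ALLOWLIST:
            return ("allow", f"allowlist:{name}")
        if name in THREAT_FEED:
            return ("block", f"threat-feed:{name}")
        category = CATEGORY_DB.get(name)
        if category in BLOCKED_CATEGORIES:
            return ("block", f"category:{category}")
        if category is not None:
            return ("allow", f"category:{category}")
    return ("allow", "uncategorized")


def filter_queries(queries):
    """Apply the policy to a batch of query names, as a resolver log replay would."""
    return {q: decide(q) for q in queries}
```

Returning the reason alongside the action lets each block be logged with the rule that fired, which is what makes false positives reviewable and gives process documentation something concrete to point to.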
Navigating compliance (especially government compliance) can be tricky for manufacturers to get right. But building blocks such as PDNS, anti-virus, two-factor authentication/multi-factor authentication (2FA/MFA), password managers, and defined security processes are the stepping stones toward cybersecurity maturity.
Opinions expressed by contributing authors are their own.