According to a 2019 Cybersecurity Readiness Review, adversaries have successfully stolen up to US$600 billion in intellectual capital each year out of the United States Defense Industrial Base (DIB). The thefts significantly erode military and economic advantages and put newly developed weapons and other systems at risk.
Last year, the Department of Defense (DoD) said “not anymore,” rolling out a Cybersecurity Maturity Model Certification (CMMC) program for the 300,000+ members of the DoD supply chain.
The Project Spectrum CMMC Readiness Pilot, sponsored by the DoD, is being led by the Maryland Innovation and Security Institute (MISI), and its team at DreamPort. DreamPort is a state-of-the-art cyber innovation, collaboration, and prototyping facility based in Columbia, Maryland. The readiness pilot is designed to do three things:
- educate and create awareness on cyber and cyber resiliency
- test and evaluate solutions
- provide data on exactly what tools aid in the compliance journey, their cost, and the technical and human level of effort required to achieve compliance
Read on to learn how the CMMC program works.
Supply Chain Security Gaps Lead to Loss of Competitiveness
“There was a Naval weapons system that was being engineered and manufactured in the Norfolk, Virginia, area,” said Armando Seay, Director of DreamPort. “Threat actors in China were able to determine what that weapon system was going to look like, and get the plans by hacking the Defense Industrial Base. They didn’t really have to hack the Navy to access the information. They likely could have – it didn’t mean they didn’t try, but it was a lot easier to hack the dozen or more companies that were part of the Defense Industrial Base supply chain to gain easier access.
“The attackers stole the plans, and then produced the weapon faster and cheaper. Of course, the breach was discovered, but obviously we couldn’t build that weapon system anymore because it had been severely compromised.
“Here’s another example. There’s a plane being used in China right now that is based on U.S. design plans also stolen out of the DIB. The depth of these thefts is costing the nation money, it’s costing taxpayers money, and it’s also putting the nation at risk. How do we protect ourselves or defend ourselves or stay ahead of adversarial countries like China and Russia if we can’t protect our own IP?” Seay asked.
In addition to IP theft, there was also concern that the supply chain could be disrupted by a cyberattack. To deal with all potential security scenarios, the DoD created security requirements for five levels of CMMC compliance. Now, to participate in the DoD procurement process, supply chain vendors of varying sizes and security postures are required to commit to appropriate levels of cyber compliance and resiliency.
Cybersecurity Maturity Model Levels – From Basic Cyber Hygiene to Advanced Security Practices
“Level one is basic cyber hygiene, something that all businesses should be doing anyway,” Seay said. “Level two gets a bit more sophisticated. Level three, the kitchen sink gets thrown in, and so on. If the vendor is building a fighter jet, or a nuclear weapon system, or super-secret technology that absolutely positively cannot be stolen, they need the highest level of security compliance. Levels four and five are where maturity measurements come in place,” he added.
“All our vendors want better security than they have right now, which in some cases was zero,” Seay said. “They understand that in order to support the Department of Defense, whether it’s for one hundred or hundreds of millions of dollars worth of business, they must be compliant with our cybersecurity standards of level one through level five as appropriate. We now conduct regular audits and enforce compliance. If vendors don’t maintain their level of cyber resilience, they simply won’t be granted a Department of Defense contract.”
The goal of the CMMC program is to significantly strengthen cybersecurity for DoD suppliers, many of which are manufacturers. But whether we’re talking about defense contractors or the millions of manufacturers serving in the global industrial space, the mission is exactly the same: understand what your current OT and IoT security posture is, and create a plan to better protect your operation and processes against vulnerabilities, threats, and any sort of cyberattack.
Identifying Advanced Security Solutions That Are Effective, Easy to Implement, Affordable
An important component of CMMC program success involves identifying advanced security solutions, both hardware and software, that are relatively easy for supply chain vendors to implement.
One of the core technologies needed revolves around the ability to passively and non-intrusively sense and detect threats and vulnerabilities in an industrial environment, without disrupting ongoing operations.
“At the beginning, we asked supply chain participants basic questions like: What are you running in your environment? Do you know what devices are on your network? How are they communicating with each other? We found that many of them lacked this fundamental security insight. But without it, they can’t begin to protect themselves against cyberattacks,” Seay said.
“We all tend to focus on IT – the computers we use, the networks, and so on, but we totally forget that while manufacturers use IT, they also use something called OT, operational technology,” Seay said. “The way you secure OT and even IoT is different than the way you secure IT. The software and the technology that’s needed to determine whether a manufacturing enterprise has been compromised is different.”
Nozomi Networks Contributes Advanced OT and IoT Security with Guardian
The DreamPort cyber innovation center opened in late 2018. In 2019, Nozomi Networks joined the roster of DreamPort collaborators to help advance supply chain vendor security and accelerate their compliance with CMMC levels.
Nozomi Networks contributes its industrial-strength OT and IoT security technology to the cause, addressing both the Asset Management (AM) and Situational Awareness (SA) domains within the CMMC model.
The Guardian OT security solution was chosen for several reasons:
- It immediately solves the visibility problem with an automated, up-to-date asset inventory
- It quickly detects and disrupts threats and anomalous behavior
- The Threat Intelligence subscription service continuously monitors mixed OT and IoT environments and delivers ongoing threat and vulnerability intelligence
- It doesn’t disrupt the supply chain member’s operations
- It accelerates a supply chain member’s path towards CMMC compliance
- It has an agreeable price point
High Cyber Resiliency is Essential to Guard Government Supply Chains
“Attacks on the industrial base are not slowing down. In fact, they’re increasing because a large segment of our nation ignored the operational technology sector, the manufacturing sector, the industrial sector,” Seay said. “It wasn’t until Ukraine (where attacks shut down the power grid twice in two years) happened that we started realizing that these attacks were a real threat. The adversary goes to where we’re not looking. They go to our weak flank, not our strongest flank.”
Supply chain (and manufacturing) resilience lies in increased operational visibility, cyber awareness, best practices and standards, and compliance. That’s exactly the focus of the DoD’s supply chain program – that and making sure intellectual property stays in the right hands.