The cyber war for data, for control, and ultimately for money, is fought today with more intensity than ever. Ransomware attacks continue to advance with greater sophistication and spread like spilled water into every crevice of business, industry, and government—no one is exempt from becoming a target, and most in foundry management would agree that cyber security is now a threat that shouldn’t be ignored. This year, in fact, the metalcasting industry will not be able to avoid new challenges in this evolving conflict.

The world of the dark web and its throngs of hackers and “bad actors” is a thriving, multibillion-dollar industry, and companies large, medium, and small are all at serious risk. Even novice hackers can buy “ransomware-as-a-service,” and because many countries don’t legislate against malicious cyber activity, it’s become a worldwide business opportunity with low barriers to entry and high profit potential.

“We’re seeing more and more successful ransomware attacks,” said Laura Élan, senior director of Cybersecurity at MxD, “and one of the challenges is that it goes after your human capital. It uses phishing emails, and these are getting really good. All it takes is one click. If they break into your system and do a cryptolock, and if they can get 10 or 20 grand from you, that’s a payday.

“I think there’s a bias we have to change, because small manufacturers are at just as much risk as large ones,” she added. “Granted, the large companies have the big pocketbooks, but the smaller companies may be easier to attack because they may not have the same level of know-how and the deep IT and cyber bench that a large company might have. If I’m a crook and I can get into a small company and take advantage of what they have, and if they’re connected to a larger company, I can pivot all the way up and down the supply chain.” 

Instead of being protected by their “insignificance” to criminals, small foundries might in fact be the preferred target and would do well to consider their own risk, as well as the risk they pose to their customers and suppliers.  

Straight out of the gate, if a company is concerned about ransomware, two immediate and effective actions will shut down a sizeable amount of vulnerability, according to Élan. 

1. Identify types of email and attachments to automatically be quarantined and blocked from passing into employees’ inboxes.
2. Train people to recognize phishing email and only open legitimate, business correspondence. 

“Just those two actions alone can get rid of so much ransomware potential risk,” Élan said. “These are straightforward things companies can implement throughout their IT networks, and they’re very effective.”

Caring Enough to Act

Four key drivers will light the fire in foundries to create and execute a cybersecurity plan—every company will naturally be motivated differently and will shape their plans uniquely according to their individual operations, products, and customers. 

Driver 1. Concern about business disruption has moved many companies to seek cyber insurance to mitigate potential losses. What they must understand, however, said Élan, is that cyber insurance companies, like any other insurance companies, have specific prerequisites about the cyber activities that support an organization’s cybersecurity hygiene, aka its “cybersecurity posture.” 

“Organizations need to be mindful that in order for their insurance criteria to be met, they may have to do certain actions within their environment and be able to prove it,” she said. 

Driver 2. Foundries aren’t islands unto themselves. Regardless of size, all are involved in making parts that flow up and down in a supply chain that is digitized. These days, more and more top-level manufacturers (casting buyers) recognize they’re only as secure as the people and companies with whom they do business. Hence, more foundry customers, by virtue of their procurement language, are instituting new cybersecurity requirements to which foundries must either comply or be left out of the bidding process. 

Driver 3. Foundries that serve the U.S. Department of Defense (DOD) must demonstrate compliance with the Defense Federal Acquisition Requirements System (DEFARS), which addresses the control of unclassified, federal contracting information. Presently, those doing business with DOD are able to self-assess and report their Supplier Performance Score (SPS), which measures compliance with the guidelines of National Institute of Standards and Technology: NIST SP 800–171.

Driver 4. At the end of the day, fear itself is a powerful motivator, and the troubling vision of a crippled operation is enough to evoke preventive action. A company compromised by a cyberattack comes to a screeching halt, rendered unable to deliver product, stated Élan. “I’d like to think that companies want to put cybersecurity in place to protect the supply chain partners they’re connect with, but that’s not always true.” What is true, she said, is that awareness and business risk is stirring an increasing number of companies to enter the cyber fray to defend themselves. 

Although participation is going in the right direction, cybersecurity among small and medium players in the manufacturing sector—including foundries—is far from 100%. MxD research found that less than half have completed a cybersecurity evaluation against NIST SP 800–171, Élan’s preferred standard and the one from which an SPS score can be calculated. The outcome improved when small to medium companies were asked if they have done a cybersecurity assessment against any known framework—70% said they had.

“That actually is a good sign that people are adhering to freely-available guidance and standards,” said Élan. “I’m a big believer and a big proponent of the NIST cybersecurity framework and all of the guidance, especially publications that are being developed with input from the public.

“I always say the good news is, there’s a huge body of knowledge for cybersecurity. And the bad news is, there’s a huge body of knowledge! It can get overwhelming, but the NIST cybersecurity framework has a lot of tools that manufacturers can use.” 

Changes This Spring 

Foundries currently doing or aspiring to do business with the U.S. military are already familiar with the compliance standards contained in DEFARS (the NIST SP 800–171), as well as the Cybersecurity Maturity Model Certification (CMMC), which specifically deals with the protection of confidential unclassified information and federal contracting information. In other words, it’s a program addressing the confidentiality and integrity of specific information that’s shared between the Department of Defense and the manufacturing supply chain. 

However, some may not yet realize that the DOD has updated CMMC, and the CMMC 2.0 final rule is expected to be adopted in March 2023, with an effective date anticipated in May.

Fortunately, said Élan, the DOD aligned CMMC 2.0 to use the same set of requirements as the DEFARS program, so everything a company has already put in place based on NIST SP 800–171 is completely appropriate—these guidelines remain the base set of requirements, she said. 

One major change foundries must prepare for has to do with the assessing of their own compliance. The autonomy of self-assessment permitted with DEFARS will be going away for DOD suppliers, and it won’t be long till mainstream manufacturing casting buyers also follow the path set by the military.

“A big takeaway message I would like to reinforce for foundries is that, under the CMMC program, organizations that have to comply will have to go through a third-party audit,” said Élan. “That is a different game than a self-assessment.”

Under CMMC 2.0, it will be the responsibility of the foundry to not only meet all the published cybersecurity requirements, but to then hire a certified third-party assessment organization. The outside audit will not only add time––perhaps as much as six months—to the compliance process, but will increase the complexity.

Just like an IRS audit, companies will have to demonstrate the cybersecurity measures they’ve established internally or outsourced. 

And then there’s the cost. Depending on the size of your company and the scope of confidential unclassified information you process, an assessment against CMMC 2.0 (or even another standard) could run from $15,000 to over $50,000, according to Élan. 

Customer demand for third-party auditing of cybersecurity compliance won’t be isolated to military and federal casting contracts. Even now, Élan said, other industries may be considering requirements that will mirror DOD’s.  

Where to Start If You Haven’t

Given the updated national cyber-safeguards coming around the bend this year and the anticipated adoption of DOD and government procurement language by the casting buying community, no casting supplier can really hide from instituting security measures. The very first thing to do if you’ve done little or nothing to date is: Assess.

“Hands down, that is what we recommend,” said Élan. “We always recommend that you know where you are—because if you don’t know where you are, you don’t know what you have to do. Whether you do a self-assessment or hire someone to walk through and assess where you are, this gives you a road map for your next steps.”

MxD offers a free tool called the Cyber Marketplace at mxdusa.org/marketplace that assists with cybersecurity self-assessment against a number of different standards, including the NIST SP 800-171, which is the basis for CMMC and DFARS requirements. 

Part of assessment includes identifying what kind of foundry you are today, who your customers are and what they need, as well as your future goals. If there’s no federal contract information or confidential unclassified information in your foundry’s imminent future, you don’t have to sweat the CMMC 2.0, but you won’t go wrong with NIST. Boil it down to: (A) what is your objective, (B) what are your regulatory requirements, and (C) what cybersecurity framework supports your business goals.

Here are some ways to match the type of information you need to protect to the right cybersecurity framework:

• Just OT systems—NIST 800-53
• Payment systems—PCI DSS
• Only systems with “sensitive information”—NIST 800-52
• Only systems on critical (H/M) assets—NERC CIP
• Cloud systems—ISO/IEC 17788

“I think it’s important for organizations to do a little bit of research, knowing what industries they’re in and determining what standards are meaningful in those industries,” said Élan. “Ask yourself what your insurance requires and what your suppliers are asking for. Then pick one.

“The good news with an assessment is, you can see where your gaps are––then you can take a look at what you need to remediate and make a case for budgeting for the kinds of controls and capabilities that should be implemented. It won’t be a ‘one and done’ activity. And for those who haven’t started, we encourage you to get started with an assessment of your current security capabilities.”   

Click here to view the article in the January 2023 digital edition.