It started — like so many stories with disastrous endings — with a suspicious email.
A well-meaning loan officer at a bank checked his inbox and found an unread message. The return address seemed okay — it apparently came from someone else at the bank. Looks legit. Click!
Only it wasn’t legit.
Scott Singer of CyberNINES says this was “a social engineering situation,” meaning the bank employee was fooled by a convincing email address, some smartly crafted words of persuasion, and a sense of wanting to comply with the emailer’s wishes.
The email prompted the employee to contact customers and get them to change critical banking information, the kind of information that could nudge open a virtual door just wide enough to let a cybercrook waltz right in.
Because of this email — and untold financial losses — the bank enlisted the help of Singer’s firm to conduct workshops and training sessions to educate employees about phishing and ransomware.
If you think this happened a decade ago when people weren’t yet savvy to the danger of cyberattacks, think again: This happened just a few months ago.
For manufacturers, the virtual world can bring both efficiency to workflow and havoc to work product or finances.
And it’s not just criminals in the virtual world that manufacturers need to worry about. Any manufacturer doing business with Department of Defense prime contractors has known for years that they’ll soon need to demonstrate compliance with federal cybersecurity standards. And for years, the date by which they must be in compliance has been a moving target. But now the date has been set: October 2023. Any manufacturer working as a subcontractor for the Department of Defense by then must have a demonstrated security plan in place. If they don’t, they’re out. And that fact certainly will put some small manufacturers out of business.
Between threats of cyberattacks and the security demands of getting defense department contracts, the message is clear: Manufacturers can no longer afford to ignore cybersecurity. You either play ball or go home.
That’s so ransom
Laura Ekholm, executive vice president of L&M Radiator in Hibbing, says her company has been hit hard by cyberattacks. Luckily they had insurance. Two of the three attacks resulted in losses totaling nearly a half million dollars.
An employee received an email from what appeared to be a shipping company L&M works with regularly. The email came with an attachment, and the wording seemed authentic. The employee opened the attachment, which executed ransomware on the company’s network.
“We have good security systems in place and backups off site,” Ekholm says. “We thought we were doing everything right. We did everything right. But it doesn’t matter.”
L&M took measures to shut down their system, but by then the damage had been done. The cybercriminals held their data for ransom, demanding $350,000 for its safe return. Without the ransom, all of L&M’s employee and vendor data would be released “to the dark web.”
Ekholm and others at L&M thought for a moment. What data could they possibly have that would be damaging to people or vendors? They determined the data wouldn’t be that damaging. But they also determined it wasn’t their decision to make, and that they needed to take measures to prevent the information’s dissemination.
The insurance company paid the ransom. And when they looked at the data, they realized they were right; there wasn’t much sensitive information involved.
Still, they notified the FBI. And were thankful they’d invested in cybersecurity insurance.
“I couldn’t be a bigger advocate for cyber insurance,” Ekholm says. “They came in and took care of everything.”
A year before that, L&M dealt with a similar situation. Instead of a ransomware case, it was a clever scheme to convince a well-intentioned employee to send $100,000 to a bank in Hong Kong.
“They were pretending to be one of our vendors. The tone of the mail made it seem like everything was legitimate,” Ekholm recalls. “It seemed real, but none of it was.”
The scammer convinced an employee to do the wire transfer. And they’d have gotten away with it if it hadn’t been for an observant CFO, who called a very confused vendor to find out why bank information was abruptly changed.
“She’s like, ‘What the heck, Tom? What’s this huge wire about? You have to give us a heads up on these things.’ And he said, ‘What are you talking about? I have no idea.’”
They called U.S. Bank and convinced them to freeze the wire transfer. They also took the matter to court. In the end, they got their $100,000 back. Attacks such as these have caused L&M to take cybersecurity very seriously.
“It was an eye opener,” Ekholm says. “We had done training and were doing things to make people aware. But the frustrating part was clicking on an attachment in an email that you normally would click because you get emails from them all the time. How do you help that? So, we continue doing training on looking at the IP address and taking a closer look to make sure everything looks right.”
Two years ago, focus groups in Enterprise Minnesota’s State of Manufacturing® survey revealed that a startling number of manufacturers have fallen prey to cyberattacks. In almost every focus group, someone told a story of getting hit with ransomware attacks, including one company owner who said, “The week we went into lockdown for the coronavirus, we got hacked. It was ransomware. It cost about half a million bucks to get up on the other side of that. Thank goodness it didn’t cost us. I guess we had insurance for a big chunk of it. But it was an absolute nightmare.”
If you’re still uncertain about steps to take to avoid being a victim, here are a few simple ones.
Be wary of emails asking you to take action – Refrain from clicking anything in any email when you’re unsure of its origins.
Hover over links to inspect or verify URLs – You’d be surprised how many times a link in an email can look legit but actually be nefarious. The visible text of a link and its real destination are two separate things: a link that reads www.wellsfargo.com can point anywhere the sender chooses. Check the destination that appears when you hover, and read the whole domain, not just whether a familiar name appears somewhere in it.
Go directly to the source – If you’re unsure, open a fresh browser page and go to the company’s site on your own, without clicking the emailed link.
Never pay the ransom – It only encourages cybercriminals, and there is no guarantee you will receive a working decryption key or get your data back.
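The “hover over links” advice above can be automated for a whole message. The following is an added example, not code from the magazine or from any of the firms quoted: it pulls every link out of an HTML email body, compares the domain the link text shows against the domain the href actually points to, and also flags two other habits of phishing kits, a raw IP address as the host and a punycode (IDN) host. The email body is constructed for the example, and the hostnames in it are placeholders. The “registrable domain” check is a simplification (last two labels); a production check would consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; the hostnames are placeholders, not real senders.
CONSTRUCTED_EMAIL_HTML = """
<p>Your account needs attention:
   <a href="http://wellsfargo.com.secure-login.example/verify">www.wellsfargo.com</a></p>
<p>Track your shipment:
   <a href="https://www.ups.com/track?loc=en_US">https://www.ups.com/track</a></p>
<p>Your invoice is attached:
   <a href="http://203.0.113.7/inv.php?id=8812">View invoice</a></p>
<p>Vendor portal:
   <a href="https://xn--80ak6aa92e.com/login">wellsfargo.com</a></p>
"""

_URL_LIKE_TEXT = re.compile(r"^(https?://)?(www\.)?[a-z0-9-]+(\.[a-z0-9-]+)+(/\S*)?$", re.I)
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Hostname of a URL, or of bare text such as 'www.example.com/path'."""
    s = url_or_text.strip()
    if not re.match(r"^[a-z][a-z0-9+.-]*:", s, re.I):
        s = "http://" + s  # bare host in the link text, no scheme
    return (urlsplit(s).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: a real check consults the
    Public Suffix List so that 'bank.co.uk' is not reduced to 'co.uk'."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(href: str, text: str) -> list:
    """Return the reasons a link deserves a second look (empty list = nothing odd)."""
    findings = []
    target = host_of(href)
    if not target:  # mailto:, tel:, relative links: nothing to compare
        return findings
    if _IPV4.match(target):
        findings.append("raw IP host")
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append("punycode/IDN host")
    if _URL_LIKE_TEXT.match(text):
        # The text looks like an address, so the reader will trust it as one:
        # compare what is shown against where the link really goes.
        shown = host_of(text)
        if registrable(shown) != registrable(target):
            findings.append(f"text shows {shown} but link goes to {target}")
    return findings


def inspect_email(html: str) -> list:
    """(href, visible text, findings) for every link in an HTML message."""
    parser = _LinkExtractor()
    parser.feed(html)
    return [(href, text, inspect_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in inspect_email(CONSTRUCTED_EMAIL_HTML):
        print(f"{text!r:32} -> {href}\n    {findings or 'looks consistent'}")
```

The first sample link is the trick the article describes: the familiar name is there, but only as a subdomain of a domain the bank does not own, so the last two labels are what matter. The UPS link is the control case where text and target agree.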
Grant Burns, owner of the cybersecurity firm Bound Planet, says both the reach of the cybercrime world and expertise of its practitioners has evolved in a way that mirrors any successful business.
In the early days, cybercrooks were very often “script kiddies,” low-skilled individuals who preyed upon victims using prepared scripts written by others. Today, things have gotten more sophisticated.
“Now there’s a need to start thinking about what are called advanced persistent threats,” Burns says. “These are state-funded actors, extremely skilled, well-coordinated. They treat their cybercrime operations like a business themselves. You can have a lot of protections in place, and one of those entities can still harm your organization. So, I think about the ability to respond and recover. I’ve made a big push as of late to help people put together incident response plans, and then also dive further into their backups as well as business continuity disaster recovery.”
One of Burns’ top tips is a simple one: Have a good backup plan.
“Scrutinize your backup configuration, make sure it contains everything that’s critical to your business,” Burns says. “If a bad actor compromises your system, are they able to compromise your backups as well? If the answer is ‘yes,’ then you basically have no backup.”
Burns says any manufacturer that sees a cyberattack as an existential threat should consider immutable storage: backups written so that they cannot be altered or deleted for a set retention period, even with an administrator’s credentials, so an attacker who gets into the network cannot encrypt or wipe them.
“It means having your actual data separated so that, if there is a compromise of your system, they can’t touch your backups,” he says.
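Burns’s two questions, whether the backup actually contains everything critical and whether an intruder who reached the backup could change it unnoticed, can be checked rather than assumed. The following is an added illustration, not code from Bound Planet, L&M or any other company in this story. It builds a digest manifest of a backup, signs it with a key that is assumed to live on a separate verification host (never on the backup target), then verifies both coverage of a list of critical paths and integrity of every file. The files and the ransomware scenario are constructed in a temporary directory. This detects tampering; it does not prevent it, which is what immutable storage is for.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup artifacts fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (relative POSIX path) to its digest."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding. Assumption: the key is held on the
    verification host, never on the backup target, so an intruder there cannot forge it."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_backup(backup_root: Path, manifest: dict, signature: str,
                  key: bytes, critical: list) -> dict:
    """Is everything critical present, and has anything changed since signing?"""
    result = {"signature_ok": False, "missing": [], "modified": [], "ok": False}
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return result  # manifest replaced or edited without the key: stop here
    result["signature_ok"] = True
    current = build_manifest(backup_root)
    result["missing"] = sorted((set(critical) | set(manifest)) - set(current))
    result["modified"] = sorted(
        rel for rel, digest in manifest.items()
        if rel in current and current[rel] != digest
    )
    result["ok"] = not result["missing"] and not result["modified"]
    return result


def demo() -> dict:
    """Constructed scenario on a temporary directory standing in for a backup share."""
    key = os.urandom(32)  # assumption: generated and kept off the backup target
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "erp").mkdir()
        (root / "erp" / "orders.db").write_bytes(b"order data (constructed)")
        (root / "payroll.csv").write_text("employee,amount\n")
        critical = ["erp/orders.db", "payroll.csv"]

        manifest = build_manifest(root)
        sig = sign_manifest(manifest, key)
        clean = verify_backup(root, manifest, sig, key, critical)
        # Scope check: a critical system that was never added to the backup job.
        scope_gap = verify_backup(root, manifest, sig, key, critical + ["cad/drawings.zip"])

        # Ransomware that reached the share encrypts a file in place ...
        (root / "payroll.csv").write_bytes(b"\x00ENCRYPTED\x00")
        # ... and, lacking the key, can only re-sign a fresh manifest with a guess.
        forged = build_manifest(root)
        forged_sig = sign_manifest(forged, b"attacker-guess")
        forged_result = verify_backup(root, forged, forged_sig, key, critical)
        # If it leaves the signed manifest alone, the digest comparison catches it.
        tamper_result = verify_backup(root, manifest, sig, key, critical)
    return {"clean": clean, "scope_gap": scope_gap,
            "forged_manifest": forged_result, "modified_file": tamper_result}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the separate key is Burns’s “can they compromise your backups as well?” test: a manifest stored beside the backup and signed with a key the backup server also holds proves nothing once that server is owned.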
The China problem
John Norris doesn’t mince words when talking about the cyber threat potential from foreign countries.
“China’s stealing our data,” says Norris, owner of Atscott Manufacturing and Tower Solutions. “And they’ll get bits and pieces of whatever they can. They’re quite good at it, and they’ve been working at it for a while. I think the United States is behind schedule in pulling this stuff together and in securing and locking down data.”
This is why the Department of Defense has moved gradually in the last decade to, as Norris says, lock down data. For several years the governing rule has been the Defense Federal Acquisition Regulation Supplement, better known as DFARS, a Department of Defense contracting regulation whose cybersecurity clause requires contractors that handle sensitive unclassified defense information to implement the controls in NIST Special Publication 800-171, published by the National Institute of Standards and Technology. Under that system, companies that worked with any defense contractor were required to self-attest that they had met the requirements. Self-attestation required no proof or third-party review, leaving open the possibility that some manufacturers haven’t exactly met the spirit of the requirements (and that some may have done so knowingly, which is illegal).
The flaws in the self-attesting system led the Department of Defense to create the Cybersecurity Maturity Model Certification (CMMC). This system is built on third-party verification of compliance, which sharply reduces the room for a company to be dishonest in its self-attestation (and thus leave the Department of Defense’s supply chain exposed to cyberattacks).
The CMMC has been a hot topic among manufacturers. Not only will it force them to undergo a costly overhaul of their tech, but the date by which such an overhaul must be done keeps moving back. But now it seems the date, at least for now, has been set.
In late June, representatives from the Department of Defense hosted a webinar titled, “Countdown to CMMC Compliance.” Among the submitted questions: Given the fact that there are program CMMC details that are still in flux, should companies wait for the program to become finalized before moving forward with compliance measures?
The DoD’s response: “No, it’s not prudent to wait. NIST 800-171 has been in effect for a long time, and it’s better to be able to accurately report where your company is in terms of compliance with it. Full adoption of NIST 800-171 should have begun long ago.”
Norris is very well-versed in the world of Department of Defense contracts. Several years ago, Tower Solutions secured a $14.75 million contract with General Dynamics for 50 so-called “roll up” towers. The towers, installed along the U.S.-Mexico border, can be affixed with surveillance cameras.
Working with General Dynamics, the nation’s fifth largest defense contractor, not only gave Tower Solutions a substantial boost in business but it also gave Norris a comprehensive glimpse into the evolving world of working with Department of Defense contractors, including the complicated landscape of the CMMC.
“It’s not something where you can snap your fingers and it’s done in a short amount of time,” says Norris. “If you haven’t gotten started, and if you want to do work with the federal government, you better get yourself pulled in. And they better do it sooner than later because it’s not an easy process. It doesn’t take a rocket scientist to know that China is creeping up on us. And they’ll do whatever they can to get our technology.”
It’s one thing to demand that every manufacturer raise the security level of their tech to DoD standards. It’s quite another to pay for it.
Dave Hall at 3-D CNC, a Hutchinson-based precision machining company, says the cost to get compliant is going to run about $60,000.
The price tag is enough to make companies ask tough questions, such as: Is it worth it?
“We second guess that all the time at this point,” Hall says, “but I would say yes. We don’t have a choice. We’re going to have to keep this roadmap going.”
Tony Boogren, a project manager at Minnesota Tool & Die Works, says that by the time they fully upgrade their system to be CMMC compliant, they’ll have spent about $40,000.
The final cost of a tech upgrade that brings a manufacturer into compliance depends greatly on how much of the company’s environment actually stores or processes the data covered by the DoD contractor’s work, because only that part is in scope.
“If you can make that a smaller area of your business — like it only lives on a certain application or lives on our software as a service platform or maybe a couple of computers — your scope is smaller and therefore the things you have to do are minimized. That’s where that dollar range comes in.”
If, on the other hand, you’re a large manufacturer and need to completely lock down every piece of your tech…
“That’s where that can start to add up,” Burns says.
For companies that haven’t begun the process of upgrading, figures like $40,000, $60,000 or $100,000 may result in sticker shock. Things may get ugly as the October 2023 deadline approaches.
As it currently stands under the DoD’s self-assessment requirements, most companies aren’t even posting their NIST 800-171 self-assessment scores to the DoD’s Supplier Performance Risk System (SPRS). Of the 80,000 companies that should have scores on file with the DoD, only a quarter have done so. Of that 25%, only some have taken steps to get into compliance with CMMC requirements, which include sign-off by an accredited third-party assessor.
Such stringent requirements will likely result in the loss of small businesses in the DoD supply chain.
“My hope is that maybe it’ll throw more government contractors our way because they’ll find it harder and harder to find small businesses that are compliant,” Hall says. “That’s the big picture for me. Last word I got is that, of 80,000 companies in the U.S., only 25,000 are registered at this point. And probably only a fraction of that 25% are as far as we are.”
Minnesota Tool & Die Works has been working with Burns at Bound Planet. They’re in the process of implementing a comprehensive plan to upgrade their tech and bring them into CMMC compliance. Boogren says they are working on more than 100 of the CMMC’s requirements, and that it will take them two years to complete everything.
Boogren says he’s been monitoring the government oversight on cybersecurity, noting there wasn’t much enforcement over the past few years. But now that cyberattacks are becoming more common, he understands why the October 2023 date will most likely be adhered to, and that’s why they opted to move forward with a plan that will set them back about $40,000.
Eventually, the 2023 date is going to arrive. The odds of manufacturers not getting compliant in time are high. What will happen then?
Will the DoD make accommodations for manufacturers that haven’t made it to full compliance? Or will they shut down the defense industrial base because of cybersecurity requirements?
“They’ll have to pick their poison,” one industry expert says. “Do we want guns and missiles and airplanes, or do we want everybody to be compliant?”
Featured story in the Fall 2022 issue of Enterprise Minnesota magazine.