Zeo Information Security

Cybersecurity Compliance in Manufacturing: Problems and (a) Solution

Background
Cyber criminals are increasingly targeting manufacturing and the industrial sector at large. In 2024, ransomware attacks in the industrial sector rose by more than eighty percent [1]. Zeo Information Security understands that cybersecurity should not end at compliance. We believe compliance is, and should be, the first step for manufacturers to become secure in today's connected world.


The Problems
Regulatory Compliance
Today, manufacturers must meet regulatory requirements if they want to win government contracts or operate internationally. In manufacturing these include, to list a few, the International Traffic in Arms Regulations (ITAR), the Federal Acquisition Regulation (FAR) [2], and the Cybersecurity Maturity Model Certification (CMMC) [3].
Because requirements change and overlap, this can quickly become overwhelming and lead to losses if a manufacturer is not prepared. For example, the DoD web page describing CMMC still refers to NIST SP 800-171 Rev 2, while NIST has since released NIST SP 800-171 Rev 3.
Where to Start
Another problem we see is that manufacturers do not know where to start. Most manufacturers do not have the necessary cybersecurity skills on staff, and the staff they do have are primarily there to run operational technology, not cybersecurity.
Operational technology and legacy systems do not make compliance any easier, and many manufacturers, quite frankly almost all of them, rely on this equipment to run operations.
Cost
Perhaps the biggest problem, in our eyes, is cost. Several sources report assessment costs reaching six figures (wtf?) [4] [5]. This is far too much.

A Solution
Begin by understanding your current infrastructure. Parts of it may not need to comply with the regulations at all. Once you know where regulated data lives, the rest of the journey becomes much easier.
NIST Special Publication 800-171 will be your friend. Its controls overlap with the requirements of FAR, ITAR, and CMMC. Even where a compliance framework does not reference it directly, the framework's security controls can be mapped to the NIST SPs.
Fortunately, NIST, CISA, and the CMMC program provide self-assessment tools that help you see which cybersecurity controls you have in place and which you lack.
After you have conducted your own self-assessment of your infrastructure, we recommend taking the highest-priority, highest-risk gap and aligning it with NIST SP 800-171. Then continue implementing the remaining security controls in order of priority and risk.
When a security control requires software, we recommend looking at open-source software first for noncritical operations. In a previous blog post, we recommended using spreadsheet software for asset management! Sometimes you will need fancier tools, though. You know your infrastructure better than we do.
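As an added illustration (not code from the original post or from Zeo), the scoping and prioritization steps above in a small Python script: it reads a constructed asset inventory to find where regulated data lives, then ranks a constructed self-assessment of NIST SP 800-171 controls by risk and implementation gap. The weights, the sample rows and the paraphrased control labels are our assumptions, not a published scoring method.

```python
"""Scope the environment to where regulated data lives, then rank control gaps."""
import csv
import io

# Constructed sample asset inventory (not a real site). 'cui' marks assets
# that store or process regulated data; only those are in compliance scope.
ASSETS_CSV = """asset,zone,cui
erp-db-01,office,yes
cad-ws-07,engineering,yes
plc-line-3,shop-floor,no
hmi-line-3,shop-floor,no
fileshare-01,office,yes
"""

# Constructed self-assessment: NIST SP 800-171 control id, a paraphrased
# label, implementation status, and the assessor's own risk rating.
ASSESSMENT_CSV = """control,label,status,risk
3.1.1,Limit system access to authorized users,implemented,high
3.5.3,Multifactor authentication,not_implemented,high
3.14.1,Identify and correct system flaws,partial,high
3.8.3,Sanitize media before disposal,not_implemented,medium
3.3.1,Create and retain audit logs,partial,medium
3.13.11,FIPS-validated cryptography,not_implemented,low
"""

# Assumed weights: how much a gap matters, and how far a control is from done.
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}
STATUS_GAP = {"not_implemented": 2, "partial": 1, "implemented": 0}


def in_scope_assets(csv_text: str) -> list[str]:
    """Return the assets that hold regulated data, i.e. the compliance boundary."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["asset"] for r in rows if r["cui"].strip().lower() == "yes"]


def prioritized_gaps(csv_text: str) -> list[tuple[str, int]]:
    """Rank unmet controls by risk weight x implementation gap, highest first."""
    rows = csv.DictReader(io.StringIO(csv_text))
    scored = []
    for r in rows:
        score = RISK_WEIGHT[r["risk"].strip()] * STATUS_GAP[r["status"].strip()]
        if score > 0:  # fully implemented controls drop out of the backlog
            scored.append((r["control"], score))
    return sorted(scored, key=lambda cs: (-cs[1], cs[0]))


if __name__ == "__main__":
    print("In-scope assets:", ", ".join(in_scope_assets(ASSETS_CSV)))
    for control, score in prioritized_gaps(ASSESSMENT_CSV):
        print(f"{control:8} score={score}")
```

The output is the ordered backlog the post describes: start with the top row, align it with NIST SP 800-171, then work down the list.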


Fin
Cybersecurity compliance is the foundation for protecting manufacturers in today’s connected world, but it should not come at the expense of financial sustainability. By starting with a thorough self-assessment, manufacturers can build robust security programs without excessive costs. At Zeo Information Security, we are committed to empowering manufacturers with practical, affordable solutions. Our ongoing blog series aims to provide actionable guidance to help you navigate compliance challenges. We offer a complimentary risk assessment to identify your next steps. Together, we can create a secure, compliant, and thriving manufacturing sector.


1. Dragos, OT/ICS Cybersecurity Report, page 5, dragos[.]com

2. Acquisition, Basic Safeguarding of Covered Contractor Information Systems, 52.204-21, acquisition[.]gov

3. U.S. Department of Defense, About CMMC, defense.gov

4. GoldSky Security, Estimated Costs Associated with NIST 800-53 and NIST 800-171 Security Risk Assessments, goldskysecurity[.]com

5. National Institute of Standards and Technology, Request for Comments on Draft NIST Special Publication (SP) 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – Enhanced Security Requirements for Critical Programs and High Value Assets, nist[.]gov