Government Contractors and Military

Cybersecurity for Government Contractors and Military

The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) recognizes that security is foundational to acquisition and should not be traded along with cost, schedule, and performance moving forward. The Department is committed to working with the Defense Industrial Base (DIB) sector to enhance the protection of controlled unclassified information (CUI) within the supply chain. OUSD(A&S), working with DoD stakeholders, University Affiliated Research Centers (UARCs), Federally Funded Research and Development Centers (FFRDC), and industry, developed the Cybersecurity Maturity Model Certification (CMMC) framework.

The CMMC will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced. For a given CMMC level, the associated controls and processes, when implemented, will reduce risk against a specific set of cyber threats.

The CMMC effort builds upon existing regulation (DFARS 252.204-7012) that is based on trust by adding a verification component with respect to cybersecurity requirements. The goal is for CMMC to be cost-effective and affordable for small businesses to implement at the lower CMMC levels.

Authorized and accredited CMMC Third Party Assessment Organizations (C3PAOs) will conduct assessments and issue CMMC certificates to Defense Industrial Base (DIB) companies at the appropriate level. The U.S. Federal Government has published Post-Pandemic National Security Action Items under the oversight of the United States Department of Defense (DoD) Instructions & Cybersecurity Maturity Model Certification (CMMC). DOD is migrating to the new CMMC framework to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). Need to obtain your CMMC certification? USA Cybersecurity can help with CMMC readiness today.

The CMMC will serve as the most current verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks. All Government contractors will be required to follow CMMC guidelines. USA Cybersecurity provides everything needed to be compliant and pass the CMMC assessments.

The following outlines a three step process to protect your organization from online threats. Built to defend your networks, our services meet the highest standards and provide your business with the required reporting needed for contract compliance and peace of mind.

3 Step Cybersecurity Plan   

2. Penetration Testing
Def. Penetration testing is a type of security testing used to uncover vulnerabilities, threats and risks that an attacker could exploit in networks, software or web applications. Common vulnerabilities include network design errors, configuration errors and software bugs. Our Penetration Testing service tests your network often so you can stay compliant and prove diligence in securing your online presence.

• Detect and safely exploit vulnerabilities
• Identify paths attackers can use to breach your network
• Quantify the risk to your systems
• Manage your network resources more efficiently to better defend data and equipment
• Continually combat the existence of critical vulnerabilities throughout your network
• Use the most up-to-date cyber security library of multi-platform exploits to defend your network

3. Social Engineering Testing
Def. Social engineering is the art of exploiting human psychology and the manipulation of people, rather than technical hacking techniques, to gain access to buildings, computer systems, devices and your data. Bad actors are brazenly targeting organizations through highly complex official looking and sounding communications. Organized hackers invest in significant amounts of research to target specific people and many of their targets are falling prey to these false requests.

• Our Social Engineering services tests your employees to see if they take our network compromising bait
• We identify who in your organization needs basic Social Engineering security training

Government contractors are vulnerable to cyberattacks 
Government contractors store and transmit government and sensitive information through digital access points within their primary and remote locations. Although many types of cyber crimes are perpetrated against U.S. businesses, Government Contractors are most vulnerable to social engineering attacks and ransomware:

• Software virus that damages or disables computers
• Email phishing scams, resulting in financial or information loss
• Human error by a well-intentioned employee
• Ransomware incident
• Electronic fraud or misrepresentation of information for financial gain

Don't become a victim: Secure your networks today
Government Contractors have hundreds of digital access points that need securing within primary and network locations. USA Cybersecurity can help to secure your location with: Vulnerability Scanning, Penetration Testing and Social Engineering. Each of your networks manage multiple internet-connected computers, mobile devices, VIOP phones, servers, check and credit card processing, various apps and appliances. Cyber attacks can come from anywhere on your network, literally.  The Internet of Things (IoT) allows remote access to your networks. A lot of items are connected, even things you do not normally think about: Computers, Accounting, Apps, Phones, Heating and Air Conditioning (HVAC), garage doors, microwaves and even light switches. 

Government Contractors and Cybersecurity
Cybersecurity is now a requirement. Small businesses do not have the resources for 24-hour cybersecurity monitoring — or the expertise to continually navigate new daily threats. USA Cybersecurity will work with your organization to implement and maintain a cyber plan, educate staff and conduct regular vulnerability and penetration tests within your network. Our testing discovers vulnerabilities in your network prior to a bad actor getting in and stealing data, infecting the network, holding it for ransom or just destroying it for the sake of cyber vandalism or planned revenge.  Your organization can do these tests with your in-house IT staff or you can hire USA-Cybersecurity to protect your networks.

The new Internet of Things (IoT)

Internet of Things 
When talking about Internet of Things (IOT), we are talking about smart refrigerators, fitness trackers, home security cameras you can monitor from your phone, and a myriad of other smart devices. The enterprise-grade counterpart of IOT is the Industrial Internet of Things (IIoT), The IIot is perhaps even more impressive, offering game-changing potential through the power of connected machines, sensors, and devices.

Industrial Internet of Things 
IIoT is a subcategory of IoT that refers to the use of automated, interrelated sensors, devices, and machinery to drive operational efficiency at an industrial scale.
IIoT focuses heavily on machine-to-machine (M2M) communication, machine learning, and big data, all of which enable organizations to unlock access to unprecedented amounts of data and rapidly extract insights. The IIoT encompasses a broad range of industrial-grade applications, from AR devices and connected, collaborative robots, to medical devices, inventory tracking, and predictive maintenance.

Most IIoT definitions state that these systems are characterized by a connection between the cyber and the physical, or, information technology (IT) and operational technology (OT). The IIoT is part of the larger IoT ecosystem. The ecosystem consists of a network of devices, computers, and objects that collect and transmit data and then send that data to the cloud. The data is then aggregated with other data and managed with software. Most IIoT systems require data-sharing between multiple devices across several networks including both the cloud (like traditional IoT applications) and the Edge. Edge computing optimizes the sensors, computers, and devices used in an IIoT system, bringing the computing closer to the network edge of those items actively producing data for faster processing. With IIoT, organizations can capture real-time insights and act at in-the-moment while captured data can be sent to a centralized cloud system for later analysis. This high-speed processing also allows companies to spot security threats real-time, thus reducing points of failure in the system.

IIoT versus IoT
While the IIoT falls under the general IoT umbrella, there are a few differences between the two technologies. The key difference is that IIoT focuses on connecting machines and devices in industries like manufacturing, healthcare, and logistics, while IoT is generally used to describe consumer-level devices like Fitbits and the whole range of smart home devices from Ring video doorbells to thermostats and refrigerators.

In addition to the business versus consumer distinction, IIoT is a much more robust than IoT due to its massive scale. When an IIoT system fails, downtime can result in life-threatening situations or major financial losses. While personal IoT devices come with privacy concerns, such as issues about data collection and consent, it is unlikely that failure results in a true emergency situation.

What are the Potential Risks of Adopting IIoT Systems? While a long list of transformative benefits quickly makes the case for IIoT adoption, it is not without risk Transformations are expensive, difficult, and can potentially introduce cyber threats resulting in possible breaches. Below are some of the possible risks that organizations must prepare for when converting to a smart factory:

Security Threats
Many security problems associated with IIoT can be traced back to a lack of basic security. The most common examples: exposed ports, obsolete software applications, or poor authentication practices. Because of this lack of basic security, there are network vulnerabilities providing direct and easy access to the entire system. Additional potential threats are caused when IIoT systems combine IT systems with operational technology (OT). This means security threats move beyond the typical implications of cyberattacks: financial losses, data breaches, reputation damage, etc. Attacks in the cyber-world are directly connected to real-world outcomes that have the potential to cause to threaten human lives. Data Integration One of the biggest roadblocks to IIoT adoption is data integration. In the context of a factory, systems e might encompass thousands of connected sensors and devices, new equipment and software systems, as well as legacy machinery. Adopting connected smart devices allows organizations to collect more data, poor implementation can easily lead to chaos. For example, sensors made from different manufacturers may have different software requirements, making it difficult to analyze data on a holistic level. There is also an issue when older equipment wasn’t designed to collect data, much less format collected data in the same way..

High Cost of Adoption
There is also the financial aspect of adoption to consider. Organizations preparing for the transition will need to invest in new software, hardware, and equipment. Another consideration is the costs associated with training the existing workforce and hiring new staff, as well as the amount of time it takes to get those workers at full productivity. In the long term, IIoT more than pay for itself; however, many organizations are understandably concerned about the upfront costs associated with transitioning to a new system..

Lack of Expertise
IIoT demands expertise in areas that traditionally have not been part of manufacturing, logistics, or energy sectors. These new technologies require expertise in machine learning, data science, and real-time analytics.

Benefits of IIoT in Manufacturing and Beyond
According to the Microsoft IoT Signals report, 56% of companies adopt IIoT solutions for operations optimization, 47% cite workforce productivity as their primary use case, and 44% said that safety and security were the driving force behind adoption. A report from Dell found that 49% of manufacturers have achieved improved process performance, while 33% say that they have made improvements to their asset utilization. Another 36% of respondents report reductions in downtime. While manufacturing is clearly leading the charge when it comes to adoption of IIoT, other industries are embracing the benefits of IIoT, as well. Here are a few examples that share similar process driven environments:

• Pharmaceuticals. The pharmaceutical automation company Parata Systems uses several IIoT technologies to identify the potential uses of its products and their impact on end-users, and even makes predictions about how those products will perform.
• Agriculture. IIoT is changing the game for agriculture.. Interconnected sensors can be used to reduce water waste, monitor crops and livestock, track weather patterns to plan for the best possible yields, manage equipment, and more.
• Retail. According to the Microsoft “Spotlight on Retail” report, retailers are embracing a wide range of IIoT applications. Among adopters, 57% use IoT for store analytics, 48% for supply chain optimization, 46% say security, and 45% for loss prevention.
• Mining. IIoT is even shaking up mining. This case study looks at how Dundee Precious Metals used IIoT technologies to increase production by 400%, while creating a safer, knowledge-based workflow.
• Oil and Gas. Like the manufacturing industry, oil and gas companies use IoT sensors to manage equipment and predict breakdowns. Additionally, sensors can detect hazards like gas leaks to prevent injury or death..

The Role of IIoT in Your Business
The transformative benefits of IIoT are reshaping industries like manufacturing, transportation, and agriculture. These industries, in recent years, have lagged behind other sectors in technology usage. The cost of sensors and analytics software is beginning to fall, while the pressure to increase efficiency is on the rise. Done right, an IIoT can help organizations optimize their production processes, make data-driven decisions, and drive revenue like never before.

Industrial Internet of Things (IIoT) Cybersecurity
Defending the Internet of Targets Organizations are becoming increasingly reliant on adopting Industrial Internet of Things (IIoT) technologies that allow them to ramp up productivity and make smarter business decisions. While enterprises can benefit significantly from connected environments, IIoT adopters are uniquely susceptible to cyberattacks based on a few key factors. For one, more connected endpoints mean more opportunities for cybercriminals to gain entry into industrial systems. Another issue causing concern is operational equipment being adapted toward use cases they were never designed to do Vulnerable communications protocols and software-hardware configurations that vary considerably between organizations and industries are a main concern.

Safely Embracing the Industrial Internet of Things
Eager to tap new revenue streams hiding in unstructured data, businesses across a range of sectors are implementing IoT devices into their existing systems. However, every time a new device is integrated into the system, the threat surface expands, opening up new entry points attackers can exploit. According to a report from Palo Alto Networks, 98% of IoT traffic is unencrypted and nearly 60% of devices are vulnerable to moderate to severe cyber-attacks.

Some of the key considerations involved in establishing a successful industrial internet of things cybersecurity plan; Security Considerations for the IIoT Cybersecurity Challenge o Potential Human Impacts. Because IT-OT convergence is a defining characteristic of IIoT systems, cybersecurity now extends into the physical world. Industrial IoT security requires organizations to consider how cyberattacks can result in public safety risks or things like grid outages that impact entire communities.

Murky Regulatory Guidance 
Currently there is no official policy defining how IoT data can be collected, accessed, and shared. Because of this, organizations will need to develop a strategy that ensures adherence to personal privacy protection as well as industry-specific data management regulations.

Data Management
Sensors can be embedded in just about anything, allowing organizations to collect information on a massive scale. Organizations will need to develop plans for securely managing sensitive information, including how to efficiently process and store the torrent of data without causing latency issues.

Interoperability Challenges
Industrial IoT ecosystems are typically composed of multiple devices including software, hardware, and legacy equipment that were not originally designed to work together. This leaves a lot of room for configuration errors, which could potentially compromise the entire system.

Industrial IoT Systems Security
IIoT cybersecurity is critical for organizations because the consequences of inadequate security could have devastating real-world outcome. While any data breach or ransomware attack can cause significant losses for a company, the impact is mainly financial or reputation. Companies may receive a fine And they will issue an apology along with outlining the steps they will take to protect customers in the future. With OT systems,, a cyber-attack can result in physical consequences, with effects that ripple throughout entire communities. Here are a few possibilities:

Cyber terrorism
Attacks from terrorist groups or outside governments may sound far-fetched, but these are real threat sto the OT sector. These types of attacks are often carried out by sophisticated cybercriminals and are aimed at critical infrastructure. o IP Leakage. Vulnerable IIoT systems could open the door to risks such as IP leakage, enabling the theft of trade secrets or sensitive data.

Production Sabotage 
In manufacturing facilities, vulnerable systems can introduce the threat of production sabotage. Attacks might target robots, putting workers at risk or an attacker might introduce defects in the production line by tampering with production logic. Attackers may also alter products, then demand ransom to prevent defective products from hitting consumer markets.

IIoT is Difficult to Secure
The IIoT presents some unique security challenges The same characteristics that drive its transformative benefits are also the source of its biggest threats. IIoT systems can be spread across several locations, each with hundreds or thousands of connected devices exchanging massive amounts of data,

Legacy OT Equipment and Software
As demand for operational data continues to rise, many organizations are outfitting legacy machinery with IIoT sensors without implementing proper security protections. Many of these machines operate using outdated software and old hardware components with known vulnerabilities. The big challenge, is companies patching is not always possible for these machines, while upgrading require pausing production cycles, thus causing long periods of downtime. Backdoors leftover from previous breaches often go unnoticed, leaving systems vulnerable to threats like WannaCry ransomware attacks.

Incorrect Authentication Practices
Poorly-configured sessions and lax user authentication allow attackers to steal credentials such as user names, passwords, and keys, as well as take control over user accounts to hack into other parts of the system. In a converged OT-IT system, attackers can leverage credentials from IT environments to target OT infrastructure.

Interoperability
IIoT systems are made up of a collection of sensors, software, equipment, and hardware, all of which are configured based on industry requirements and tailored to the unique operations needs of the company. This presents two significant challenges: getting the disconnected systems to work together and securing all endpoints. Just one improperly configured connection can put the entire system at risk. Many organizations use proprietary software which can be difficult to patch, update, and monitor for threats. This leaves the network vulnerable to attacks.

Vulnerable OT Communication Protocols
In order to capture valuable data, many enterprises have made OT technologies like sensors, controllers, and actuators part of the smart factory. While protocols monitor, control, and connect physical processes within the production line, they were not designed to detect cyber threats or authenticate user credentials. Attackers have become increasingly aware of the vulnerability of legacy protocols. They are using tactics like self-propagating worms and peer-to-peer C2 communications to target IoT devices to disrupt critical processes.

Disconnect Between OT and IT
In many organizations, the IT and operations teams operate as separate entities with little contact with one another. IT teams focus on managing data flow and assets like computers, printers, and network equipment, whereas OT manages industrial machines and physical processes. The challenge is, without IT-OT convergence, cultural differences, data silos, and a whole new set of considerations for both groups can stand in the way of implementing and monitoring security controls.

We recommend that operations teams work closely with an IT pro experienced in IIoT adoption
More Connectivity, More Risk According to a 2019 Ponemon Institute report, 90% of organizations using OT solutions fell victim to a cyberattack within the last 2 years. Interestingly, 20% of those surveyed believed that they had enough visibility into their attack surface to act on incoming threats. For organizations considering adoption, it is critical to understand you will be attacked sooner or later. To stay ahead of an attack, , organizations must map out the entire attack surface and perform a comprehensive evaluation to understand the level of risk. From there, create a plan to transfer, reduce, and prevent each potential threat.

Look Toward OWASP Standards
|For a better sense of threats you will need to consider, we recommend the Open Web Application Security Project (OWASP) list of Top 10 Vulnerabilities. OWASP is a non-profit group that offers unbiased cybersecurity information and guidance. Compliance with the standards outlined below will help you address vulnerabilities that are most likely to be exploited.

What to look out for:

1. Weak, Easy-to-Guess Passwords
2. Insecure Network Services
3. Insecure Ecosystem Interfaces
4. Lack of Secure Update Mechanism. 
5. Use of Outdated or Insecure Components
6. Insufficient Privacy Protection
7. Insecure Data Transfer and Storage
8. Lack of Device Management
9. Insecure Default Settings
10. Lack of Physical Hardening

Setting IIoT cybersecurity policies based on the OWASP list is a great starting point when it comes to reducing the threats to your system.

Best Practices for Maintaining Industrial Internet of Things Security
While there is no official set of “rules” for ensuring your industrial IoT system stays secured, we typically recommend that organizations work with IT experts to adapt the Center for Internet Security (CIS) 20 Critical Cybersecurity Controls to your IoT infrastructure.

The CIS Controls center around the following five core principles:

1. Offense informs defense. Draw lessons learned from real-world attacks that have compromised systems in the past. Use that information to build a foundation based on proven, practical defenses, including only those controls that have been shown to stop known real-world attacks.
2. Prioritization. You’ll want to start securing your system by first implementing the controls that address your biggest threats and can be implemented in your existing environment successfully.
3. Establish Key Metrics. Establish a unified set of metrics shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.
4. Continuous Monitoring. Continuously monitor and test IIoT cybersecurity solutions to measure their effectiveness and identify new areas that can be improved.
5. Automate Where Possible. Automate cyber defenses where possible. This will help ensure that reliable, scalable, and continuous measurements of their adherence to the Controls and related metrics.

We recommend downloading the full report for a deep dive into all controls. Below shows how CIS breaks them down, organizing them into three categories–basic, foundational, and organizational.

1- Basic

• Inventory & Control of Hardware Assets
• Inventory and Control of Software Assets
• Continuous Vulnerability Management
• Controlled Use of Admin Privileges
• Secure Configuration for all Hardware and Software Across All Devices
• Maintenance, Monitoring, and Analysis of Audit Logs

2- Foundational

• Establish Email and Browser Protections
• Set Up Malware Defenses
• Set Limits and Controls of Protocols, Ports, and Services
• Implement Data Recovery Solutions
• Secure Configuration for Network Devices
• Boundary Defense
• Data Protection
• Control Access on a Need to Know Basis
• Establish Wireless Access Control
• Account Monitoring and Control

3- Organizational

• Develop and Implement Security Awareness and Training Initiatives
• Application Software Security
• Incident Response and Management
• Penetration Testing & Red Team Exercises

Government Contractor next steps
As the IIoT continues to gain momentum, enterprises need to consider security threats coming from all endpoints and take steps to protect themselves from harmful and potentially life-threatening cyberattacks. Contact USA Cybersecurity today. More information on Supervisory Control and Data Acquisition (SCADA) can be found HERE.