Cross Walk
Cybersecurity Needs
Overlapping Cybersecurity Needs in Manufacturing
In the diverse world of manufacturing, where processes range from traditional assembly lines to cutting-edge 3D printing and everything in between, it might seem like each type of manufacturing is a world unto itself. However, beneath the surface, they all share a common thread – the pressing need for robust cybersecurity.
Whether you’re shaping metals in a foundry, stitching together textiles in a textile mill, or even producing high-tech gadgets in a modern semiconductor fab, the importance of safeguarding sensitive data and operational systems is universal. In today’s interconnected world, where data breaches and cyberattacks pose significant threats, manufacturers must adapt to the ever-evolving landscape of cyber threats.
Cross Walk Information
AC.L1-3.1.22
Control Public Information
Control information posted or processed on publicly accessible information systems.
Scrub websites and other publicly facing information to make sure no private information is posted publicly.
Example
Your company decides to start issuing press releases about its projects in an effort to reach more potential customers. Your company receives FCI from the government as part of its DoD contract. Because you recognize the need to manage controlled information, including FCI, you meet with the employees who write the releases and post information to establish a review process [c]. It is decided that you will review press releases for FCI before posting it on the company website [a,d]. Only certain employees will be authorized to post to the website [a].
References
-NIST SP 800-171r2 Page 28 3.1.22 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-ANSI/ISA-62443-4-1-2018: 10.6 Breach Reporting to the Public
-NIST SP 800-82r3 6.4.2 Public information regarding incident response and breach reporting to the public
SI.L1-3.14.5
System & File Scanning
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Scan storage and information systems for malware as well as any files from external sources.
Example
You work with your company’s email provider to enable enhanced protections that will scan all attachments to identify and quarantine those that may be harmful prior to a user opening them [c]. In addition, you configure antivirus software on each computer to scan for malicious code every day [a,b]. The software also scans files that are downloaded or copied from removable media such as USB drives. It quarantines any suspicious files and notifies the security team [c].
References
-ANSI/ISA-62443-4-1-2018 9.4, 9.6 Scanning for vulnerabilities
-NIST SP 800-171r2 3.14.5
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-82r3 E.2.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
-NIST SP 800-82r3 6.3.2.
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
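The practice above asks for two things: periodic scans of storage and real-time scans of files arriving from external sources, with suspicious files quarantined and the security team notified. The following is an added example (not code from the page or from any cited standard) showing the mechanics in Python: each file in an "incoming" folder (a downloads directory or a mounted USB drive) is hashed and compared against a signature set, and matches are moved into a quarantine directory and reported. The signature set, file names and file contents are all constructed for the demonstration; a real deployment would load vendor signatures and hook the scan into download and mount events.

```python
"""Hash-based scan of newly arrived files with quarantine (added example, constructed data)."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Constructed "signature" set: SHA-256 digests of known-bad file contents.
# A real deployment would load vendor-supplied signatures instead.
KNOWN_BAD_HASHES: Set[str] = {
    hashlib.sha256(b"constructed malicious sample #1").hexdigest(),
}


def sha256_of_file(path: Path) -> str:
    """Stream the file in chunks so large downloads do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_file(path: Path, bad_hashes: Set[str], quarantine_dir: Path) -> Dict[str, str]:
    """Scan one file from an external source and return the verdict.
    A file whose digest matches a signature is moved out of reach into quarantine."""
    digest = sha256_of_file(path)
    if digest in bad_hashes:
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        dest = quarantine_dir / (path.name + ".quarantined")
        shutil.move(str(path), str(dest))
        return {"file": path.name, "sha256": digest, "verdict": "quarantined", "location": str(dest)}
    return {"file": path.name, "sha256": digest, "verdict": "clean", "location": str(path)}


def scan_directory(incoming: Path, bad_hashes: Set[str], quarantine_dir: Path) -> List[Dict[str, str]]:
    """Periodic scan: check every regular file in the incoming folder (downloads, USB mount, ...)."""
    results = []
    for entry in sorted(incoming.iterdir()):
        if entry.is_file():
            results.append(scan_file(entry, bad_hashes, quarantine_dir))
    return results


def notify_security_team(result: Dict[str, str]) -> str:
    """Build the alert text; a real deployment would send it to a ticketing system or SIEM."""
    return (f"ALERT: {result['file']} quarantined "
            f"(sha256={result['sha256'][:12]}...) at {result['location']}")


def demo() -> Dict[str, object]:
    """Create a constructed incoming folder, scan it, and summarise what happened."""
    workdir = Path(tempfile.mkdtemp(prefix="scan-demo-"))
    incoming = workdir / "incoming"
    quarantine = workdir / "quarantine"
    incoming.mkdir()
    # Constructed sample files: one harmless document, one matching the signature set.
    (incoming / "invoice.pdf").write_bytes(b"%PDF-1.4 constructed harmless document")
    (incoming / "setup.exe").write_bytes(b"constructed malicious sample #1")

    results = scan_directory(incoming, KNOWN_BAD_HASHES, quarantine)
    alerts = [notify_security_team(r) for r in results if r["verdict"] == "quarantined"]
    summary = {
        "verdicts": {r["file"]: r["verdict"] for r in results},
        "remaining_in_incoming": sorted(p.name for p in incoming.iterdir()),
        "in_quarantine": sorted(p.name for p in quarantine.iterdir()) if quarantine.exists() else [],
        "alerts": alerts,
    }
    shutil.rmtree(workdir)
    return summary


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Hash matching is deliberately the simplest detection model; the point of the example is the workflow the practice requires (scan on arrival, isolate on match, notify), which stays the same when the matching engine is a commercial antivirus product.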
SC.L1-3.13.5
Public-Access System Separation
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Decide which devices belong on which network and system. Manufacturing equipment should be on its own network, as should office networks, guest networks, and web servers.
Example
The head of recruiting at your company wants to launch a website to post job openings and allow the public to download an application form [a]. After some discussion, your team realizes it needs to use a firewall to create a perimeter network to do this [b]. You host the server separately from the company’s internal network and make sure the network on which it resides is isolated with the proper firewall rules [b].
References
-NIST SP 800-171r2 3.13.5
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-ANSI/ISA-62443-3-2-2020 4.4.2
-NIST SP 800-82r3 6.2.1.1 Logical Access Controls
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
-ANSI/ISA-62443-3-2-2020 4.7.5
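The example above describes a perimeter network for the public web server plus separate networks for manufacturing, office and guest devices, enforced by firewall rules. The block below is an added illustration, not part of the page or of any cited standard, that models that design in Python: four constructed subnets, an ordered allow/deny rule list with a default deny, a flow evaluator, and a static audit that flags any allow rule from an untrusted zone (internet, guest, DMZ) into an internal zone regardless of where it sits in the list. All addresses, ports and rules are assumptions chosen for the demonstration.

```python
"""Zone-based segmentation policy for a small manufacturer (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan: one subnet per zone, one zone per kind of system.
ZONES = {
    "manufacturing": ipaddress.ip_network("10.10.0.0/24"),  # PLCs, HMIs, CNC controllers
    "office": ipaddress.ip_network("10.20.0.0/24"),         # staff workstations
    "guest": ipaddress.ip_network("10.30.0.0/24"),          # visitor Wi-Fi
    "dmz": ipaddress.ip_network("10.40.0.0/24"),            # public web server (perimeter network)
}
INTERNAL_ZONES = {"office", "manufacturing"}
UNTRUSTED_ZONES = {"internet", "guest", "dmz"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# Constructed firewall policy: first matching rule wins, anything unmatched is denied.
RULES: List[Rule] = [
    Rule("internet", "dmz", 443, "allow"),          # the public reaches the job-postings site over HTTPS
    Rule("office", "dmz", 443, "allow"),            # staff reach the site the same way
    Rule("office", "dmz", 22, "allow"),             # admins manage the server from the office network
    Rule("dmz", "office", None, "deny"),            # the DMZ host never initiates into internal networks
    Rule("dmz", "manufacturing", None, "deny"),
    Rule("guest", "office", None, "deny"),
    Rule("guest", "manufacturing", None, "deny"),
    Rule("guest", "internet", None, "allow"),
    Rule("office", "manufacturing", 502, "allow"),  # engineering reaches PLCs over Modbus/TCP only
    Rule("office", "internet", None, "allow"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; unrouted private space is 'unknown' and gets default-denied."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet" if addr.is_global else "unknown"


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Evaluate one flow against the ordered policy and explain the decision."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in RULES:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action == "allow", f"{src}->{dst}:{dst_port} {rule.action} (explicit rule)"
    return False, f"{src}->{dst}:{dst_port} deny (default)"


def isolation_violations(rules: List[Rule]) -> List[Rule]:
    """Static check: an allow rule from an untrusted zone into an internal zone breaks the
    separation this practice requires, whatever its position in the ordered list."""
    return [r for r in rules
            if r.action == "allow" and r.src_zone in UNTRUSTED_ZONES and r.dst_zone in INTERNAL_ZONES]


if __name__ == "__main__":
    for flow in [("1.2.3.4", "10.40.0.10", 443), ("10.40.0.10", "10.20.0.5", 445),
                 ("10.30.0.7", "10.10.0.3", 502), ("10.20.0.5", "10.10.0.3", 502)]:
        print(is_allowed(*flow)[1])
    print("violations:", isolation_violations(RULES))
```

The static audit is the part worth keeping around: it catches a rule that would reconnect the DMZ or guest network to the plant floor even when an earlier deny happens to shadow it today, which is exactly the kind of drift that undoes a separation that was correct when the server was first deployed.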
PE.L1-3.10.5
Manage Physical Access
Control and manage physical access devices.
References
-ANSI/ISA-62443-3-2-2020 4.7.3-4.7.5
-NIST SP 800-171r2 3.10.5
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-82r3 2.3.6
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
PE.L1-3.10.4
Physical Access Logs
Maintain audit logs of physical access. Keep a log of who accesses which areas and devices so that it is available in case of a failure or of unauthorized access.
Example
You and your coworkers like to have friends and family join you for lunch at the office on Fridays. Your small company has just signed a contract with the DoD, however, and you now need to document who enters and leaves your facility. You work with the reception staff to ensure that all non-employees sign in at the reception area and sign out when they leave [a]. You retain those paper sign-in sheets in a locked filing cabinet for one year. Employees receive badges or key cards that enable tracking and logging access to company facilities.
References
-NIST SP 800-171r2 3.10.4
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-82r3 2.3.6
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
PE.L1-3.10.3
Escort Visitors
Escort visitors and monitor visitor activity. Any non-employee must be monitored with an authorized employee at all times.
Example
Coming back from a meeting, you see the friend of a coworker walking down the hallway near your office. You know this person well and trust them, but are not sure why they are in the building. You stop to talk, and the person explains that they are meeting a coworker for lunch, but cannot remember where the lunchroom is. You walk the person back to the reception area to get a visitor badge and wait until someone can escort them to the lunchroom [a]. You report this incident and the company decides to install a badge reader at the main door so visitors cannot enter without an escort [a].
References
-NIST SP 800-171r2 3.10.3
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
PE.L1-3.10.1
Limit Physical Access
Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Use fences, walls, and barriers to prevent unauthorized access to an area. Make sure that the people with physical access to machines actually need that access to do their jobs; an office worker does not need access to a Fanuc robot arm. Require key card access, PIN access, or a fingerprint scanner before granting entry.
Example
You manage a DoD project that requires special equipment used only by project team members [b,c]. You work with the facilities manager to put locks on the doors to the areas where the equipment is stored and used [b,c,d]. Project team members are the only individuals issued with keys to the space. This restricts access to only those employees who work on the DoD project and require access to that equipment.
References
-NIST SP 800-171r2 3.10.1
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-ANSI/ISA-62443-3-2-2020 3.1.16, 3.1.25, 4.4.3.1, 4.7.5.1, 4.76
-ANSI/ISA-62443-4-1-2018 3.1.7, 6.2.2, 6.5, 7.2.1
-NIST SP 800-82r3 2.3.6. Physical Access Control Systems
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
-NIST SP 800-82r3 6.2.1.1 Least Privilege
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
MP.L1-3.8.3
Media Disposal
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Any old storage devices, including hard drives, flash drives, SSDs, and computers, must be properly and completely destroyed to prevent the disclosure of information.
Example
As you pack for an office move, you find some old CDs in a file cabinet. You determine that one has information about an old project your company did for the DoD. You shred the CD rather than simply throwing it in the trash [a].
References
-ANSI/ISA-62443-4-1-2018 7.2.2
-NIST SP 800-171r2 3.8.3
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-82r3 6.2.7
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
IA.L1-3.5.1
Identification
Identify information system users, processes acting on behalf of users, or devices.
References
-Cybersecurity Maturity Model Certification (CMMC) Model Overview, Version 2.0, page 10
-ANSI/ISA-62443-4-1-2018 page 55
-NIST SP 800-171r2 3.5.1
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-53 3.7 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
IA.L1-3.5.2
Authentication
Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Have a method by which users must prove who they are before they can access something. If someone wants to change how a machine operates, require a password, fingerprint scan, or key card to verify their identity first.
Example
You are in charge of purchasing. You know that some laptops come with a default username and password. You notify IT that all default passwords should be reset prior to laptop use [a]. You ask IT to explain the importance of resetting default passwords, and how easily they are discovered using internet searches, during next week’s cybersecurity awareness training.
Methods
-Using separate authentication mechanisms and credentials for users of the OT network and the corporate network (i.e., OT network accounts do not use corporate network user accounts)
-Using multi-factor authentication for remote access to the OT system
-Using modern technology, such as smart cards for user authentication
References
-NIST 800-171r2 3.5.2
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-ANSI/ISA-62443-4-1-2018 3.1.9 Define Authentication page 20
-ANSI/ISA-62443-4-1-2018 5.3.6 Purdue Model why authentication is important
-NIST 800-82r3 6.2.1
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
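The example and the methods list above make three points: default credentials must be reset before a device is used, OT accounts must not be the same credentials as corporate accounts, and users must prove their identity before they can change anything. The block below is an added Python illustration, not code from the page or from any cited standard, of how a small credential store can enforce all three: passwords are stored as salted PBKDF2 hashes, an account created with a vendor default is refused until it is reset, each network (corporate, OT) has its own store so a corporate password is useless on the OT side, and an audit routine reports any account still matching a known default. The usernames, passwords, realm names and the list of defaults are all constructed for the demonstration.

```python
"""Per-network credential stores with default-credential enforcement (added example, constructed data)."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class CredentialStore:
    """One store per network so OT accounts never reuse corporate credentials."""

    def __init__(self, realm: str) -> None:
        self.realm = realm
        self.users: Dict[str, Dict[str, object]] = {}

    def add_user(self, username: str, password: str, is_vendor_default: bool = False) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                "must_reset": is_vendor_default}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'denied', or 'reset_required' (correct password, but it is a vendor default)."""
        record = self.users.get(username)
        if record is None:
            hash_password(password, b"\x00" * 16)  # same cost for unknown users, so timing leaks nothing
            return "denied"
        if not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
            return "denied"
        if record["must_reset"]:
            return "reset_required"
        return "ok"

    def reset_password(self, username: str, new_password: str, known_defaults: Iterable[str] = ()) -> None:
        """Replace the credential; a reset to another known default is refused outright."""
        if new_password in set(known_defaults):
            raise ValueError("new password is a known vendor default")
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": hash_password(new_password, salt), "must_reset": False}

    def audit_default_credentials(self, known_defaults: Iterable[str]) -> List[str]:
        """Report accounts whose current password is one of the known defaults (no plaintext is stored)."""
        hits = []
        for name, record in self.users.items():
            if any(hmac.compare_digest(hash_password(pw, record["salt"]), record["hash"])
                   for pw in known_defaults):
                hits.append(name)
        return hits


# Constructed list of vendor defaults; a real list comes from the device documentation and inventory.
KNOWN_DEFAULTS = ("admin", "password", "changeme")


def demo() -> Dict[str, object]:
    """Walk through the scenario with constructed accounts and return every outcome."""
    corporate = CredentialStore("corporate")
    ot = CredentialStore("ot")
    corporate.add_user("jdoe", "corp-only-passphrase-7Q!")
    ot.add_user("jdoe", "ot-only-passphrase-2Z#")          # same person, separate OT credential
    ot.add_user("hmi-operator", "admin", is_vendor_default=True)  # shipped default, not yet reset

    results: Dict[str, object] = {
        "corp_cred_on_ot": ot.authenticate("jdoe", "corp-only-passphrase-7Q!"),
        "ot_cred_on_ot": ot.authenticate("jdoe", "ot-only-passphrase-2Z#"),
        "default_before_reset": ot.authenticate("hmi-operator", "admin"),
        "audit_before": ot.audit_default_credentials(KNOWN_DEFAULTS),
    }
    ot.reset_password("hmi-operator", "line3-hmi-Unique-passphrase!", KNOWN_DEFAULTS)
    results["default_after_reset"] = ot.authenticate("hmi-operator", "admin")
    results["new_after_reset"] = ot.authenticate("hmi-operator", "line3-hmi-Unique-passphrase!")
    results["audit_after"] = ot.audit_default_credentials(KNOWN_DEFAULTS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit works against the stored hashes rather than a plaintext inventory, so it can run on a schedule as a compliance check without anyone handling the actual passwords; the list of defaults it tests is the one you maintain for your own equipment.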
AC.L1-3.1.2
Transaction & Function Control
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Create roles for each user that grant access to specific information and systems based on that role. If someone is on a project, give them a project role so they can access the systems they need for that project. If IT needs to access a machine system, they should have a role that permits it.
Example
You supervise the team that manages DoD contracts for your company. Members of your team need to access the contract information to perform their work properly. Because some of that data contains FCI, you work with IT to set up your group’s systems so that users can be assigned access based on their specific roles [a]. Each role determines whether an employee has read-only access or create/read/update/delete access [b]. Implementing this access control restricts access to FCI unless it is specifically authorized.
References
-ANSI/ISA-62443-4-1-2018 Page 29 5.3
-NIST SP 800-171r2 Page 22
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-162
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-162.pdf
AC.L1-3.1.1
Authorized Access Control
Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems). This can be achieved by creating a list of all authorized personnel who may use certain systems and devices.
Example
Your company maintains a list of all personnel authorized to use company information systems [a]. This list is used to support identification and authentication activities conducted by IT when authorizing access to systems [a,d].
References
-NIST SP 800-171r2 Page 22
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
-NIST SP 800-82r3 2.3.6. Physical Access Control Systems
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf
-NIST SP 800-82r3 6.2.1 Identity Management and Access Control (PR.AC)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf
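AC.L1-3.1.1 (a list of personnel authorized to use each system) and AC.L1-3.1.2 (roles that decide which transactions each person may run, such as read-only versus create/read/update/delete) fit together as one access-control decision. The block below is an added Python illustration, not code from the page or from any cited standard, of that decision: an authorized-personnel list is the first gate, roles map to per-resource permission sets, a user's effective permissions are the union of their roles, every decision is written to an audit trail, and removing a person from the list revokes everything at once. Users, roles and resources (a DoD contract store and a CNC controller configuration) are constructed for the demonstration.

```python
"""Authorized-user list plus role-based transaction control (added example, constructed data)."""
from enum import Flag, auto
from typing import Dict, List, Tuple


class Perm(Flag):
    CREATE = auto()
    READ = auto()
    UPDATE = auto()
    DELETE = auto()


NONE = Perm(0)
FULL = Perm.CREATE | Perm.READ | Perm.UPDATE | Perm.DELETE

# Constructed role definitions: role -> resource -> permitted transactions.
ROLES: Dict[str, Dict[str, Perm]] = {
    "contracts-analyst": {"dod-contracts": Perm.READ},
    "contracts-manager": {"dod-contracts": FULL},
    "machine-operator": {"cnc-controller-config": Perm.READ},
    "it-admin": {"cnc-controller-config": Perm.READ | Perm.UPDATE},
}

# Constructed authorized-personnel list (AC.L1-3.1.1): an identity absent from this list
# gets no access at all, whatever roles it might claim.
AUTHORIZED_USERS: Dict[str, List[str]] = {
    "alice": ["contracts-manager"],
    "bob": ["contracts-analyst"],
    "carol": ["it-admin", "machine-operator"],
}

AUDIT_LOG: List[str] = []


def permissions_for(user: str, resource: str) -> Perm:
    """Union of what the user's roles grant on the resource; NONE for unlisted users."""
    granted = NONE
    for role in AUTHORIZED_USERS.get(user, []):
        granted |= ROLES.get(role, {}).get(resource, NONE)
    return granted


def check_access(user: str, resource: str, wanted: Perm) -> Tuple[bool, str]:
    """Authorization decision for one transaction (AC.L1-3.1.2), recorded either way."""
    if user not in AUTHORIZED_USERS:
        verdict = (False, f"{user}: not on the authorized personnel list")
    else:
        granted = permissions_for(user, resource)
        if wanted in granted:
            verdict = (True, f"{user}: {wanted.name} on {resource} allowed via {AUTHORIZED_USERS[user]}")
        else:
            verdict = (False, f"{user}: {wanted.name} on {resource} denied (granted: {granted})")
    AUDIT_LOG.append(("ALLOW " if verdict[0] else "DENY  ") + verdict[1])
    return verdict


def deauthorize(user: str) -> None:
    """Leaving the authorized list removes every role at once (for example on termination)."""
    AUTHORIZED_USERS.pop(user, None)


if __name__ == "__main__":
    check_access("bob", "dod-contracts", Perm.READ)
    check_access("bob", "dod-contracts", Perm.DELETE)
    check_access("carol", "cnc-controller-config", Perm.UPDATE)
    check_access("dave", "dod-contracts", Perm.READ)
    print("\n".join(AUDIT_LOG))
```

Keeping the personnel list and the role table as two separate structures is deliberate: the list answers "is this person allowed on our systems at all", which HR and IT can reconcile on a schedule, while the role table answers "what may they do there", which changes with projects and can be reviewed by the data owner.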