For this edition of our “Ask an Expert” series, we interviewed Cory Albrecht, director of the Advanced Institute for Manufacturing at Mohawk Valley Community College. The Advanced Institute for Manufacturing is part of the New York Manufacturing Extension Partnership (NY MEP) and serves small companies in the Mohawk Valley region.
Your organization has taken a lead in providing cybersecurity consulting to small manufacturers in New York State. What do small manufacturers need to know about cybersecurity?
The most important thing that small manufacturers need to know is that cybersecurity is not an issue that can be put on the back burner. Unfortunately, some small companies list cybersecurity as a low priority issue because they don’t think they’re a target for these sorts of attacks, or because they think it’s going to be an expensive undertaking. The reality is that small and medium-sized manufacturers are one of the most targeted groups for cyber attacks, and there are many steps companies can take to protect themselves that cost very little to nothing. A very small investment up front can help save a company from a business-closing disaster down the line. It’s also worth mentioning that cybersecurity does not just exist in the technological realm. Our risk assessments also look at the storage and protection of paper documents, prototypes, and the physical security of buildings. Attackers do not limit themselves to strictly technological attacks, and as a result companies need to consider more than just their network security when looking to protect themselves.
Please tell us about a time or two that you’ve helped a manufacturer become more secure.
So far, our most prominent success stories have come from the metalworking industry. AIM’s cybersecurity team recently was able to provide cyber remediation to a manufacturer that was the victim of an attack in which we assisted in the recovery of their data and aided them in preventing a similar attack from happening again. In another instance we were able to work with a company in a proactive fashion. We looked at their current security, met with their IT contractor, reviewed their company policy, and conducted employee interviews to help determine the gaps in their security. Then we developed a report that outlined each issue, gave suggestions for remediation, and prioritized the order in which these issues should be resolved. In both of these cases, the amount of money that needed to be invested in new equipment was either minimal or nothing at all, which was a surprise to them. Most of the recommendations made were amendments to company policy and additional employee training. As with most programs that MEP centers offer throughout New York State, it is better to be proactive with cybersecurity, and not reactive to the damage and company reputation.
What makes cybersecurity such a prominent industry cluster in the Mohawk Valley? And how can the region’s cybersecurity assets contribute to a strengthened, more secure manufacturing base?
One of our region’s strongest assets is our cybersecurity knowledge base. We have a variety of colleges that have cybersecurity academic and research programs. This, along with the strong government and military presence at the Griffiss Institute and the Air Force Research Laboratory (AFRL), allows us to communicate with some of the greatest cybersecurity minds in the world, and apply that expertise to the small manufacturers in the area. The AFRL alone has over 1,200 local employees and an annual budget exceeding $1 billion. This investment has also helped spur the development of a cluster of defense contractors calling the Mohawk Valley region home. This regional cyber ecosystem will continue to offer cutting-edge network and cybersecurity resources to manufacturers throughout the Mohawk Valley and New York State.
The National Institute of Standards and Technology (NIST) has issued guidance for federal agencies to ensure that sensitive federal information remains confidential when stored in non-government information systems and organizations. How do these requirements affect New York State manufacturers with Department of Defense contracts?
The Advanced Institute for Manufacturing is working to develop solutions for the new NIST 800-171 Defense Federal Acquisition Requirement that will go into effect on December 31st 2017. This NIST cybersecurity regulation will ensure that all manufacturers that have Department of Defense contracts and are working with Controlled Unclassified Information (CUI) have a plan for cyber and network security compliance in place. Our cybersecurity team has been working with NIST and other cybersecurity resources to offer awareness, education, assessment and training to manufacturers in New York State. In order to obtain or retain a Department of Defense contract from 2018 forward, manufacturers will need to be sure they are in compliance with the standards in this publication in regards to cybersecurity and information assurance.
Cory Albrecht can be contacted at [email protected]