Steve sits down with Reg Harnish, the CEO of OrbitalFire Cybersecurity to discuss the importance of cybersecurity compliance for manufacturers. Reg discusses the human and non-human elements of risk management, trade secret protection, and domestic espionage.
Learn about the unique situation that small to medium NYS manufacturers face when protecting both their technical and intellectual property, especially from overseas. Remember, insurance does NOT replace your cybersecurity program. Manufacturers need complementary cybersecurity controls as well as comprehensive insurance to protect their businesses from exposure. Get in touch with OrbitalFire today to ensure that your organization meets and exceeds all regulations.
Steve Melito: Welcome to New York State Manufacturing Now, the podcast that’s powered by FuzeHub. I’m your host, Steve Melito. Today we’re talking to Reg Harnish, the CEO of Orbital Fire Security in New York’s capital region. Reg is a nationally renowned cybersecurity thinker, and his thoughts on this subject have appeared in places that include Forbes Magazine. Cybersecurity is a critical subject for manufacturers, and if you don’t believe that, you can look it up. Just make sure not to click on any links that look fishy. Anyway, manufacturing is one of the most, if not the most targeted industry sectors for cyber attacks. So Reg, we’re very glad to have you here. Welcome to the podcast.
Reg Harnish: Yeah, thanks, Steve. Thanks for having me.
Steve Melito: You bet. Hey, cybersecurity is filled with acronyms and manufacturers that are part of the defense supply chain need to know about two and comply with two, and those are DFARS and CMMC. What does compliance really mean and what the heck are DFARS and CMMC anyway?
Reg Harnish: Well, compliance is essentially a set of standards that someone thinks an organization should apply to reduce risk, likely in a supply chain, but it could be for other reasons as well. But it’s a set of best practices, a checklist, think of it that way, that typically has really good intent, but often through a lack of prescription and a lot of interpretation can be done in a lot of ways. So it’s different things to different people. DFARS and CMMC are a few of those confusing acronyms, which I think is just job security for a lot of us oftentimes, but it is specifically for DOD or manufacturers in the DOD supply chain. DFARS was sort of the earliest revision, and CMMC is a later variant of these compliance standards and frameworks, and it’s essentially a process for protecting controlled, unclassified information in these manufacturers, and particularly the small manufacturers who probably haven’t done a lot in cybersecurity. It gives them some best practices and some checklists and frameworks to operate under that purportedly will reduce risk to the DOD’s position and programs.
Steve Melito: So let’s talk a little bit about who this applies to that defense supply chain. If I’m a small to medium manufacturer and I make a screw that goes into housing, that goes on a helicopter, that’s used by the Air Force or the Marines or whoever, am I part of that defense supply chain? Does this stuff apply to me?
Reg Harnish: So there’s a lot of confusion around what a covered entity might actually be. So your example’s a good one, and sure, that would probably be subject to these types of regulations, but there’s others too. You may not be making anything, but if you are collecting, creating, storing, processing, or transmitting what’s called controlled unclassified information, CUI, then you’re likely subject to the same types of regulations. But honestly these days, because there’s a lot of confusion, a lot of the pressure is coming from primes and sub-primes, and other folks upstream in your supply chain. So whether or not the feds think you’re a covered entity, if you can’t bid on that next job or project, and contractually someone in your supply chain says, “Listen, we’re not going to use you. We’re not going to work with you unless you can demonstrate compliance with one of these frameworks,” then guess what? DFARS and CMMC apply to you. Anything else really doesn’t matter. There’s a certain interpretation of the law, but then there’s also pragmatically what’s happening on the ground.
Steve Melito: So those are the acronyms, those are how they apply and might apply. And the New York MEP system of which FuzeHub is part, we’ve got a few acronyms of our own as well. And we’ve been involved in efforts to help manufacturers achieve something called NIST 800 171 compliance. And so as I’m listening to you talk about these other acronyms, I’m wondering, do manufacturers in the defense supply chain no longer have to worry about NIST 800 171 because of CMMC?
Reg Harnish: No, that’s not correct. And oftentimes the requirements will change. And as we’ve seen with a recent update, CMMC version 2.0, those requirements will continue to be in flux over time. I think as we figure out where the threats and risks are, I think the frameworks that attempt to address those are going to evolve as well. But in many ways, CMMC, depending on your level and depending on the application level, is actually just a superset of NIST 171. So in a lot of ways, if you are heading down the CMMC journey, you’re going to be dealing with NIST 171 directly or indirectly, whether you know it or not. One of the things we like about 171 is that it’s a very broad framework, but it doesn’t go very deep. There’s only 110 controls, sub-controls, and it really focuses on confidentiality. Whereas CMMC gets more into the complex side of cybersecurity, or the more complex side of cybersecurity; it really contains a lot of integrity and availability controls. And so 171 I think has broad appeal because one, there’s only 110 controls, which is almost a tenth of what you’ll find in CMMC, but also the controls are more familiar to anyone who spent any time in this domain.
Steve Melito: Let’s switch gears a little bit and talk about cybersecurity threats in general, and manufacturers face a lot of them. What are your thoughts on responding to incidents like ransomware, wire fraud and business email compromise?
Reg Harnish: So I spend all of my days lately with small manufacturers and small businesses, and ransomware and wire fraud and business email compromise really make up, this is going to be sort of a guess, but 80 to 90+% of the incidents that we see. And while we recognize that some of these issues are becoming more sophisticated and they are moving downstream, so things that we only used to see in enterprise, we’re now seeing in 20-person ball bearing manufacturers, the way you build resilience in your organization hasn’t changed a whole lot. And so again, one of the things I like about the NIST frameworks and in particular 171 is that it focuses on some things and provides guidance on a few areas that really help minimize that risk. And not necessarily, or not just the risk of likelihood. So we’re not talking just about prevention, because for most small businesses, it’s impossible to avoid all cyber crime or bad things happening with computers. But what’s become more important is your ability to discover and detect these issues quickly and then recover in a way that you’ve minimized any disruption, you’ve avoided as much of the cost or loss and damage as possible during the incident. And then honestly, just getting back to business. So responding to ransomware and wire fraud is certainly systemic, but there’s not a lot of rocket science in what we’re doing. And I think you will find that some of the greatest controls to prevent, detect, recover are fairly fundamental and things we’ve been doing for some time.
Steve Melito: Do you think that email is the weakest link? I get about 5 or 10 attempts a week to get something from me.
Reg Harnish: If email is the weakest link, it’s only because it’s the most frequent application that we interface with, and it’s more visible or accessible to more human beings. It’s more central to all the work that we do. Email by itself is no more or less secure than anything else out there. It really comes down to what you do with it and how often. I think there’s also another very common cliché in our industry that humans are the weakest link. And while I agree with that, fundamentally, it’s not in the way that most people explain it or express it. So when the cybersecurity industry says that people are the weakest link, they’re talking about folks not taking time with email to assess links, inspect an email, an attachment, those kinds of things. And so they’re really focused on social engineering type issues with email or, let’s say, a browser. But honestly, the problem is much bigger than that. So don’t forget, it’s a human who wrote sloppy code that was vulnerable. It was a human who misconfigured a firewall because they wanted to leave early on a Friday. Or it’s humans who open or hold a door for an unregistered visitor. So the human problem is much deeper than just clicking links. And I do agree that all cybersecurity risks come down to a human being. But keep in mind, if someone, a human being, clicks a link in an email, it means that a lot of technology has already failed. So in that attack chain, the human being is just the last element that failed, because there’s a dozen other technologies and other processes and things that have already failed. So I think humans get a bad rap in terms of social engineering. Not to say that we’ve solved that problem, because we haven’t. But I think we need to take a step back and recognize that humans are littered throughout the cybersecurity domain. And clicking links is but one of those risks.
Steve Melito: Speaking of email and humans, I’ve got emails in my inbox right now from a lot of talented ones that FuzeHub talks to, a lot of great companies with great ideas, and we encourage them to make their products right here in New York State if they can. And if they can’t, to do it somewhere else in the US. And frankly, certainly not in China. What are your thoughts about protecting intellectual property designs and trade secrets, and is it bigger than just worrying about China, and Russia, and all of those other actors?
Reg Harnish: Well, I think we’ve seen that some of this, I’ll call it domestic terrorism, but domestic espionage is happening pretty regularly, whether it’s with the NFL trying to steal plays, to certainly the blueprints and designs for manufacturing ball bearings, it’s all happening here as well. So I don’t think China and Russia are the only ones, I think it’s happening. I think though, if you are protecting yourself and your intellectual property in a meaningful way, you’re generally protecting it from all different types of threat actors and adversaries. So I don’t think there’s anything special necessary to distinguish between China and a competitor in Indiana. But intellectual property itself can be difficult because your IP is not very useful until you share it, until you build something and you actually share that. So unlike other trade secrets and maybe other information, the sensitive data becomes exposed as a process of doing business. And so the question becomes how do you protect your intellectual property once it’s in the wild, and you’ve sold it, or you’ve implemented it, or distributed it? And I think manufacturers have a unique challenge in some ways in that there are adversaries at all ends of the spectrum. So unlike credit cards, unlike in some ways medical records and PHI, intellectual property, if someone’s going after your IP, it’s because they want to put you out of business. They have an engineering or a manufacturing engine that needs fuel. And you take China for example, they’ve got sort of the largest populace on the planet and they’ve got to feed that engine, they’ve got to fuel it. And the only way that they can do that is by pushing more ideas, more blueprints, more engineering designs through that engine to produce product. And the outcome, of course, is that they can produce it faster and at less cost, or lower cost, than the manufacturer or the designer, the inventor of that asset.
And it may have taken them years, but China steals it in a couple of weeks and they can bring it to market for less. And so that’s really the strategy. And in particular, small manufacturers have a challenge because they don’t necessarily have the resources of a Boeing or Raytheon.
Steve Melito: The resources are always finite and certainly more limited when you’re smaller and there’s a lot of expenses. And one of them can be insurance, and it’s not a riveting subject typically, but it’s an important one. If you’re a manufacturer, how do you get the right cyber insurance policy?
Reg Harnish: Tough question these days, because the cyber insurance industry is itself really in a state of free fall and change and revolution in a lot of ways. If you go back 15 years ago, and you think about the AIGs, and Chubbs, and Lloyds, and Beazleys that got into the market early, they really took a bath because they treated cyber incidents like hurricanes. And hurricanes, we know when they happen, where they happen, we know what damage they produce, we know how to recover from them, and we know none of that for cyber. So the actuarial science is very different and you can’t treat them the same. And so what we’re seeing now is a lot of those big insurers, underwriters, carriers are exiting the business as quickly as possible, and they’re being replaced with what we call sort of an insurtech 2.0, or next-gen insurtech organizations.
If you’re a small manufacturer, you need insurance. Absolutely, there’s no way around it. But there’s a couple of things that are really important. One is that insurance does not replace your cybersecurity program. So DFARS and your pursuit of compliance of DFARS works in complement to an insurance program and vice versa. Keep in mind that your insurance policy is designed to address and cover residual risk, meaning the things that you can’t feasibly address through cybersecurity controls. And so ideally what would happen is as your cybersecurity program matures and you introduce more controls that are more effective and auditable and proactive, your premium should go down because your risk and your residual risk has been reduced. The problem is that the industry, generally speaking, is not smart enough, the insurance industry is not smart enough to directly correlate investments in cyber with risk, residual risk and premiums, but it’s getting better. There are definitely organizations out there who understand this at a deep level and are changing the mechanics of insurance and addressing this in the way that it’s supposed to. It’s supposed to work as a system, a system of different components. Today it’s pretty broken, but we do see it changing slowly, and there are players out there who are addressing this, but again, that can’t stop you from getting a policy because if you’re exposed and something undesirable happens, you’ve got bigger headaches.
Steve Melito: That’s for sure. So I think in a way, we’ve almost come full circle. One last question, sort of two parts actually. Where do you start in cybersecurity and then how do people get in touch with you if they want to talk and see how you could help?
Reg Harnish: Well, yeah, thanks. I appreciate that. Getting started really is about commitment. I have personally been involved with hundreds, maybe thousands of organizations who were pursuing some kind of compliance. And I don’t think I’ve ever seen a 100% compliant organization. And that’s because we have defined the goals incorrectly. So obviously 100% is the goal, but what’s most important is your commitment, being able to demonstrate continuous improvement, showing a regular system of assessment and remediation. Those are things that a lot of the federal agencies, a lot of companies who are enforcing compliance through their supply chain are looking at and saying, “Hey, listen, let’s not make great the enemy of good.” If someone in our supply chain has really done a lot of the right things, made investments, they’re measuring their progress, they’re clearly and transparently reporting to us, that’s good enough because we know that they’re in the same boat that we’re in. And just like we find 100% compliance unachievable, so do they. And so it’s really about managing risk, whether it’s in your own organization or in your supply chain. So getting started, honestly, it’s about taking that first step. I just saw a talk the other day that was really super helpful for me, and it talked about how do you form a new habit, it’s called Atomic Habits, and how do you form these habits? And if you want to get up and go to the gym every day, don’t focus on the gym, focus on your sneakers. And the moment you wake up, put your sneakers on, because that creates success downstream because you’ve taken that very first step, you’ve committed to it, and that very first step is so easy that of course you can get up and put your sneakers on. There’s just nothing to it. So I encourage folks to really think about this as an investment, a continuous and never-ending program and activity. And you’ve got to be reasonable with your expectations about what is achievable in a short timeframe.
But I think, again, no different than saving money or personal fitness. It’s the long game and you’ve got to commit to that. And if you do that, the results are typically apparent. If all this sounds interesting and you like our approach, you can certainly contact us at [email protected] orbitalfire.com or go to our website for more information. We’re very transparent about pricing. We’re specifically designed for small manufacturers, and so we have packages that are as affordable as $10 per month per user. And when we talk about that first step, getting into a basic cybersecurity package, there’s just no excuse anymore because all you’ve got to do is put your sneakers on. And those sneakers actually are very affordable through us.
Steve Melito: Excellent. So get started. Manufacturers, this is a critical subject. Reg Harnish, thank you so much for being on New York State Manufacturing Now.
Reg Harnish: Thank you, Steve. It’s been a great conversation. I appreciate it.
Steve Melito: Wonderful. So we’ve been talking to Reg Harnish of Orbital Fire in New York’s Capital Region about the importance of cybersecurity and what you as a manufacturer need to know, and even more importantly, do. Hey, normally this is the part of the podcast where I tell you about FuzeHub’s upcoming events, but we’re headed into the home stretch of 2022, and well, there just aren’t any more big events until next year. But here’s what I can tell you. If your fiscal year is calendar based, Q4 is probably your last chance to plan your marketing efforts for the year ahead. And while I can’t tell you where the economy is headed, I can tell you now that if you think you have all the customers you need, it might be time to think again. Reach out to FuzeHub for a free half-hour marketing consultation. It’s as easy as visiting www.fuzehub.com. When you get there, just click the “Speak to an Expert” button and fill out the form. You’ll hear from a member of our manufacturing solutions team. It’s probably me, and we’ll set up a time to talk. So on behalf of FuzeHub and New York State Manufacturing Now, this is Steve Melito signing off.