CYBERSECURITY

Cybersecurity Desk: Artificial Intelligence and Heat Treating

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT NEWS, OP-ED / Leave a Comment
op-ed

Artificial intelligence remains a hot topic for every industry, not least heat treating. Understanding the how and why of AI’s potential impacts on the industry, however, is not so easily apparent.

Today’s article, written by Joe Coleman, cybersecurity officer at Bluestreak Consulting, breaks down the pros and cons of implementing AI, to help you decide if artificial intelligence might be a beneficial addition to your heat treat operations.

This article was originally published in Heat Treat Today’s December 2023’s Medical and Energy Heat Treat magazine, and can be read in fullness here.

Introduction

Joe Coleman, cyber security officer, Bluestreak Consulting

As all of you are aware, artificial intelligence (AI) is getting more and more attention, and companies are beginning to use AI to help with many aspects of running their businesses. I’m sure you’ve heard of ChatGPT and other intelligent user interfaces (IUI). You may be one of those businesses considering the idea or experimenting with it to access its potential benefits for your business.

Like any industry, there are quite a few pros and cons associated with using AI to improve the heat treating processes. This article will outline some of these advantages and disadvantages. Always make sure you do your own research before jumping into the AI world because it’s not always what it seems.

What Is Artificial Intelligence (AI)?

Artificial Intelligence is the simulation of human intelligence in machines that are programmed to think and learn like humans. It includes a wide range of techniques and approaches, including machine learning, allowing computers to perform tasks that typically require human intelligence, such as understanding natural language, recognizing patterns, solving problems, and making decisions. AI systems are designed to learn from data, improving their performance over time without direct programming. These technologies find applications in many areas, from virtual assistants and language translation services to autonomous vehicles and industrial diagnostics, revolutionizing industries and helping to shape the future of technology

Pros of AI in Heat Treating

Quality Improvement:

  • AI systems can monitor and help control the heat treatment process in real time, ensuring you have consistent quality and to minimize defects.
  • Predictive analytics in AI can anticipate potential defects, allowing for corrective actions before they occur.

Increased Efficiency:

  • AI algorithms can optimize processing parameters and reduce bottlenecks, leading to faster and more efficient heat treating processes.
  • AI-driven automation can improve employee labor throughput and increase overall production speed.

Cost Reduction:

  • By optimizing utilities usage and resources, AI can help reduce the plethora of operational costs within heat treating facilities.
  • Predictive maintenance generated by AI can prevent costly equipment breakdowns and production downtime.

Customization and Personalization:

  • AI algorithms can analyze customer requirements and tailor heat treating processes to their specific needs.
  • Improved data analysis can lead to the development of new and specialized heat treatments for different metals and alloys.

Data Analysis and Information:

  • AI systems can process enormous amounts of data generated during heat treatment, collecting valuable information that can be used for process improvements and better-quality management.
  • Pattern recognition and statistical process control (SPC) analysis by AI can identify trends and correlations that could normally be overlooked.
Click image to download a list of cybersecurity acronyms and definitions.

Cons of AI in Heat Treating

Initial Investment:

  • Implementing an AI system requires a significant initial investment in the technology, training, and infrastructure, which may be a showstopper for smaller businesses.

Dependency on Technology:

  • Dependencies on AI systems can be a problem if there are technical glitches or breakdowns, disrupting the entire heat treating process.

Data Security and Privacy:

  • AI systems rely heavily on data. Ensuring the security and privacy of sensitive data is critical, especially when dealing with Controlled Unclassified Information (CUI), your proprietary heat treating processes, and sensitive customer information.

Ethical Concerns:

  • AI decision-making processes raise ethical questions, especially if the technology is used in critical applications, ensuring fairness, transparency, and accountability in AI decision-making is essential.

Skilled Workers Replaced:

  • Automation using AI might reduce the need for certain manual tasks, potentially leading to skilled workers losing their jobs without the necessary skills to operate or maintain AI systems.

Here’s the bottom line: You should always do your own research to see if AI is a good fit for your business. AI is not always better. There are upsides of using it, and there are definitely downsides to using it. You can’t always trust AI to give you the best information, so always make sure you confirm the information it is giving you through V&V (verification and validation).

At the Metal Treating Institute’s (MTI) national fall meeting, held October 9–11 in Tucson, AZ, Jay Owen gave an excellent presentation entitled, “Artificial Intelligence: Be Afraid or Be Excited.” Contact MTI by visiting www.heattreat.net.

Find heat treating products and services when you search on Heat Treat Buyers Guide.Com

Cybersecurity Desk: Artificial Intelligence and Heat Treating Read More »

Don’t Be the Next Ransomware Victim: How To Detect, Protect, and Recover

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT, OP-ED
op-ed

Ransomware is a threat to all industries, and heat treating is no exception! This article is here to give heat treaters the "how-to" of responding to ransomware, to help keep operations safe and running smoothly. 

Today's read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today's November 2023 Vacuum Heat Treat print edition.

Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Today, the threat of being infected with ransomware is everywhere. Ransomware attacks have grown increasingly sophisticated and widespread, leading to substantial financial harm, emotional distress, and damaged reputation to those unfortunate enough to become victims.

In this article, we’ll cover ransomware — describing what it is, how it works, and most importantly, how you can protect yourself from becoming its next target. Equip yourself with the knowledge and proactive strategies required to protect your digital assets, data, and systems.

What Is Ransomware?

Ransomware is a cyber threat that wreaks havoc on businesses by encrypting computer files and extorting a ransom from victims for their release. Once your system falls victim to this malicious software, it can spread to connected devices, such as shared storage drives and other network-accessible computers. Even if you comply to the ransom demand, there’s no guarantee of full data recovery, because cybercriminals may withhold decryption keys, demand additional payments, or even delete your data. It’s important to note that the federal government strongly discourages paying ransomware demands, as it fuels criminal activity.

Click on the Image for a full list of Cybersecurity Acronyms

What Can I Do To Prevent Ransomware Attacks?

Frequent and Routine Backups: Perform regular backups of your system and essential files, and consistently verify their integrity. In the case that your computer or system is infected with ransomware, you can restore them to a previous state using these backups.

Keep Software Updated: Ensure that your applications and operating systems are up to date with the latest software/security patches. Most ransomware attacks target vulnerabilities in outdated software.

Secure Backup Storage: The best practice is to store your backups on a separate device that is not connected to the network, such  as an external hard drive. Even better, consider storing your backups offsite at a different location. After completing the backup, disconnect the external hard drive or isolate the device from the network or computer.

Exercise Caution with Links: Exercise caution when dealing with links and entering website addresses. Be especially vigilant when clicking on links in emails, even if they appear to be from familiar senders. It’s advisable to independently verify website addresses. You can do this by reaching out to your organization’s helpdesk, searching the internet for the sender’s organization website, or researching the topic mentioned in the email. Pay close attention to both directly clicking the link to and manually entering the address of a website, as malicious sites often mimic legitimate ones with slight spelling variations or different domains (e.g., .com instead of .net).

Cybersecurity Awareness Training: Businesses should prioritize providing cybersecurity awareness training to their personnel. Ideally, organizations should conduct regular, mandatory cybersecurity awareness training sessions to ensure their staff stay well informed about current cybersecurity threats and techniques employed by threat actors. These training sessions should occur at least once a year. Additionally, organizations can enhance workforce awareness by testing their personnel with phishing simulations that replicate real-world phishing emails, as well as different types of face-to-face social engineering to try to get usernames/ passwords.

Responding To a Ransomware Attack

Isolate the Infected System: Disconnect the infected system immediately from the network to prevent the spread of the infection.

Identify Affected Data: Determine what data have been affected. Sensitive data, such as customer’s electronic CUI (controlled unclassified information), may require additional reporting and mitigation measures.

Check for a Decryption Key: Explore on the internet to see if a decryption key is available. Online resources like www.nomoreransom.org can be helpful.

Restore from Backups: Restore your files from regularly maintained backups.

Report the Incident: Report ransomware incidents. Consider reporting to your local Federal Bureau of Investigation (FBI) field offices or the Internet Crime Complaint Center (IC3) at www.ic3.gov.

Do Not Pay The Ransom: Emphasize the importance of not paying the ransom as it can encourage additional criminal activity.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Don’t Be the Next Ransomware Victim: How To Detect, Protect, and Recover Read More »

Cybersecurity Desk: NIST SP 800-171 Is Changing But Don’t Panic . . .

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT, OP-ED

How can increased cybersecurity measures benefit today’s heat treaters and their clients? Find out more with an exploration of the coming changes in CUI and the way these changes could affect heat treating companies. 

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today’s September 2023 People of Heat Treat print edition.

Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

This 10th article in the series from Heat Treat Today’s Cybersecurity Desk will explain some of the changes that are being proposed in the IPD (Initial Public Draft) of NIST SP 800-171 Revision 3. On May 10, 2023, the National Institute of Standards and Technology (NIST) released a draft version of Rev. 3 for Special Publication (SP) 800-171, the foundational framework of requirements for protecting controlled unclassified information (CUI). The final version of NIST SP 800-171 Rev. 3 is expected to be released in early 2024.

Don’t panic about these proposed changes in Rev. 3. If you handle CUI and you are working towards your compliance, continue to implement Rev. 2. Don’t wait until Rev. 3 is fully released to start. Remember, DFARS mandates that if you are a DoD prime contractor or subcontractor with CUI, you need to be compliant with NIST 800-171 Rev. 2 as well as CMMC Level 2 or 3 certified. CMMC certification deadline is in 2025 and it’s fast approaching.

Modifications & Additions to Rev. 3

The changes in Rev. 3 should have a positive impact on your ongoing compliance management program. They simultaneously made the requirements easier to understand and implement while also preserving and even adding flexibility that allows companies to make risk-based decisions about their environments and the data managed in those environments. These include the merging, addition, removal,
and clarification of several different requirements. The most obvious difference is that the requirements went from 110 controls down to 109. This was because they had withdrawn 27 of the original controls (most are migrated into another existing control) and added 26 new requirements.

Categories of Changes

• 18 Controls with “No Significant Change”: Editorial changes to requirement; no change in outcome.
• 49 Controls with “Significant Change”: Additional detail in the requirement, including more comprehensive detail on foundational tasks for archiving the outcome of the requirement.
• 18 Controls with “Minor Changes”: Editorial changes. Limited changes in the level of detail and outcome of requirements.
• 26 Controls with “New Requirements”: Newly added requirement in IPD SP 800-171 Rev. 3.
• 27 Controls with “Withdrawn Requirements”: Requirement withdrawn.
• 53 Controls with “New Organization-Defined Parameter (ODP)”: New ODPs can apply to all change types with the exception of withdrawn requirements. Each requirement includes one or more new ODPs.

Chart with Cybersecurity Acronyms
Click on the Image for a full list of Cybersecurity Acronyms

Implications for Heat Treaters

What has not changed is that companies that handle CUI must comply with the NIST 800-171 cybersecurity standards. Failure to comply can result in significant consequences, including loss of contracts and damage to the company’s reputation. With the release of Rev. 3, heat treaters must ensure they are up to date with the latest security requirements. One of the most significant changes in Rev. 3 is the addition of new security requirements. Heat treating companies must review these new requirements and ensure they have implemented the necessary controls to meet them. Also, organizations must review the updated requirements to ensure they meet the latest best practices. The reorganization of the security requirements may also impact heat treaters. The alignment with the NIST Cybersecurity Framework provides a more comprehensive approach to security. However, some companies may need to adjust their current security programs to align with the new structure. By staying informed and implementing the necessary controls, heat treat organizations can ensure they are adequately protecting CUI and meeting their compliance obligations to their clients.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: NIST SP 800-171 Is Changing But Don’t Panic . . . Read More »

Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT, OP-ED

How can increased cybersecurity measures benefit today's heat treaters and their clients? Find out more with an exploration of 2FA and MFA!

Today's read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today's August 2023 Automotive Heat Treat print edition.

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Introduction

This 9th article in the series from Heat Treat Today’s Cybersecurity Desk will explain the significance of 2FA (2-Factor Authentication) and MFA (Multi Factor Authentication), their benefits, and how they can help secure your data and your clients’ data.

2FA and MFA have proven to be effective methods to enhance online security. And, if you provide any products or services to a DoD (Department of Defense) contractor, this is mandatory for all users accessing your computer systems and critical data. Implementing 2FA is a minimum requirement and is better than just a username/password combination. MFA takes your security to a whole new level.

What Is 2FA?

2FA adds an extra layer of security to the usual username/password combination. It requires users to provide a second authentication factor, typically something they possess, in addition to their password. Common examples include a one-time verification code sent via SMS, email, or generated by an authentication app like Google Authenticator or Authy. By requiring the combination of something known (password), along with something possessed (authentication factor), an additional level of security is provided.

What is MFA?

The strengths of Multi-Factor Authentication (MFA) take security a step further by incorporating multiple authentication factors beyond the customary two. These authentication factors can be categorized into three main types: something you know (password or PIN), something you have (smartphone or security token), and something you are (biometrics like fingerprints or facial recognition). MFA offers increased security as it requires multiple factors to be verified before granting access.

Is MFA Better than 2FA?

In terms of security, the more the better should be the correct mindset. MFA is a more secure method than 2FA, because a user must respond to more checkpoints, especially if authentication factors disperse through different access points that aren’t available online (like a token or security key) and require a physical presence. Proving user identity multiple times instead of just submitting items of proof twice (i.e., 2FA), lowers the chance of a breach and helps achieve security compliance requirements.

Implementing 2FA or MFA

Enabling 2FA and MFA is becoming a more and more accessible option across many platforms and services. The most popular websites, email providers, social media networks, and online banking institutions offer 2FA and/or MFA options. Users can typically find the necessary settings in their account security or privacy preferences. It is crucial to follow the provided instructions for setting up and managing these authentication methods properly. In an age where cyber threats are always rising, protecting our online presence is critical. 2FA and MFA have proven to be effective methods in safeguarding our digital lives. By implementing these extra layers of security, companies can enhance their defenses and protect their data and their clients’ data.

What About Your Outside Personnel Support?

Chart with Cybersecurity Acronyms
Click on the Image for a full list of Cybersecurity Acronyms

Many companies have outside vendor support, and maintenance personnel access their network and systems on a regular basis. For example, they may use VPN access that requires the user to “punch a hole” in the firewall, making it much more vulnerable to unauthorized access. Additionally, it is typically a configuration nightmare for your network and the IT folks to get it working properly.

There is a better way. Through much research and testing, we have found that BeyondTrust is a great tool to use to allow outside vendors secure access to the information they need to see without connecting to your network. It is currently used by 20,000+ organizations worldwide with much success and security. BeyondTrust also records their entire online session so you can see exactly what they accessed and did during the online session. Check out www.beyondtrust.com for more information.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure Read More »

Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT, OP-ED / Leave a Comment

How can increased cybersecurity measures benefit today’s heat treaters and their clients? Find out more with an exploration of 2FA and MFA!

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column was first released in Heat Treat Today’s August 2023 Automotive Heat Treat print edition.

Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

This 9th article in the series from Heat Treat Today’s Cybersecurity Desk will explain the significance of 2FA (2-Factor Authentication) and MFA (Multi Factor Authentication), their benefits, and how they can help secure your data and your clients’ data.

2FA and MFA have proven to be effective methods to enhance online security. And, if you provide any products or services to a DoD (Department of Defense) contractor, this is mandatory for all users accessing your computer systems and critical data. Implementing 2FA is a minimum requirement and is better than just a username/password combination. MFA takes your security to a whole new level.

What Is 2FA?

2FA adds an extra layer of security to the usual username/password combination. It requires users to provide a second authentication factor, typically something they possess, in addition to their password. Common examples include a one-time verification code sent via SMS, email, or generated by an authentication app like Google Authenticator or Authy. By requiring the combination of something known (password), along with something possessed (authentication factor), an additional level of security is provided.

What is MFA?

The strengths of Multi-Factor Authentication (MFA) take security a step further by incorporating multiple authentication factors beyond the customary two. These authentication factors can be categorized into three main types: something you know (password or PIN), something you have (smartphone or security token), and something you are (biometrics like fingerprints or facial recognition). MFA offers increased security as it requires multiple factors to be verified before granting access.

Is MFA Better than 2FA?

In terms of security, the more the better should be the correct mindset. MFA is a more secure method than 2FA, because a user must respond to more checkpoints, especially if authentication factors disperse through different access points that aren’t available online (like a token or security key) and require a physical presence. Proving user identity multiple times instead of just submitting items of proof twice (i.e., 2FA), lowers the chance of a breach and helps achieve security compliance requirements.

Implementing 2FA or MFA

Enabling 2FA and MFA is becoming a more and more accessible option across many platforms and services. The most popular websites, email providers, social media networks, and online banking institutions offer 2FA and/or MFA options. Users can typically find the necessary settings in their account security or privacy preferences. It is crucial to follow the provided instructions for setting up and managing these authentication methods properly. In an age where cyber threats are always rising, protecting our online presence is critical. 2FA and MFA have proven to be effective methods in safeguarding our digital lives. By implementing these extra layers of security, companies can enhance their defenses and protect their data and their clients’ data.

What About Your Outside Personnel Support?

Chart with Cybersecurity Acronyms
Click on the Image for a full list of Cybersecurity Acronyms

Many companies have outside vendor support, and maintenance personnel access their network and systems on a regular basis. For example, they may use VPN access that requires the user to “punch a hole” in the firewall, making it much more vulnerable to unauthorized access. Additionally, it is typically a configuration nightmare for your network and the IT folks to get it working properly.

There is a better way. Through much research and testing, we have found that BeyondTrust is a great tool to use to allow outside vendors secure access to the information they need to see without connecting to your network. It is currently used by 20,000+ organizations worldwide with much success and security. BeyondTrust also records their entire online session so you can see exactly what they accessed and did during the online session. Check out www.beyondtrust.com for more information.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: Not Using 2FA or MFA? Your Data Is Not Secure Read More »

Cybersecurity Desk: Work-From-Home Cybersecurity Tips and Best Practices

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT, OP-ED / Leave a Comment

Work-from-home benefits and challenges extend to work-from-travel occasions! Access corporate networks and systems with 8 cybersecurity best practices.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™This column is in Heat Treat Today’s June 2023 Heat Treat Buyers Guide print edition.

Introduction

In this eighth Cybersecurity Desk installment, understand the benefits and challenges associated with working from home or accessing corporate networks and systems while traveling.

Why Are So Many People Working from Home?

The COVID pandemic forced many companies to adapt to remote working and work-from-home (WFH)

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting
Source: Bluestreak Consulting

policies. Even though these policies have provided employees with more flexibility, they have also highlighted cyber risks that companies must consider. As of March 2022, work-from-home and working remotely have increased by 238% compared to pre-pandemic numbers. Although that number has reduced somewhat recently, it has changed the way companies operate and view WFH.

Several benefits of WFH include:

  1. Increased employee retention and productivity
  2. Reduced distractions and interruptions by coworkers
  3. Reduced company overhead costs
  4. Increased family time by eliminating commute

One of the first challenges most companies face when shifting to a WFH model is ensuring every employee has high-speed internet access. Most employees will use home Wi-Fi network or cell phone/wireless carrier as an internet “hot spot.” The first common sense rule of thumb is always try to avoid public Wi-Fi and public charging stations. Any way you choose to access high-speed internet, it must be secure. By now, most companies should have WFH or remote work policies and procedures in place, with employee awareness and training, because they MUST be followed to reduce cybersecurity risks.

Cybersecurity Best-Practices for Securing Remote Workers

If your company has employees that work from home and you’re wondering what cybersecurity measures you should put in place, here are some best practices to help you:

  1. Secure your work sessions: Using a single room that has a door that can lock is the ideal situation when possible. Many WFH employees are either sitting at their kitchen table or in the living room. In those cases, make sure to have your monitor facing a wall to prevent family or guests from viewing your work session and lock your computer when you’re away.
  2. Separate your home and business networks: Separate your Wi-Fi network so company-approved devices will be separate. Even better, use a secure network and a company-issued Virtual Private Network (VPN) to access your business accounts. You can also use BeyondTrust for secure remote access. Home routers should always be updated to the current software version when it becomes available.
  3. Separate work and personal devices: When accessing your corporate network, only use company-approved devices. Unless your company allows Bring-Your-Own-Device (BYOD), never use an unapproved device to access your company network.
  4. Think before you click: Hackers use phishing and other social engineering methods to target employees with legitimate-looking emails and social media messages. These can trick users into providing confidential data, such as usernames, passwords, credit card numbers, social security numbers, account numbers, etc. SLOW DOWN.
    Don’t click on links sent from an unknown or untrusted source. Resist the urge to click links in a suspicious email. You can hold your cursor over a link, and it will show you (in the bottom left corner of your screen) the website that it will go to if you click on it. If it’s an unknown or suspicious site, DO NOT click on it.
  5. Click the Image TO Download More Than 350 Cybersecurity AcronymsAntivirus with real-time scanning: Antivirus software detects the presence of malware on your computer. A dynamic scanning feature repeatedly checks for computer infiltration by a malicious threat. Always keep your antivirus up to date and active.
  6. Update programs, applications, and operating systems: Vulnerabilities in applications and operating systems are continually being found and exploited. Cybercriminals often use these vulnerabilities to exploit data and infiltrate devices and networks. Application vulnerabilities are a cybersecurity challenge of remote working. Make sure you are regularly performing updates as they are released.
  7. Use 2-Factor Authentication (2FA) or Multi-Factor Authentication (MFA): If you’re not using 2FA or MFA, you are NOT secure. You should use 2FA or MFA wherever it’s available. Your company should have this requirement in its policies and procedures.
  8. Use strong PINs/passwords on your devices: Strong passwords should contain a good mixture of upper/ lowercase letters, numbers, and symbols (or special characters). Passwords should also not be based on dictionary words and should contain at least twelve characters (the longer the better). Never use the same password for multiple accounts and use a password generator and a password manager.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: Work-From-Home Cybersecurity Tips and Best Practices Read More »

Cybersecurity Desk: What Should Heat Treaters Be Doing NOW?

/ CYBERSECURITY, FEATURED NEWS, MANUFACTURING HEAT TREAT, OP-ED
op-ed

This seventh article in the series from the Cybersecurity Desk  helps you determine if CMMC applies to your business, learn about what changes were made to CMMC 1.0., know what you should be doing NOW to prepare for CMMC 2.0., and more.

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s May 2023 Focus on Sustainable Heat Treat Technologies print edition.

Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Along with determining if CMMC (Cybersecurity Maturity Model Certification) applies to your business, this 7th article in the series from Heat Treat Today’s Cybersecurity Desk will give you a better understanding of what the certification is all about and the requirements to become certified. Also, we will cover the changes that were made to CMMC 1.0, the current status of CMMC’s proposed rule, and what you should be doing NOW to prepare for when the CMMC 2.0 rule is finally released.

What Is Changing in CMMC 2.0

In November 2021, the Department of Defense (DoD) announced a major update to the CMMC program. To safeguard sensitive national security information, the DoD launched CMMC 2.0, a comprehensive framework to protect the Defense Industrial Base’s (DIB’s) sensitive unclassified information from frequent and increasingly complex cyberattacks. Manufacturers or suppliers that handle sensitive or Controlled Unclassified Information (CUI) in any way or those within the DIB need to pay attention. CMMC 2.0 condenses the original 5 CMMC maturity levels into 3 levels, eliminating levels 2 and 4, and removing CMMC unique practices and all maturity processes. They have also revised the number of controls required for each of the three new levels. Level 1 includes 17 controls, Level 2 has 110 controls, and the total number of controls in Level 3 is still to be determined. There are also several other changes made that somewhat relax the requirements from CMMC 1.0.

Who Does CMMC Impact?

Manufacturers in the DIB are going to be held accountable to safeguard sensitive information and must comply with CMMC 2.0. Any contractor, subcontractor, supplier, or manufacturer that provides parts or services to the DoD or anyone within the DIB (no matter how minuscule) will need to comply with one of the three levels of CMMC compliance.

What Should Heat Treaters Be Doing Now?

Although CMMC 2.0 is still in the rulemaking phase, the new CMMC proposed rule is expected to be released sometime in mid-2023. This will give some much needed clarity on how to move forward and will help streamline the implementation of CMMC. Warnings will be issued to the DIB through DoD primes and will be passed down through the supply chain. Manufacturers that do not comply will be at risk of losing contracts.

If you (or your clients) are doing work for any DoD primes (or NASA), such as Raytheon, Lockheed Martin, McDonnell Douglas, Northrup Grumman, or L3Harris (and many more), then this applies to your business. If you are unsure, check the fine print in your contracts, and/or ask your clients about their requirements.

If you handle CUI in any way, you need to be at a CMMC Level 2 or Level 3. The most common level is Level 2. If you don’t handle CUI in any way, but you do handle FCI (Federal Contract Information), you will need to be certified at a Level 1.

On average, it can take a company of up to 100 employees between 12 to 18 months for NIST 800-171 (CMMC Level 2) implementation. Meaning, even though CMMC 2.0 is not completed yet, don’t wait until it is. You’re already a year behind if you haven’t started your NIST 800-171 implementations and you want to be ready for when the CMMC 2.0 rule is released

CMMC certification requires government oversight whereas NIST 800-171 compliance can be self-attested. You should always hire a qualified CMMC consultant to ensure that you’re “audit-ready” for your certification audit.

What’s the Difference Between FCI and CUI?

FCI is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service. CUI and FCI share important similarities and a particularly important distinction. Both CUI and FCI include information created or collected by or for the government, as well as information received from the government. However, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding and may also be subject to dissemination controls. In short: All CUI in possession of a government contractor is FCI, but not all FCI is CUI.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: What Should Heat Treaters Be Doing NOW? Read More »

Cybersecurity Desk: Have You Entered Your NIST 800-171 Self-Assessment Score into SPRS Yet?

/ CYBERSECURITY, FEATURED NEWS, OP-ED
op-ed

This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).

Today’s read is a feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s March 2023 Aerospace Heat Treating print edition.

Introduction

This sixth article in the series from the Cybersecurity Desk will give you a better understanding of how to submit your basic NIST 800-171 self-assessment score into SPRS (Supplier Performance Risk System).

Why Should You Do This?

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7020 is one of the three newly released clauses (after the original 252.204-7012) of the DFARS 252.204-70 series (7019, 7020, 7021) in November 2020. DFARS 252.204-7019 is the “Notice of NIST 800-171 DoD Assessment Requirements”; whereas DFARS 7020 consists of the requirements alone. DFARS 7020 requires you to submit your basic NIST 800-171 self-assessment score to SPRS. Contractors and service providers are to provide the government access to its facilities, systems, and personnel any time the Department of Defense (DoD) is renewing or conducting a Medium or High assessment.

Once your self-assessment score has been submitted and accepted into SPRS, you will be eligible to be awarded contracts. Your score must remain in SPRS throughout the duration of the contract(s). You’ll need to show that you are working towards full compliance.

If a self-assessment score submitted to SPRS is required in order to win a contract, and you don’t have a self-assessment score in the system because you don’t have CUI, does that mean you will lose the contract? Maybe.

The requirement for NIST SP 800-171 DoD self-assessment is being enforced whether or not you have CUI. So, it makes sense to get started on this ASAP to position your company for additional business. Plus, having better cybersecurity controls in place is definitely a business best-practice.

How To Submit Your Basic Self-Assessment Score to SPRS

There are two ways to submit your basic self-assessment score to SPRS.

Option 1: Using email to send the information. Submitting your self-assessment score via email to SPRS includes the following steps:

  • Get an accurate NIST 800-171 Self-Assessment and Score. Conduct the self-assessment and obtain your score using cybersecurity professionals that carefully follow the required DoD Assessment Methodology for NIST Special Publication (SP) 800-171A.
  • Identify your SPRS “Scope of Assessment.” Your SPRS score submission will fall into one of three categories: Enterprise, Enclave, or Contracts.
  • Determine your expected completion date. The “Plan of Action Completion Date” must be determined according to your compliance project timelines.
  • Find your commercial and government entity CAGE codes. Your CAGE codes represent the part(s) of your organization included in the assessment and represented in the final System Security Plan (SSP) document.
  • Provide a brief description of the SSP format and system architecture.
  • Submit your self-assessment score to SPRS. To submit your score, send an email (optionally encrypted and signed) to webptsmh@navy.mil with the subject line “SPRS Self-Assessment Score Submission” in the exact format specified below:
    • Assessment date
    • Assessment score
    • Scope of assessment
    • Plan of action completion date
    • Included CAGE(s) codes
    • Name of System Security Plan (SSP) assessed
    • SSP version/revision
    • SSP date
    • Wait for email confirmation

Option 2: Using the PIEE (Procurement Integrated Enterprise Environment). 

Register a PIEE account at https://piee.eb.mil/. Once your business is registered, choose the SPRS link and follow all instructions. You will need to provide all the same information as shown in Option 1.

Funding & Cost Sharing May Be Available for Heat Treaters

With the huge push for stricter cybersecurity practices by the government and many businesses, cost sharing and funding sources have been identified that may cover a substantial percentage of the costs associated with these critical cybersecurity projects. Every state has at least one MEP (Manufacturing Extension Partnership). Many states are more than willing to help out with the cost of implementation.

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: Have You Entered Your NIST 800-171 Self-Assessment Score into SPRS Yet? Read More »

Cybersecurity Desk: Performing Your Basic & Final NIST SP 800-171 Self-Assessments

/ CYBERSECURITY, FEATURED NEWS, OP-ED
op-ed

For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.

Today’s read is a Cybersecurity Desk feature written by Joe Coleman, cybersecurity officer at Bluestreak Consulting™. This column is in Heat Treat Today’s February 2022 Air & Atmosphere Furnace Systems print edition.

Introduction

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

Do you have plans to perform your NIST SP 800-171 self-assessment, but need more clarity about what’s involved? DFARS 252.204-7012 and the DFARS Interim Rule, including DFARS 252.204-7019, state that all DoD contractors in the Defense Industrial Base (DIB) that process, store, and/or transmit CUI (Controlled Unclassified Information) and want to be eligible for any contract award must complete a self-assessment (or basic assessment) using the DoD’s NIST SP 800-171 Assessment Methodology and generate a points-based score. This score will then be uploaded into the Supplier Performance Risk System (SPRS). At the time of contract award for a DoD contract containing the new 7019 clause, a DoD contracting officer will verify that a score has been uploaded to the SPRS.

For any heat treater interested in getting these high-security contracts, review the following steps that will help you successfully complete your basic and final self-assessment.

Identifying and Defining Your Organization’s CUI

Your NIST 800-171 basic self-assessment should start by identifying CUI sources and flows and mapping them within your organization’s IT systems. Organizations need to understand that CUI is an information category that includes Covered Defense Information (CDI) and Controlled Technical Information (CTI).

Define the Scope of the Self-Assessment

When finished identifying all CUI, you’re ready to scope the environment. To scope the environment correctly, first, determine what systems, applications, and business procedures that process, store, or transmit CUI. Second, define details of how data moves through your network.

NIST 800-171 Self-Assessment Procedure

You can find the self-assessment procedure for all compliance requirements in NIST SP 800-171A. Basically, a self-assessment is performed evaluating all 320 assessment/control objectives. Assessment/control objectives include the determination statements related to a particular security requirement. The 320 assessment/control objectives are divided among 110 separate controls which are included in 14 different control families.

Self-assessment methods include:

  • Examining: reviewing, inspecting, observing, or analyzing assessment objects
  • Interviewing: discussing with individuals to facilitate understanding, clarification, or gather evidence
  • Testing: confirming that assessment objects under specified conditions are met

Organizations are not expected to use all assessment methods and objects in NIST 800-171A. Instead, they have the freedom to determine which methods and objects are best for them to get the desired results.

Must Have a System Security Plan (SSP)

One of the most important requirements for a successful self-assessment is having a System Security Plan (SSP). Not having an SSP is a definite obstacle.

The SSP describes the system boundaries, how the IT system operates, how the security requirements are implemented, and the relationships with, or connections to other systems. It also includes information on security requirements.

Plan of Action & Milestones (POA&M)

To best protect CUI, organizations need to implement the CUI security requirements to the fullest extent possible. But, when some of the requirements are not completely implemented, a POA&M must be generated. The POA&M includes the tasks needed to resolve deficiencies, along with the resources and timelines required.

The purpose of the POA&M is to identify, assess, prioritize, and monitor the progress of corrective actions, allowing the organization to achieve the desired assessment score.

Next month we will discuss: “Submitting Your Basic Self-Assessment Score(s) To The SPRS.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

Cybersecurity Desk: Performing Your Basic & Final NIST SP 800-171 Self-Assessments Read More »

Cybersecurity Best Practices: Dos and Don’ts

/ CYBERSECURITY, FEATURED NEWS, OP-ED

op-edCybercrime is hands-down one of the quickest growing crimes around the globe and it continues to impact organizations from all industries. Being protected from cyber-attacks is becoming more and more challenging. While cyber criminals are constantly looking for ways to take advantage of your security vulnerabilities, it’s very difficult for most organizations to keep up with them.

This fourth article in the serieswritten by Joe Coleman, cybersecurity officer at Bluestreak Consulting™, will give you a better understanding of some general cybersecurity best practices for all businesses, and a few tips for what you should and shouldn’t do.

This column is found in Heat Treat Today's December 2022 Medical and Energy print edition.

Joe Coleman
Cybersecurity Officer
Bluestreak Consulting™
Source: Bluestreak Consulting™

What Are the Risks of Having Poor Cybersecurity?

It’s difficult to remain 100% protected 100% of the time, but the risks from failing to have proper cybersecurity are hefty. The risks include: malware that can delete your entire system; the selling of your data or your customers’ data; an attacker hacking your system and altering files; an attacker using your computer to attack others; or an attacker stealing your credit card information and making unauthorized purchases.

12 Best Practices To Reduce the Chance of Cyberattacks

Follow these cybersecurity best practices to minimize the risks of cyberattacks and improve your cybersecurity:

  1. Use complex passwords: Use at least 12 to 16 characters, including letters (upper and lower case), numbers, and special characters. Remember to change your passwords frequently.
  2. Keep software up to date, including antivirus and antimalware: Install software patches as soon as they become available. Also, be sure to enable automatic virus definition updates to ensure maximum protection against the latest threats.
  3. Utilize a firewall: Firewalls may be able to prevent some types of attacks by blocking malicious code before it can infect your computer. Enable and properly configure the firewall as specified.
  4. Enable Multi-Factor Authentication (MFA) or 2-Factor Authentication (2FA): This gives you an additional layer of protection that helps to verify that you are an authorized user.
  5. Be suspicious of unexpected emails: Phishing emails are currently one of the biggest risks to a user. The goal of a phishing email is to gain information about you, steal money from you, or install malware on your device (if you click on something in the email).

  6. Click the Image TO Download More Than 350 Cybersecurity Acronyms

    Use VPNs to ensure connections are private: To have a more secure and private network connection, use a VPN (virtual private network). Your connection will be encrypted, and your private information protected.

  7. Look for HTTPS on websites (instead of just HTTP): On websites that do not use HTTPS, there’s no guarantee that the information between you and the site’s servers is secure.
  8. Scan external storage devices: External storage devices have the same risk as internal storage devices. Always scan external storage devices for malware before accessing them.
  9. Train your employees: If your cybersecurity program has any chance of working, make sure your employees are well trained and always using security best practices. It only takes one mistake. Educate your staff to be aware and on the lookout for different types of malicious social engineering (including a simple phone call asking for a username and/or password).
  10. Backup your important data: Critical data can be lost with security attacks. Make sure you backup your important data frequently to the cloud or local storage device (preferably multiple devices).
  11. Don’t use public networks: Avoid public networks or use a VPN to connect. All of your information is vulnerable on public networks at hotels, coffee shops, airports, and other similar locations.
  12. Use secure file-sharing to encrypt data: When sharing sensitive or confidential information, always use a secure file-sharing solution. If emails are intercepted, unauthorized users will have access to your data.

Improve Your Cybersecurity Weaknesses

NIST SP 800-171 is an excellent best practice, even if you are not in the DoD downstream or military-related supply chain, to ensure your data and your customer’s data is always secure.

My fifth article in this Cybersecurity Desk series will be: “Performing Your Basic & Your Final NIST 800-171 Assessments.”

About the Author:

Joe Coleman is the cybersecurity officer at Bluestreak Consulting™, which is a division of Bluestreak | Bright AM™. Joe has over 35 years of diverse manufacturing and engineering experience. His background includes extensive training in cybersecurity, a career as a machinist, machining manager, and an early additive manufacturing (AM) pioneer. Joe will be speaking at the Furnaces North America (FNA 2022) convention, presenting on DFARS, NIST 800-171, and CMMC 2.0. Contact Joe at joe.coleman@go-throughput.com.

Find heat treating products and services when you search on Heat Treat Buyers Guide.com

 

Cybersecurity Best Practices: Dos and Don’ts Read More »