Select a Center

Arizona State University
Boise State University
Case Western Reserve University
Clemson University
Colorado State University
Georgia Institute of Technology
Indiana University-Purdue University
Lehigh University
Louisiana State University
North Carolina State
Oklahoma State University
Oregon State University
San Diego State University
San Francisco State University
Syracuse University
Tennessee Technological University
Texas A&M, College Station
University of Alabama
University of Dayton
University of Delaware
University of Florida
University of Illinois, Chicago
University of Kentucky
University of Massachusetts
University of Miami
University of Missouri-Columbia
University of Nebraska–Lincoln
University of Texas Rio Grande Valley
University of Utah
University of Wisconsin, Milwaukee
West Virginia University
IAC logo
IAC Cybersecurity Resources
Sponsored by:
EERE AMO
IAC logo
IAC Cybersecurity Resources

As systems to control energy-using manufacturing equipment become more connected to the internet, it is important for plant operations staff to have an understanding of cybersecurity risks and to coordinate risk management activities within their organization.

Small businesses may not consider themselves targets for cyber-attacks. However, they have valuable information cyber criminals seek, such as employee and customer records, bank account information, and access to larger networks. They can be at a higher risk for cybersecurity attack because they have fewer resources dedicated to cybersecurity.

By addressing risk areas, you can protect your business from damage to information or systems, intellectual property theft, regulatory fines/penalties, decreased productivity, or a loss of trust with customers.

IAC Cybersecurity Assessments

Industrial Assessment Centers work with manufacturing clients to increase awareness of cybersecurity risks and potential mitigation activities. As part of facility site visits, IAC clients may elect to receive cybersecurity risk assessments to identify security and privacy deficiencies to the business infrastructure, with a focus on vulnerabilities associated with industrial controls systems.

The IAC Industrial Control Systems Cybersecurity Assessment Tool includes 20 simple questions to characterize industrial controls systems and plant operations. The tool then provides a high level assessment of risk (high, medium, or low). The companion User Guide provides additional context for the questions included in the tool, to help clients understand how certain business practices lead to cybersecurity risk. Upon conclusion of the assessment, the tool generates a customized list of action items associated with the risks identified. For additional guidance, IACs refer clients to additional technical resource materials available through the NIST Manufacturing Extension Partnership (MEP) and other organizations.

IAC Industrial Control Systems Cybersecurity Assessment Tool

Download Asssessment Tool Download User Guide

Cybersecurity Fundamentals for Small and Medium Sized Manufacturers

Most plant operations managers are not cybersecurity experts, but can benefit from a basic understanding of cybersecurity risks and mitigation activities. A guidance document provided by NIST, NIST Small Business Information Security: The Fundamentals, provides a thorough and easily readable overview of cybersecurity basics.

As a first step, organizations need to understand their cybersecurity risks, to determine where the organization is vulnerable and may be subject to disruption of systems and processes. Organizations can use helpful checklists from the NIST document, or other cybersecurity assessment tools, to conduct the following activities:

  • Identify what information your business stores and uses
  • Determine the value of your information
  • Develop an inventory of technologies used to store and process information
  • Understand your threats and vulnerabilities

Once risks are understood, organizations can determine appropriate mitigation activities. Example activities are shown below, grouped into the five broad categories of the NIST Cybersecurity Framework:

IDENTIFY

Identify and control who has access to your business information
Conduct background checks
Require individual user accounts for each employee
Create policies and procedures for information security

PROTECT

Limit employee access to data and information
Install surge protectors and uninterruptible power supplies (UPS)
Patch your operating systems and applications
Install and activate software and hardware firewalls on all your business networks
Secure your wireless access point and networks
Set up web and email filters
Use encryption for sensitive business information
Dispose of old computers and media safely
Train your employees

DETECT

Install and update anti-virus, -spyware, and other –malware programs
Maintain and monitor logs

RESPOND

Develop a plan for disasters and information security incidents

RECOVER

Make full backups of important business data/information
Make incremental backups of important business data/information
Consider cyber insurance
Make improvements to processes/procedures/technologies

Additional Cybersecurity Assessment Tools

Once an organization has a basic understanding of cybersecurity risks and vulnerabilities, a more detailed assessment can be used to determine mitigation actions and security controls. Some of the common tools used to perform assessments are listed below. The CSET tool is one of the more comprehensive tools available for small and medium-sized manufacturers. Organizations can explore resources available to help conduct assessments (e.g., IACs, MEPs, third party vendors).

Additional Resources

National Institutes for Standards and Technology Manufacturing Extension Partnership (MEP)
Provides cybersecurity resources for small manufacturers, based on the NIST Cybersecurity Framework
Department of Homeland Security National Cybersecurity and Communications Integration Center (NCIC)
Provides resources focused on industrial controls systems
Department of Homeland Security Stop. Think. Connect. Campaign Federal Communications Commission Industry and University Cybersecurity Studies