As systems to control energy-using manufacturing equipment become more connected to the internet, it is important for plant operations staff to have an understanding of cybersecurity risks and to coordinate risk management activities within their organization.

Small businesses may not consider themselves targets for cyber-attacks. However, they hold valuable information that cyber criminals seek, such as employee and customer records, bank account information, and access to larger networks. Small businesses can also be at higher risk of cyber-attack because they have fewer resources dedicated to cybersecurity.

By addressing risk areas, you can protect your business from damage to information or systems, intellectual property theft, regulatory fines/penalties, decreased productivity, or a loss of trust with customers.

IAC Cybersecurity Assessments

Industrial Assessment Centers work with manufacturing clients to increase awareness of cybersecurity risks and potential mitigation activities. As part of facility site visits, IAC clients may elect to receive cybersecurity risk assessments to identify security and privacy deficiencies in the business infrastructure, with a focus on vulnerabilities associated with industrial control systems.

The IAC Industrial Control Systems Cybersecurity Assessment Tool includes 20 simple questions to characterize industrial control systems and plant operations. The tool then provides a high-level assessment of risk (high, medium, or low). The companion User Guide provides additional context for the questions included in the tool, to help clients understand how certain business practices lead to cybersecurity risk. Upon conclusion of the assessment, the tool generates a customized list of action items associated with the risks identified. For further guidance, IACs refer clients to technical resource materials available through the NIST Manufacturing Extension Partnership (MEP) and other organizations.

Cybersecurity Fundamentals for Small and Medium Sized Manufacturers

Most plant operations managers are not cybersecurity experts, but can benefit from a basic understanding of cybersecurity risks and mitigation activities. A guidance document provided by NIST, NIST Small Business Information Security: The Fundamentals, provides a thorough and easily readable overview of cybersecurity basics.

As a first step, organizations need to understand their cybersecurity risks, to determine where the organization is vulnerable and may be subject to disruption of systems and processes. Organizations can use helpful checklists from the NIST document, or other cybersecurity assessment tools, to conduct the following activities:

  • Identify what information your business stores and uses
  • Determine the value of your information
  • Develop an inventory of technologies used to store and process information
  • Understand your threats and vulnerabilities

Once risks are understood, organizations can determine appropriate mitigation activities. Example activities are shown below, grouped into the five broad categories of the NIST Cybersecurity Framework:

IDENTIFY

  • Identify and control who has access to your business information
  • Conduct background checks
  • Require individual user accounts for each employee
  • Create policies and procedures for information security

PROTECT

  • Limit employee access to data and information
  • Install surge protectors and uninterruptible power supplies (UPS)
  • Patch your operating systems and applications
  • Install and activate software and hardware firewalls on all your business networks
  • Secure your wireless access point and networks
  • Set up web and email filters
  • Use encryption for sensitive business information
  • Dispose of old computers and media safely
  • Train your employees

DETECT

  • Install and update anti-virus, anti-spyware, and other anti-malware programs
  • Maintain and monitor logs

RESPOND

  • Develop a plan for disasters and information security incidents

RECOVER

  • Make full backups of important business data/information
  • Make incremental backups of important business data/information
  • Consider cyber insurance
  • Make improvements to processes/procedures/technologies

Additional Cybersecurity Assessment Tools

Once an organization has a basic understanding of cybersecurity risks and vulnerabilities, a more detailed assessment can be used to determine mitigation actions and security controls. Some of the common tools used to perform assessments are listed below. The CSET tool is one of the more comprehensive tools available for small and medium-sized manufacturers. Organizations can explore resources available to help conduct assessments (e.g., IACs, MEPs, third-party vendors).

Additional Resources

  • National Institute of Standards and Technology Manufacturing Extension Partnership (MEP): Provides cybersecurity resources for small manufacturers, based on the NIST Cybersecurity Framework
  • Department of Homeland Security National Cybersecurity and Communications Integration Center (NCCIC): Provides resources focused on industrial control systems
  • Department of Homeland Security Stop. Think. Connect. Campaign
  • Federal Communications Commission
  • Industry and University Cybersecurity Studies