‘Critical’ Cyber Criteria Added to Manufacturing Readiness Levels

‘Critical’ Cyber Criteria Added to Manufacturing Readiness Levels

Manufacturing Readiness Levels (MRLs), which are guidelines that manufacturers use to assess processes and risks ahead of full-scale production, now include a new criteria: cybersecurity.

In its latest Manufacturing Readiness Level Deskbook, the Department of Defense (DoD), which collaborated with industry partners to create the widely used guidelines, added a four-page appendix on operational technology (OT) cybersecurity. It outlines the growing cybersecurity threats that manufacturers face and lists ways to help safeguard factory floors.

“Malicious actors have increasingly targeted the manufacturing industrial base with software attacks that could disrupt manufacturing operations and degrade the quality of the products being produced without being detected,” the Deskbook says. “Therefore, manufacturing readiness must include the protection of shop floor computer networks and equipment.”

MxD is a member of the Joint Service/Industry MRL Working Group that worked with the DoD to develop the new cybersecurity criteria.  

“Adding that cyber component to the MRLs was critical,” said MxD Chief Technology Officer Federico Sciammarella. “As we incorporate more and more digital technology into manufacturing, there has to be some basic level of cybermaturity to avoid increasing risk.”

Used commonly in industries including defense, aerospace, automotive, and medical devices, MRLs provide a blueprint that takes a new product through 10 levels, starting at experimental phases and moving to fully vetted, final production stages. 

Organizations can assess readiness at each level, evaluating factors including design, manufacturing process, cost, and supply chain. These assessments are used on a range of projects, Sciammarella said, particularly in the development of complex products such as a new jet fighter or tank. 

In the Deskbook, the DoD says that MRL assessments using the new criteria “are not intended to be detailed cybersecurity audits. Instead, the purpose is to ask simple, fundamental questions to assess whether or not OT cybersecurity has been considered by the organization and determine whether or not basic, common-sense controls have been implemented.”

“The end goal,” the Deskbook says, “is to identify risks or major potential gaps in OT protection.”

It also says that flexibility is crucial as “manufacturing SMEs who are conducting MRL Assessments are not expected to be cybersecurity experts.”

The DoD provides definitions of OT equipment, directing users to the National Institute of Standards and Technology (NIST) Special Publication 800-37. For more information on Industrial Control Systems Security, manufacturers can also reference the NIST SP 800-82

And the Deskbook lists ways to mitigate OT cybersecurity risks including: 

  • Address cybersecurity throughout the MRL process, starting with manufacturing concept development to full-rate-production (FRP) manufacturing capability.
  • Implement a network topology for information technology (IT) and OT networks that have multiple layers, with the most critical communications occurring in the most secure and reliable layer.
  • Provide logical separation between corporate and IT and OT networks.
  • Employ a DMZ [or demilitarized zone] network architecture (i.e., prevent direct traffic between the corporate and IT and OT networks of the manufacturing environment).
  • Ensure that critical components, such as those of a process control system (PCS) are on redundant networks.
  • Consider protecting manufacturing process-related data, including recipes, configuration control information, test parameters, and results. (This may be a counterintelligence challenge.)
  • Where possible, use operator authentication on OT equipment.

For more on the latest in cybersecurity news and tools, visit the MxD Cyber Resource Hub.