New cybersecurity compliance a potential boon for local manufacturing firms

Jayme Rahz, CEO of precision parts maker Midway Swiss Turn, admits that company leadership may have been a little naïve at first when considering its cybersecurity protections.

While the Wooster manufacturing business had basic backups safeguarding its network, a recent push to achieve the next level of protection revealed just how deep the rabbit hole goes.

“We’ve been learning about all the dangers and how aggressive cybersecurity crooks are to take data,” says Rahz. “They target small- and medium-sized businesses because they are vulnerable. It was a real eye-opener for us.”

Midway, an 11-person shop that builds components for a broad range of industries, is about halfway through its efforts to achieve Cybersecurity Maturity Model Certification (CMMC). Driven by the Department of Defense (DoD), the accreditation clears companies to handle sensitive data when performing work for the U.S. government.

Although the business already works on its share of government projects, Midway officials recognized a competitive advantage over similarly sized companies unwilling or unable to take the next cybersecurity step, says Rahz, whose business is getting vital guidance from local experts like Cleveland’s Manufacturing Advocacy and Growth Network (MAGNET).

The industry support group is currently navigating the shop along its accreditation path, including providing funding connections for the costly CMMC integration process.

“The scope of the program means there would be many companies that wouldn’t go for compliance,” Rahz says. “Our hope is to pick up more government contracts. If we can go from 10%-12% to more like 35%, that would be pretty big growth for us.”

Heading in the right direction

Manufacturing firms busy meeting their bottom line may have one critical question—what is CMMC?

Put simply, CMMC is a unified standard for implementing cybersecurity across the defense industrial base. Per DoD guidelines, the certification “provides the Department increased assurance that contractors and subcontractors are meeting the cybersecurity requirements that apply to acquisition programs and systems that process controlled unclassified information.”

In 2021, the DoD introduced CMMC 2.0, a revised version of its original standard. The new designation includes audits for handling classified data, which Midway will be doing more of upon completing certification.

The pandemic introduced Midway to CMMC, notes CEO Rahz. During state-mandated lockdowns, the business needed new inroads into government work while also pursuing protections for its recently cloud-migrated network.

The lack of an established IT staff had Midway seeking outside advice. Enter MAGNET, which is shepherding the company through key CMMC implementation steps. Additionally, the organization introduced Midway to Cleveland-based Vestige Digital Investigations, a firm specializing in cybersecurity and digital forensic services.

“MAGNET is making sure we’re headed in the right direction,” says Rahz. “This program is so new, and we are a small company. Without help, this work would be overwhelming for a smaller shop.”

‘Start yesterday’

Though headlines about major cyberattacks are not top-of-mind for many manufacturers, these firms are far from under the radar for savvy hackers, says Ethan Karp, president and CEO of MAGNET.

Karp points to ransomware—malware used to literally hold a company’s data or devices for ransom—as a particular pain point for producers of all sizes.

Ransomware is a major threat to the manufacturing industry from criminals targeting operational systems. As manufacturers can’t afford long shutdowns, they are more likely to acquiesce to hacker demands and pay large sums of bitcoin in exchange for getting their networks back. Karp says a lack of robust cybersecurity protections makes the industry even more of a tempting mark for opportunistic wrongdoers.

“The simplest attack that takes your system down can have a huge impact,” says Karp. “Companies won’t know their orders or how to schedule them. [Hackers] don’t need any complicated system knowledge—they will just shut you down and lock you out.”

Every company has an operating system containing contract data, customer information and other foundational materials. These enterprise resource planning (ERP) networks are vulnerable to breaches, with hackers focusing mainly on disruption of supply chain production systems.

Hardening and shielding these systems is a must for any firm looking to do business with the DoD, says MAGNET vice president of operations Michael O’Donnell. As cyber hygiene is embedded into CMMC compliance measures, it is imperative to educate employees about faulty links and emails. These messages have evolved from typical “Nigerian prince” scams to detailed impersonations of a company’s banks or clients.

“People will click on a link and get their system shut down,” O’Donnell says. “But companies think this will never happen to them.”

MAGNET has worked with more than two dozen companies to ensure they are CMMC compliant. Officials keen on making a change cannot just task their IT team to implement certification, says O’Donnell. Rather, upper management should be the driving force for an accreditation that will fundamentally change how data flows through their operation.

Understanding your vendor and customer base is another step for manufacturers considering a system swap. That is because partner companies that don’t use CMMC will shut your shop out of DoD work. By the same token, businesses must determine how much work would be lost if they choose to forgo CMMC, Karp says.

“If the FBI can’t scare you enough [about cybersecurity], the only thing that will make a difference is if a customer tells you (about CMMC requirements),” he says.

Rahz of Midway believes all manufacturing companies mulling the certification should begin the process immediately.  

“It’s a ‘start yesterday’ kind of thing,” Rahz says. “Lots of companies have DoD work coming through, so this certification is going to change the landscape along the supply chain much more than people think.”

Douglas J. Guth

About the Author: Douglas J. Guth

Douglas J. Guth is a Cleveland Heights-based freelance writer and journalist. In addition to being senior contributing editor at FreshWater, his work has been published by Midwest Energy News, Kaleidoscope Magazine and Think, the alumni publication of Case Western Reserve University. A die-hard Cleveland sports fan, he also writes for the cynically named (yet humorously written) blog Cleveland Sports Torture. At FreshWater, he contributes regularly to the news and features departments, as well as works on regular sponsored series features.