MRL Deskbook Includes Cybersecurity Criteria
EP Editorial Staff | June 1, 2023
By Laura Elan, MxD
Attention manufacturers! The Department of Defense has released a new set of cybersecurity criteria to help manufacturers assess network and equipment security on their shop floors. The Manufacturing Readiness Levels (MRLs), guidelines that manufacturers use to assess processes and risks ahead of full-scale production, now include these cybersecurity criteria.
In its latest Manufacturing Readiness Level Deskbook (dodmrl.com), the DoD added a four-page appendix on operational technology (OT) cybersecurity. The appendix outlines the growing cybersecurity threats that manufacturers face and lists ways to help safeguard factory floors.
“Malicious actors have increasingly targeted the manufacturing industrial base with software attacks that could disrupt manufacturing operations and degrade the quality of the products being produced without being detected,” the Deskbook reports. “Therefore, manufacturing readiness must include the protection of shop floor computer networks and equipment.”
“Adding that cyber component to the MRLs was critical,” said MxD Chief Technology Officer Federico Sciammarella. “As we incorporate more and more digital technology into manufacturing, there has to be some basic level of cyber-maturity to avoid increasing risk.”
Used commonly in industries including defense, aerospace, automotive, and medical devices, MRLs provide a blueprint that takes a new product through 10 levels, starting at experimental phases and moving to fully vetted, final production stages.
Organizations can assess readiness at each level, evaluating factors including design, manufacturing process, cost, and supply chain. These assessments are used on a range of projects, Sciammarella said, particularly in the development of complex products.
MRL assessments using the new criteria “are not intended to be detailed cybersecurity audits. Instead, the purpose is to ask simple, fundamental questions to assess whether OT cybersecurity has been considered by the organization and determine whether or not basic, common-sense controls have been implemented.”
“The end goal is to identify risks or major potential gaps in OT protection.” The book also notes that flexibility is crucial as “manufacturing SMEs who are conducting MRL Assessments are not expected to be cybersecurity experts.”
The DoD provides definitions of OT equipment, directing users to the National Institute of Standards and Technology (NIST) Special Publication 800-37. For more information on Industrial Control Systems Security, manufacturers can also reference NIST SP 800-82.
The Deskbook lists ways to mitigate OT cybersecurity risks including:
• Address cybersecurity throughout the MRL process, from manufacturing concept development through full-rate-production (FRP) manufacturing capability.
• Implement a network topology for information technology (IT) and OT networks that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.
• Provide logical separation between corporate and IT and OT networks.
• Employ a DMZ [or demilitarized zone] network architecture, i.e., prevent direct traffic between the corporate and IT and OT networks of the manufacturing environment.
• Ensure that critical components, such as those of a process control system (PCS), are on redundant networks.
• Consider protecting manufacturing process-related data, including recipes, configuration control information, test parameters, and results.
• Where possible, use operator authentication on OT equipment.
Laura Élan is Senior Director of Cybersecurity for MxD Cyber: The National Center for Cybersecurity in Manufacturing, Chicago (mxdusa.org). Elan supports MxD’s cybersecurity projects and initiatives and leads the company’s Cybersecurity Steering Committee.