Episode Show Notes
Episode 1 features Spearhead TEI President Dr. Tony Lopez. Tony explains what ransomware is and how it works, the types of ransomware that exist and possible entry points, what happens when a company falls victim to a ransomware attack, and what practices SMMs should consider implementing to prevent attacks.
Dr. Tony Lopez is President of Spearhead Training Enterprises, Inc. and works with Defense Industrial Base Companies in the San Diego area to help train them on the latest DoD and Federal Cyber Security requirements. He is one of the lead creators and an instructor of the Cyber Security Resilience Online Laboratories and DoD Cyber Requirements Executive and Management Training Course. Prior to starting Spearhead, Dr. Lopez was the Vice President of Information Systems and the Chief Information Security Officer at INDUS Technology, Inc. and was responsible for the development and implementation of both the Company’s NIST 800-171 and Internal Threat Program. Dr. Lopez has firsthand knowledge of the NIST 800-171 R 2, DFARS 7010, 7012, 7019, 7020, 7021, and the Cybersecurity Maturity Model Certification (CMMC) requirements and what it takes to meet those requirements. Dr. Lopez chaired a NIST 800-171 Small Business Task Force to study the impact of NIST 800-171 R 1 and DFARS 7012 on small business, conducted by the San Diego NDIA Chapter. This Task Force conducted a research study and published a final paper discussing the impact of Cyber Security requirements on small business. Dr. Lopez has spent over 30 years working in the Defense Industry and for Federal Agencies, 16 of those years as Director of Information Systems at INDUS Technology and later as Vice President of IS and CISO. Other recent experience includes Director of Instructional Systems and Technology at the Navy Center for Information Technology and Program Manager of NASA's SOLAR e-Learning Program. Dr. Lopez’s education includes a bachelor’s degree from Cal State San Luis Obispo in Mechanical Engineering, a master’s degree in Business Administration from University of Phoenix, and a Ph.D. from Cal Southern University in Business Administration with concentration in Computer Science.
00:00:00 - Introductions
00:02:03 - Definition of ransomware and how it works
00:04:56 - What happens when a company falls victim to a ransomware attack
00:06:13 - Why a hacker may target SMMs
00:07:44 - Discussion of recent attack and method of access to system
00:10:10 - Requirement for reporting attack
00:12:04 - Which systems, devices, and applications are at risk
00:14:49 - Impact on business following an attack
00:15:54 - Types of ransomware and possible entry points
00:22:22 - How hackers decide which company to target
00:24:11 - What practices to implement to prevent attacks
00:34:07 - Importance of proper insurance
00:38:33 - Simple things to implement for planning, simulating, and testing level of security
00:41:30 - How some prevention steps relate to NIST cybersecurity framework
00:44:39 - What to do if a ransomware attack occurs
00:47:51 - What not to do
00:50:38 - How one company changed following an attack
Gregg Profozich [00:00:02] In the world of manufacturing change is the only constant. How are small and medium-sized manufacturers, SMMs, to keep up with new technologies, regulations, and other important shifts let alone leverage them to become leaders in their industries? Shifting Gears, a podcast from CMTC, highlights leaders from the modern world of manufacturing, from SMMs to consultants to industry experts. Each quarter we go deep into topics pertinent to both operating a manufacturing firm and the industry as a whole. Join us to hear about manufacturing sectors' latest trends, groundbreaking technologies, and expert insights to help SMMs in California set themselves apart in this exciting modern world of innovation and change. I'm Gregg Profozich, Director of Advanced Manufacturing Technologies at CMTC. I'd like to welcome you. In this episode, I’m joined by Dr. Tony Lopez, President of Spearhead TEI. Tony explains what ransomware is and how it works, the types of ransomware that exist and possible entry points, what happens when a company falls victim to a ransomware attack, and what practices SMMs should consider implementing to prevent attacks.
Welcome, Tony. It's great to have you here today.
Tony Lopez [00:01:08] Gregg, it's great to be here with you today.
Gregg Profozich [00:01:12] Tony, please take a minute and tell me and our listeners just a little bit about yourself.
Tony Lopez [00:01:16] I have been in the information systems business for at least 20 years now. I actually started working for DOD over 30 years ago and eventually ended up getting a Ph.D. in computer science, which is what led me into information systems and, of course, security. But I come with quite a bit of experience in actually helping companies meet requirements for being a DOD contractor to be able to do work with the government and help them get all of their NIST requirements done, and also as part of that became the developer of a course that we're now providing to help other contractors meet the requirements.
Gregg Profozich [00:01:56] Excellent. Well, thank you. I'm really excited about our conversation today. I'm looking forward to hearing your perspectives and your insights. We're here to talk today in general about cybersecurity but in particular about what manufacturers need to know about ransomware and recovery. In a recent internet search I did for ransomware statistics 2021, I found the following statistics from a number of sources, and they're quite sobering:
- Ransomware remains the most prominent malware threat. (Datto, 2019)
- Malicious emails are up 600% due to COVID-19. (ABC News, 2021)
- There is a company hit by ransomware every 11 seconds. (Cloudwards, 2021)
- The United States is the most targeted country, with 54.9% of victims. (Cognyte, 2021)
- 37% of respondents’ organizations were affected by ransomware attacks in the last year. (Sophos, 2021)
- The top industry being targeted is manufacturing. (Cognyte, 2021)
- The average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. (National Security Institute, 2021)
- The average downtime a company experiences after a ransomware attack is 21 days. (Coveware, 2021)
- From a survey conducted with 1,263 companies, 80% of victims who submitted a ransom payment experienced another attack soon after, and 46% got access to their data but most of it was corrupted. (Cybereason, 2021)
- 29% of respondents stated their companies were forced to remove jobs following a ransomware attack. (Cybereason, 2021)
Those are some staggering, sobering statistics. Ransomware is clearly a threat. What we'll be discussing today is absolutely critical information that manufacturers need to know. To make sure we're on the same page, Tony, what exactly is ransomware, and how does it work?
Tony Lopez [00:03:32] Well, essentially, ransomware is malware that infects a system and encrypts all of the files within that system or within that device, and it essentially just renders everything useless. You're not able to either access the information or work with that information, primarily because it's been encrypted. But typically, these malicious actors is what I call them, then will demand some form of a ransom from the company or the organization in exchange for giving you the decryption key to release the information. It's interesting because you just gave some great statistics about all that is going on. But incidents of ransomware and malware have increased substantially and really are tending to be a lot more prevalent today among nation-states, local, tribal, and even territorial governments. But the bottom line is that manufacturers, small businesses, are being targeted over and over again. Just these ransomware incidents can really, really impact a small business or any company, any organization's ability to conduct business.
Gregg Profozich [00:04:49] From your direct experience, how big is the ransomware problem, and what are the realities of what happens to a company when it falls victim to a ransomware attack?
Tony Lopez [00:04:58] Well, just to give you some examples, in 2019 there was this barrage of ransomware attacks that took place. I'm going to quote some statistics here. Over 948 government agencies, educational institutions, and health care providers were impacted. We're talking here in the vicinity of about $7.5 billion. It's a substantial problem. A lot of multinational manufacturers have also been hit to the tune of almost $176 million responding to some of these attacks. It's not just limited to small companies; it's across the board. But I think important to note is that in 2020 organized gangs... Because that's what we're seeing today. It's not just nation-state governments that are perpetrating the attacks. These are criminal gangs that are going out and getting into company systems and attacking those systems. But they got away with over $350 million in ransom payments in 2020 alone. It's a substantial problem.
Gregg Profozich [00:06:06] Wow. Those are some huge numbers. Help me understand. Why would a hacker target a small- to medium-sized manufacturer for a ransomware attack? What's the rationale there?
Tony Lopez [00:06:17] Well, I think it's the easiest target, the path of least resistance if you will. If you attack a small company, in all probability that small company is going to have very low defenses; it's not going to be well protected; they're not going to have the personnel to handle it. What will happen is they're going to lose their ability to conduct business, but more importantly it's a step to the bigger fish. That's exactly what it is. What they're doing is they're going through the small companies to get to the bigger primes. This is especially the problem for the defense industrial base, where a lot of these small manufacturers are working for large prime contractors. They're providing support and services and have direct ties from a communication standpoint with those organizations.
Gregg Profozich [00:07:05] Okay. The small manufacturer can be seen as the open door to the OEM.
Tony Lopez [00:07:10] That's a great way to describe it. Yeah.
Gregg Profozich [00:07:13] I'm a small manufacturer. I've got your drawings, because I'm doing parts, and my systems are integrated with yours for passing information back and forth, be it supply chain production numbers, design drawings, et cetera. If you can get into my organization and then travel through that open door into the larger company, you can run the gamut inside them.
Tony Lopez [00:07:30] Very, very much so. It's amazing because these organizations have the expertise to be able to do that very, very easily.
Gregg Profozich [00:07:38] Can you tell us about some recent ransomware attacks and the weaknesses that the victim had that allowed the attack to be successful?
Tony Lopez [00:07:45] I think the most prominent this year was the Colonial Pipeline. It became very obvious very quickly that it was going to be a huge issue. Indeed, the East coast practically shut down, because they didn't have fuel that could go around. That Colonial Pipeline incident was very much at the forefront in the media. In that particular case, they just had a weak organizational system, which is typically the case. You would think that infrastructure organizations or companies that are providing the kind of fuel and support that Colonial Pipeline provides would have the capability to protect themselves. But it just shows the tenacity of some of these organizations. Right here in San Diego another great example, Scripps Hospital. They were able to get into their health system. Essentially, they were forced to shut down, literally. In one of the cyber labs that we were teaching, one of the individuals that was taking the course, his wife worked at Scripps. He basically said they were completely shut down. They couldn't do payroll; they couldn't do managed care.
Gregg Profozich [00:08:56] Wow.
Tony Lopez [00:08:56] Yeah. It was a real problem for them. That was another great example. In that particular case, they were able to get in through their patients' sign-up system. JBS Foods, another huge one. It's international. They're all over the world. Their IT systems were severely impacted. They had to shut them down and then start from scratch. The interesting thing with a lot of these attacks is that it could be very, very simple things that start the proliferation of the attack, especially when it deals with ransomware, something as simple as an email somebody opens. I've got an example of something that happened to the company that I was with before, where the comptroller opened up an email thinking it was an invoice, proliferated the ransomware. Now, fortunately, we were well prepared. We were able to take care of the threat and the issue within four hours. We restored from backup. Had segmented networks. But you know what? Not everybody is that fortunate. We were lucky.
Gregg Profozich [00:10:04] I would imagine that we hear about the big ones. Colonial Pipeline, there was no way to hide it, in a sense. It was news no matter what you tried to say or do about it. But do we hear about all of the attacks? If a small mom-and-pop machine shop, or metal bender, or food production company gets ransomware, are we going to hear about it? Is there a requirement for reporting?
Tony Lopez [00:10:21] First of all, if you're a DOD contractor, you have the requirement. According to NIST 800-171 R 2, thou shalt report any incident. You have to have an incident response plan that you have to put in place for your organization, and then test and practice your responses. But if you look at the executive order that President Biden issued several months back, incident response is a big issue. Some organizations are afraid to say anything because they're afraid of what the government's going to do. The government can be a big help. It's important that you either contact the FBI, contact CISA, or some of these federal organizations. In the case of DOD, contact the CIO’s office if you're doing work with DOD. But I believe it's truly important to make sure that you're reporting it and you're letting somebody else know because there are decryption keys that may be available that the FBI has. It could save you a lot of time, energy, and money, most importantly, if you go ahead and contact them and find out what's there. They have been able to develop decryption systems that can be used for some of these different types of ransomware. I'm sure that if the FBI gets a copy of whatever the decryption key is, they're able to go through, and tear it apart, and reverse engineer it. But by the same token, just because you get a decryption key does not mean that it's going to work or it's going to do what it's supposed to do.
Gregg Profozich [00:11:58] Yeah, that number was scarily low. Only 46% of the companies got access to their data, and most of it was corrupted. That's the one that really rang with me. If I get myself in this situation even if I pay, it doesn't mean that things are going back to normal. I'm still going to suffer for a long time if I get into this situation. Let's put this in a personalized way, then. If I own a manufacturing firm, which of my systems, and devices and applications are at risk for a ransomware attack?
Tony Lopez [00:12:28] Pretty much anything that you have on your system. If it's related to the network, if it's related to communications, if it's digital, it can be subject to that ransomware attack. Unfortunately, once the software is proliferated, it's very, very difficult to stop. Within 15 minutes it could have traveled through your entire network encrypting files.
Gregg Profozich [00:12:53] I'm sitting at my desk one day, and I'm that CFO who thinks it's an invoice, and I open up a file from an unknown source, or I thought it was a known source, but somebody did a really good job of spoofing an email address or something, and I didn't notice it. I click that file. Fifteen minutes later it's across the entire network and on everybody else's PC?
Tony Lopez [00:13:11] That is correct, especially if you have a flat network.
Gregg Profozich [00:13:14] Is it on my cell phone?
Tony Lopez [00:13:15] Probably not, not unless you open the file in your cell phone. It would depend on the type of cell phone it is, what applications you have on there. But no, if it went into your system, into your network, it wouldn't necessarily automatically go into your cell phone.
Gregg Profozich [00:13:33] Okay. Could it get into my production floor equipment, my operations technology that's maybe connected to a network?
Tony Lopez [00:13:38] Very much so. Yes. If it's connected to the network and not segmented out, yes, it could.
Gregg Profozich [00:13:43] I don't just lose email capabilities; I can lose payroll, and I could lose production capabilities, also?
Tony Lopez [00:13:48] Yes, you can.
Gregg Profozich [00:13:49] I'm shut down. Everything's locked. I have a machine. It's a brick at this point because I can't do a thing with it until I get it unlocked.
Tony Lopez [00:13:54] Yeah. Let me go back to the example of what happened at the company that I was with. The immediate thing we did—we went in, we shut everything down to freeze everything. That was only corporate because we were segmented. Only our corporate network was affected. We were able to shut down every computer. We had to go back, clean out every computer, reinstall everything, et cetera, et cetera, et cetera. Unless you're able to do that, it's going to proliferate throughout the network, and you're going to lose total capability. For those four or five hours that we were doing that, we had employees sitting around that were collecting a paycheck, the manpower to clean it up that it took...
Gregg Profozich [00:14:37] For a small manufacturer a lot of times, five hours of production means I don't make shipping this week.
Tony Lopez [00:14:43] Exactly.
Gregg Profozich [00:14:43] I miss a couple of key components or key items to complete an order and get it out the door. Cash flow impacts, customer service, and on-time delivery impacts, everything.
Tony Lopez [00:14:51] Oh, sure. Then just the mere fact that they may not be able to know who their contacts are. They may not have access to their contacts to let them know that there's an issue.
Gregg Profozich [00:15:02] Ah, okay. I clicked that email, I clicked that attachment, and now I can't get to my ERP system to figure out who I was supposed to ship to and let them know it'll be late.
Tony Lopez [00:15:09] Exactly. Pretty substantial.
Gregg Profozich [00:15:17] Okay. It's operations technology; it can be my computer systems; it could also be my cell phone if I open the attachment on there. Potentially, if my cell phone is integrated with some other app on my cell phone as well as my desk, could it get through?
Tony Lopez [00:15:22] Your cell phone could be impacted. People used to say that Apple was really the way to go because you were protected. You know what? No, not anymore. These different types of ransomware have gotten so sophisticated that if they want to get in, they're going to get in, whether it's through a cell phone, through a network. The fact is telephones can be contaminated, also.
Gregg Profozich [00:15:48] Are there different types of ransomwares that we could see out there, and what are some of the entry points? Let's get into that behavioral side of I usually have to do something unsafe—I won't say wrong—to allow the attack in, don't I?
Tony Lopez [00:16:03] It doesn't necessarily have to be something unsafe, because it could very well be something you do on a daily basis. It just happened that this time you're clicking on something that is unsafe. But there's different types of ransomware. There's lockerware, where it just basically takes over your operating system. It just locks up the interface, and you're not able to access any of the resources within that particular system or computer. But interestingly enough, just this morning... I like to read different periodicals. I was reading Tripwire, and they were talking about the Ranzy locker brute force credential attacks targeting remote desktop protocols in different networks. There's over 30 companies that have gotten hit by this. It's a brute force attack, they'll just destroy. There's memory sticks, which are basically a device you plug into your computer that could proliferate it. There's crypto-ransomware, which essentially will just totally encrypt all of the files within your device or your system. Then, of course, they'll come back and threaten the organization with destroying the files if you don't pay for that decryption key. Probably the most benign that is out there is your scareware. Usually, these are just warning signs that pop up that say, "Hey, you've been infected." They're really nothing but pop-ups, but you need to be aware of them, and just make sure that you're not clicking on anything that you don't know and understand. I've always said verify at least with three sources. If you get anything, if it looks strange, verify it with three different sources, whether it's via email, or call, or in person, walking up to the other person and asking whether or not they did send it. But there's different types of entry points that these organizations will use. Typically, the way they're able to get in it's because they've got very, very weak organizational security systems.
Even the first level of CMMC, which is up-and-coming requirements for DOD, is relatively benign when it comes to security, but you want to have at least some minimum type of security available. But they'll either come in through an email, where somebody clicks on a file or clicks on a link, and then something—a program—will be proliferated throughout the network which then causes the encryption of these various files. Sometimes it can be searching the Web and clicks on something. That in itself could have the ransomware package. Individual—it could be in the background. The individual may not even have any idea that the ransomware is being proliferated. Chatting, social media, messaging—these are all paths that these organizations are using and have used in the past. There's an example of one that we call drive-by ransomware. Essentially, you'll be working on doing some search on the internet or the Web, and they're able to download a package into your system without you even knowing that package has been downloaded to your organization. There's all kinds of different types of entry points that they can use. But you just have to make sure that you have the right protections in place. I always say, and I always repeat it: an ounce of prevention is worth a pound of cure. That really does apply here with ransomware.
Gregg Profozich [00:19:48] I hear you saying no clicking on an email—I think a lot of us have heard about that—but always know the source before you click on any attachment. Right?
Tony Lopez [00:19:55] That's correct.
Gregg Profozich [00:19:56] Do a mouse-over on the email address. Make sure it looks like a real one. Look for those misspellings or improper grammar in a message that sounds like or looks like it's coming from someone, all those kinds of things. I can click on an email. I've heard of infected flash drives. Right?
Tony Lopez [00:20:11] Yeah.
Gregg Profozich [00:20:11] In conversations with some cybersecurity professionals in the past, the best way to infect companies in the past was take a bunch of flash drives and put your malware on it, and then take a piece of masking tape on the outside of the flash drive and write payroll, and then just go drop it in the parking lot. Who doesn't want to know what everybody else in the company is making? Somebody sees it next to their car in the parking lot; they pick it up; they plug it in, and away we go. There's no payroll information, but now you're the courier through the firewall into the internal system. Infected flash drives can be dangerous. We're looking at a policy—I think our policy is pretty much cemented in—for our company that flash drives aren't permitted anymore. They're too dangerous. They're too easy to manipulate.
Tony Lopez [00:20:49] Yes. You are so right. You hit it on the hip. But more importantly, the problem with having access to USB and being able to use those devices, that you also need to be concerned—which is a whole other topic—about insider threat, because they can do a lot, take a lot if they're there. But you're totally correct. Great examples.
Gregg Profozich [00:21:09] Network vulnerabilities is another thing and then Web searches. Where am I searching? Am I downloading things and clicking links on pages? Is anything coming along with those Web searches? Keeping your business computer and your business systems focused on business Web searches only is a great best practice. Right?
Tony Lopez [00:21:27] Yeah, sure is.
Gregg Profozich [00:21:28] No online shopping during lunch.
Tony Lopez [00:21:30] Well, you shouldn't be doing that, to begin with at work.
Gregg Profozich [00:21:32] I said during lunch. I'm on my lunch hour. I'm sitting at my desk eating a sandwich, but I got to get some things done for Christmas shopping. I go on my favorite eCommerce site. Well, not necessarily, because those can also be a source that adds risk to your personal network at home but also to your business network.
Tony Lopez [00:21:49] Yeah. Well, just think about how widespread it is. The media, that's all they've been talking about is what's going on with Facebook. Unfortunately, it's become—maybe this is not the best term to use—a cesspool of misinformation. We just have to be very, very careful when we're using social media and any devices that are foreign.
Gregg Profozich [00:22:14] Is there such a thing as a ransomware attack profile? Is there a certain kind of company? How do these hackers figure out and target people, or is it just completely indiscriminate? What's their approach?
Tony Lopez [00:22:25] Small businesses are big targets because of the fact that they are easy prey to some of these organizations. But as you start to look at the different ways that they begin these attacks, what they'll do is they try to put the ransomware in the system. It could sit there for months dormant, not be activated until they decide that they want to activate it. But there's also the fact that once they proliferate it, it'll encrypt the entire operating system, shutting everything down, especially if they're targeting something like a Windows or... That could be any operating system, I should say. It could be Unix; it could be Mac, et cetera, et cetera. Then, of course, they require this custom encryption which they can develop themselves that has the ability to totally bypass any form of security software. If you think as an organization because you have an antivirus that you're going to protect yourself, you're wrong. You're not, because they're going to figure out a way to get around it. You have to be very, very, very careful as to how you do that.
Gregg Profozich [00:23:33] Antivirus is one tool, an important tool, but it's not the entire answer.
Tony Lopez [00:23:38] No, it isn't. It's one in many actions that a company should be taking to protect themselves, which takes us back to NIST 800-171 R 2, which is really a framework for protecting your organization from all of these different things because it's not just ransomware. There's all kinds of other ways that organizations can penetrate your system.
Gregg Profozich [00:24:03] Okay. Let's start getting into the conversation about... Okay, we've talked about ransomware and how it can get in, what a threat it is, how big of an issue it is, and how detrimental it can be to a company. What do we do about it? If you owned a small manufacturing firm, knowing what you know about ransomware, what practices would you implement to prevent attacks?
Tony Lopez [00:24:20] We recommend two things. Number one I mentioned earlier—an ounce of prevention is worth a pound of cure. You got to do some prevention, first of all, to protect yourself. Those are things like establishing strong content protection within the organization, making sure that you have good identity management, and implement those policies so that all personnel are aware of what they are and are following them. You want to make sure that you implement some form of early threat detection capability. Early threat detection can be as simple as making sure that you're continuously monitoring your logs. But there's applications today that are very good applications that will help you do that and will alert you if something is taking place. Implementing strong compute layer security at that level, making sure that active directory is being protected, establish continuity planning, and then, of course, insurance. The worst mistake companies make is not to get the right kind of insurance to protect themselves. Now, as far as best practices, I talk about NIST, and it's definitely following these steps. You want to make sure you have good what I call credential hygiene. In other words, make sure that you're managing the rights of the people that are using the systems. They have to use strong passwords. You have to protect your entry points. Limit them as much as possible. Do you have wireless in your organization? Maybe consider not having wireless to help protect and manage user accounts and the applications. Who's able to use what, what they can download. This is all very important. Principle of least privilege. If you don't need to know, you shouldn't know. Therefore, you shouldn't have access. Multifactor authentication—it's a really critical one. I think you're seeing this really proliferating in every area of commerce and business.
If you go into your credit card, you're going to get a little text asking you to put in that code word or number that they have given you. Multifactor authentication. Protecting your active directory, making sure that it's all set up correctly. Segmenting your networks is critical because if they hit one portion of the network, they won't be able to get to the other portion. Creating an enclave if you're working with highly secured information. Having a strong backup policy and then making sure that you're protecting your backups because now some of these ransomware packages are also encrypting backup. You want to make sure that you do have strong backup policies within the organization. Encryption goes unsaid. Logging, versioning capability. Then really critical is that ability to respond to incidents. You have to live by that. You have to have a plan. Then, more importantly, you have to train your employees to know what to do in the event of an incident and how to recognize it. Then finally, the bottom line is you have to simulate; you have to test, and test, and test. That's the only way you're going to know if you're really ready to handle some of the very sophisticated attacks.
Gregg Profozich [00:27:48] Okay. There's an awful lot of information there. I think I heard the two main areas, though, is prevention and then the ability to respond.
Tony Lopez [00:27:57] Exactly.
Gregg Profozich [00:27:57] Okay. Under prevention let's decompose a little of these just to make sure because I know a few terms; I don't necessarily know all the terms. Let's make sure that our listeners have an assessment of what each of them mean. Prevention, establish content protection, I think was the first thing you said. What is content protection all about?
Tony Lopez [00:28:12] Essentially, it's making sure that you have the mechanisms in place to make it difficult for these perpetrators to get to the content that you have within the organization. That could be documents. It could be anything of that nature. How do you protect it? You can encrypt. There's other ways that you can also protect that content.
Gregg Profozich [00:28:33] Got you. You mentioned NIST 800-171. One of the graphics, I took a look at that. One of the graphics I saw on the NIST webpage I remember is IPDRR. Number one, identify, protect, detect, respond, recover. Those are the five buckets. I think what you're talking about here in content protection is that first identify piece.
Tony Lopez [00:28:55] Exactly.
Gregg Profozich [00:28:55] When we talk about the identify piece, I think you're saying figure out of all the information you have, what's the critical stuff that you need to protect, and what's the stuff it doesn't matter about. Right?
Tony Lopez [00:29:05] Exactly.
Gregg Profozich [00:29:05] If we think about it in terms of our house, well, I have locks on my door so that people can't come in my house. My wife's jewelry maybe is in the safe up in the bedroom closet, whereas plates and dishes I bought at Costco don't care about. I can get those again tomorrow. It doesn't really matter. They're not that expensive or that valuable. I would look to protect the things that are really important and the other things I don't have to build protection around necessarily. That's the idea here?
Tony Lopez [00:29:29] Exactly. I think your points are very well taken. You protect that information which is really critical. If you're talking to a manufacturing organization that's part of the defense industrial base and they're working with CUI, they're going to have to protect that information. Those would be the jewels that you would be protecting. You would do that by segmenting that network, by separating it, and then putting whatever protections you need to have in place to make sure that it's not accessible in any way.
Gregg Profozich [00:39:57] Right. It's really a question of if somebody got this information, what's the so-what value? If somebody got critical drawings on a protected part that is CUI, I should be protecting it. If somebody got into my ERP system and found out that my janitors used 17 gallons of soap to clean the floors last year, who cares. Right?
Tony Lopez [00:30:11] Exactly.
Gregg Profozich [00:30:16] All that information's in the systems. It's all there. Most of the data probably doesn't really need to be protected; just certain things need to, which really, I think, cuts down the territory. I've got 100,000 files on my systems. There's only 200 of them that matter.
Tony Lopez [00:30:29] Exactly. That is a really, really important point, by the way, because you have information that is like you said, not important, but then you have company proprietary information which you want to protect from competitors—proposals, bids, things of that nature. But now after that, there's an additional category that you have to consider if you're doing DOD work, and that's federal contract information. That can include anything like contracts; it could include proposals, emails, any communication exchange between the company and the government. Then you start to get into your CUI. Then you start to get into your classified information now. Hopefully, if you're a small company, I sure as heck wouldn't want to have any classified information on my systems, but you may have to deal with that CUI if you have to.
Gregg Profozich [00:31:17] Then, of course, health benefits and payroll have to be protected, too. Social Securities can't get out there, health histories can't get out there, et cetera. But there's information that matters; it's important to protect. It's the stuff you put in the safe in your house. Identity management policies—well, what are they all about?
Tony Lopez [00:31:32] Well, essentially, it's how and who you're going to be allowing to access the network. The way you do that is you put together a policy, and you say this is going to be your password policy, this is going to be the sign-in policy. It's important to make sure that you have these policies, they are written down, but then you got to take that next step. That's make sure that whoever's using your system is acquainted with those policies, is aware of them. Actually, something we did where I worked before—I purposely mandated this, because I wanted to make sure that every employee read the policy—was they had to sign the policy and return it. That guaranteed that they could not come back later on and say, "Well, gee, I didn't know I couldn't do that." It becomes important to make sure that those policies are in place and that your personnel are acquainted with the policy, especially when it comes to identity and who's accessing your system.
Gregg Profozich [00:32:34] Does that go into profiles, also?
Tony Lopez [00:32:36] Yes. Sure, it does.
Gregg Profozich [00:32:38] There's an administrator-level; there's a user level. There's this level of user can only see this information; this level of user can see a little bit more; this level as an administrator can see everything, et cetera. That's also part of identity management. Right?
Tony Lopez [00:32:52] That is correct. Yeah. That has to do with what I call rights management. In other words, if you have a need to know, you can get access; if you don't have a need to know, then you don't need access.
Gregg Profozich [00:33:02] Okay. You mentioned implementing computer-level security. Tell us about what that means.
Tony Lopez [00:33:06] Well, it's basically the compute layer, and it's at the layer where you're running your system. A good example would be Active Directory. Making sure that everything that you have in place from a system standpoint has the correct settings to protect your organization. Actually, as part of the boot camps that CMTC does, there's an individual that does an excellent discussion on rights management, and compute layer, and what you should do to protect it. It's just making sure that all of the settings within your operating system, within your systems, are correctly set so that you will protect the organization. There's a whole long list of different actions that you should do with the operating system to help protect that compute layer.
Gregg Profozich [00:34:00] Okay. You mentioned insurance, cyber insurance. Got to have it these days.
Tony Lopez [00:34:02] It's like car insurance. Are you going to drive around without car insurance? You're buying it just in case. But as an example, in our case, we had insurance; we were fully insured. We found out we were only insured to $10,000. Trust me, it didn't cover.
Gregg Profozich [00:34:19] Twenty-one days of non-operating; $10,000 goes pretty quick, doesn't it?
Tony Lopez [00:34:25] Oh, yes. The other thing, too, is I had the opportunity to work with a group. We did research and put together a document on insurance. We basically found that the majority of small businesses don't really consider ransomware insurance or cyber insurance to be critical. Let me tell you, nowadays insurance is critical. You need to talk to your insurance agent. You need to understand what your policy covers and what kind of coverage you need to get because you're going to need it. Eventually, you will need it.
Gregg Profozich [00:35:01] Credential hygiene and strong passwords.
Tony Lopez [00:35:05] The problem, I think, with people, in general, is they're going to find the path of least resistance. They're going to try to make it as easy as possible. I literally used to go into offices and look for little stick-up notes...
Gregg Profozich [00:35:20] Post-it notes of what the password is so we don't forget?
Tony Lopez [00:35:22] Yeah. If I found anybody that had any, I would slap him in the hand and say, "You can't do that." Very critical to have strong passwords. Those passwords should be changed at a minimum every 30 days. They should be at least minimum 12 characters with numbers, and characters, and letters. But yeah, very, very important. You got to have a strong password because that's your first line of protection. Your second one is your two-factor authentication. That comes immediately following.
Gregg Profozich [00:35:56] When I add onto that strong password the fact that I have a device that I'm going to say yes, this is me a second time, that is a device only I should have. That's another level of security. It's not foolproof, necessarily, but it's certainly a huge step.
Tony Lopez [00:36:08] Yes. Just make it very difficult for a perpetrator to get past both of those layers.
Gregg Profozich [00:36:12] Right. Well, I have to hack your computer and your cell phone now. If I hack them both, I'm in, but I have to hack them both. You double the amount of hack success that's required to be able to successfully get in and launch the ransomware.
Tony Lopez [00:36:25] Yeah.
Gregg Profozich [00:36:25] Okay. Why 12 characters? Why is that the magical number? What does that complexity or that length do?
Tony Lopez [00:36:31] Degree of difficulty. It just makes it more difficult than if you have a six-character password or a four. Now there's software that these organizations can use that'll go through password generators. The more difficult you can make the password, the better. Which brings up another important point. A lot of folks use very simple IDs. You know what? It's not like the old days. It's a good idea to make sure that you have a more sophisticated ID. Whatever you do, don't use common words in your ID, and definitely don't use common words in your passwords, because it'll just make it a lot easier for somebody to break what those passwords and IDs are.
Gregg Profozich [00:37:17] A password breaker—if it has a 3-digit password or a 12-digit password. Three digits is what, 1,000 combinations if it's just numbers? If I put in the whole 26 letters in the alphabet, I don't know what that permutations out to or whatever the operation is, but it's a large number. But if I move it up to 12, it's staggeringly larger. It just takes that much longer for the password generator to run through every possibility until it comes to the one that you happen to be using.
Tony Lopez [00:37:43] Right. I think what's really important, though, is that the idea behind a lot of what we're talking about is make it as hard as possible for the perpetrator to get in. The harder you make it... They're going to try to hit and move on. If it's costing them too much effort, too much time, they're not going to waste their time, because they know that there's others they can go to where it might be a lot easier.
Gregg Profozich [00:38:09] Right. If I launch 1,000 attacks today, and 12 are successful, I probably make my nut. We want to be part of the 988 that were too hard for them to trouble with, and they moved on to somebody else. Right?
Tony Lopez [00:38:19] Exactly. That takes us back to prevention, making sure that you are ready.
Gregg Profozich [00:38:25] Planning and practicing. I know for a small- to mid-sized manufacturer they don't have a lot of extra resources. It's an unfair generalization but makes the point. The average small manufacturer is often too busy working in the business to work on the business. Sarah called off sick this afternoon. Betty, the owner of the company, is now not behind her desk doing her administrative stuff. She's out there running the machine because she's got to ship product to make payroll on Friday. How do I do this? What are some simple things I can do for my planning, and my simulating, and testing to make sure that I have a level of security? That working in the business won't matter when I can't access my machines, because they're locked out. Right?
Tony Lopez [00:39:03] Yeah, very difficult. I totally relate to what you're talking about here because in the cyber labs a huge portion of the companies that have taken those courses are very small businesses. We're talking anywhere from 1 employee to 10-50 employees. It becomes very difficult for those organizations to do all of the things. It's cost-prohibitive depending on what they're going to have to do. Something that we recommend: first of all, you want to do a thorough analysis of your organization. But more importantly, before you even take that step, bring together some of the key departments in your organization. If you're five employees, I would bring in all five employees and start talking about security. The greatest hurdle is changing company culture and getting it to think from a security standpoint. Bringing them in, making them a part of the process, and then getting help, going to organizations like CMTC, which has a phenomenal program, getting that support. There's managed service providers out there that can come in and help you from a cybersecurity standpoint protect your organization. Yes, it's going to be a cost, but you have to consider the cost if you don't do it, if you don't protect yourself, especially if you are a DOD contractor. It becomes very, very critical that you make sure that you are utilizing other resources that you may not have available. Taking the cyber labs is another great example. We take folks through the whole process, teach them the regulations, let them know what they're all about, what they need to do to meet them, how to generate a system security plan and a plan of action and milestones, how to put together an incident response plan, how to do a good risk analysis and risk assessment for the organization, what things to look for in configuration management. This is all information that a company can then use to help guide them in how they do the implementation of the various requirements.
Gregg Profozich [00:41:22] We've talked a lot about requirements, and we've mentioned NIST 800-171. You talked about some of the prevention steps that we would take. How do these relate to that NIST cybersecurity framework? Is that the cybersecurity framework? Is 800-171 the framework? Is it something more? What do I need to know as a small manufacturer about all this?
Tony Lopez [00:41:39] There are different frameworks, what we call different resilience frameworks. But to me, the bottom line is that NIST 800-171 is the best framework that we have today, which is why DOD has really adopted it and why it's become so important, because it covers every aspect of an organization and how they operate. In the case of the various examples that I gave above, it's basically taken from NIST. NIST has 110 controls, and each control has other subcategories within them that you can go in, and you can test for, and you can implement that are going to help to secure your organization. But definitely now with the DOD NIST assessment methodology, which every single DOD contractor/manufacturer has to have the ability to submit their score on the SPRS system so that the government can then see that they are in the process of implementing NIST 800-171.
Gregg Profozich [00:42:44] You were talking a little bit before about the need, and if you're a defense contractor you should do this. It sounds like it's moving in the direction that you're going to have no choice. You have to do these things, or the DOD is not going to contract with you. Is that the way you think it's going?
Tony Lopez [00:42:58] No, it's there. November 30, 2020, the government issued three new DFARs, Defense Federal Acquisition Regulations. One of them, 21, was not made official or completed. That was the mandate to create CMMC and get it established. 19 dealt with the NIST assessment methodology. If I may digress a little bit here, I'll give a little bit of background. In December of 2019 contractors were supposed to have met NIST 800-171, all of those requirements. However, at that point, it was only self-attestation. As a contractor I could say, "I meet the requirements," but the bottom line was that I hadn't done anything to meet those requirements. I think DOD realized that this was going on. Therefore, fast forward to '20, and they implemented the NIST assessment methodology, which essentially is a ranking of all of the various NIST controls that an organization has to meet. Then whatever score you derive from that then has to be entered into the SPRS system, which is DOD’s system for tracking past performance, and contractors, and information like that. This will impact your ability to compete for contracts. If you don't have a score, you're not going to be able to compete for contracts.
Gregg Profozich [00:44:31] Tony, we've talked a lot about the new requirements and a lot about practical steps you can take for prevention and ability to respond. Let's turn it to the next area. Okay, now it's already happened. I think I've been attacked, or I think I'm a victim of ransomware. What do I do, and what does my organization do to respond to an attack in those moments right then?
Tony Lopez [00:44:50] Yeah. I think there's two answers to that. I believe there's certain steps you want to take to respond to the attack, and then there's certain steps that you do not want to take. Let me cover those which you need to do. First of all, you want to isolate any affected systems. That's why I keep barking about segmenting networks. The better you're able to isolate the system, the more you will minimize the impact. You want to make sure that you have secure backups. At the company that I was with before, we had triple redundancy on backup. We had on-prem; we had off-prem, and then we had in the cloud. It's a good idea to make sure your backups are good. If you have any sort of automated maintenance tasks that run automatically, if you know you've been hit, shut those down immediately. Create backups of any infected systems just to make sure that you have what because you're going to have to provide this to government agencies, depending on the attack. Quarantine the malware. Make sure that that's taken place. Identify any ransomware strain, if you can. I mentioned earlier that the FBI now is tracking a lot of this information. CISA is also tracking it. I would definitely reach out to them to find out if they have anything similar. Then the bottom line is going to be making the decision as to whether or not you're going to pay the ransom, keeping in mind that there is a very high probability that even if you pay the ransom, you may not get the decryption key, and if you do, it may not totally decrypt everything that you have.
Gregg Profozich [00:46:43] The IDing the ransomware strain—is that helpful if I contact the FBI and they can tell me, "Well, we've had 50 cases of this, and 90% of the time you don't get your data back if you pay"? Do you get that kind of information from that or no?
Tony Lopez [00:46:55] Yes, I would definitely contact the FBI and let them know that you've been hit. They can then put you through to the right folks that handle these types of threats. They have a lot of information. They may be able to go into your systems, and look at the systems, and tell you exactly what it is that you have. Especially if you're really small, you're not going to have the capability to do that. If you have an IT person that's working part-time, maybe two, three days a week, in all probability they're not going to be security experts. You want to reach out to an organization like the FBI that has infinite resources.
Gregg Profozich [00:47:38] That gives you more information to make a better decision about what to do next.
Tony Lopez [00:47:41] Yes, sir. It really does.
Gregg Profozich [00:47:43] Let's talk about the don't do's.
Tony Lopez [00:47:45] You don't want to restart the impacted devices. Not a good idea, because they could once again proliferate. Do not connect any external storage devices to infected systems. That's the worst thing you can do because that device is going to get infected. This one's an interesting one. Do not pay the ransom immediately. Gather your facts. Find out, first of all, if there's an application that you can use to remove it that's already been developed by either the FBI or other organizations. Do not delete any files, because those files may be useful in doing the forensics. Then, finally, do not necessarily trust ransomware authors. You have to be aware that these people are criminals, and they're going to act as criminals. You definitely don't want to be very trusting of these individuals.
Gregg Profozich [00:48:42] Okay. So, I'm a small manufacturer. I made the mistake, and I clicked on what I thought was an invoice, and it launched a malware attack. I quickly unplugged my PC that was sitting on my desk. I called IT. We shut down everything. All the automated IT maintenance tasks we tried to isolate as best we could. We quarantined the malware. We identified the strain, et cetera. But it's still there, and my computer's locked. If I want to get my computer back, I got to pay. If I can't decrypt it, the FBI can't help me, nothing is there. What do payments look like? How do you do that? You're not going to go down to the bank and withdraw cash. What's that process look like?
Tony Lopez [00:49:15] First of all, triage. Find out what the situation is. Determine if you are able to clean up the system. If you're a small company, you might be able to clean up those systems without a lot of effort. If you're only talking five computers, one server, maybe one database server, you may be able to have your IT person go ahead and just shut everything down, clean it out, and then load from backup. But very important—make sure that your backup is a good backup. What you don't want to do is back up your system if you know you've been infected, because the backup is going to be infected. You want to make sure that you're continuously backing... You should be backing up at least daily anyway. If you're not doing that, I would be really concerned, because it could be any other catastrophic event. You can lose a lot of information. It's just a good idea. You restore from backup, and then you're up and running again. Is it really that simple? It can be if you're lucky, but it can be really devastating if you're not able to do that.
Gregg Profozich [00:50:30] Yeah. I would imagine you went through this. Somebody else in the company clicked on something to proliferate it through the system. How did your company culture change? Your awareness and training about cybersecurity—how was that impacted by that event? Let's learn from that now so we can not have to have the event. Let's start that training now, if we can, just for small manufacturers. What did you do different? What changed?
Tony Lopez [00:50:48] The biggest change was probably cultural. The bottom line was that it really was the catalyst for us to develop a good, strong training program and make sure that employees were taking that training annually. That was the first thing. Then we started an email program, where once a week I would send out an email related to information security, things to look for. If we heard of anything that a company had been impacted, we would include that in the emails. We also started an automatic on our news... We had a quarterly newsletter. We began to publish an article on a quarterly basis on information security, and things to look for, and how to protect the company. It really was a culture shift for the organization. But I think what's really important to point out here, that both the CEOs that I got to work for and the owners of the company were very, very much interested in making sure that the company was secure. It came from the top. That's what needs to happen. I'm talking now to CEOs and presidents of these manufacturing companies. Let me tell you, it has to come from you as the head honcho. You have to make sure that it rolls all the way down to the lowest employee, and they are aware of the importance of understanding how critical security has now become for your company.
Gregg Profozich [00:52:26] It's a moment or two at whatever level in the company of just not paying attention and mindlessly clicking something that can cause some major damage. That's a message that has to come from the top and be reinforced, I'm hearing you saying. Annual training, weekly security email, quarterly newsletter articles, continuously reinforcing, making it top of mind.
Tony Lopez [00:52:49] Yeah.
Gregg Profozich [00:52:49] In manufacturing companies often safety is top of mind. You start every meeting with a five-minute or two-minute safety briefing just to keep it top of mind. You’ve got to do the same thing with information security, it sounds like.
Tony Lopez [00:52:58] Oh, yeah, you do. Let me give you one other example, if I may. As part of the cyber labs, we have an executive course that we do, and it's strictly for managers. It's more of a higher-level, not-as-technical course. But we just finished with a company. I won't mention the name of the company. But everybody from the CEO to the first-line managers participated in the course. It's because the CEO and the general manager of this company really believe how critical this is. Of course, they're DOD contractors. The best way for them to meet the requirements and to make sure that they're protected is to make sure that their managers are all knowledgeable and aware of what to look for.
Gregg Profozich [00:53:46] Well, Tony, we've covered an awful lot of ground today. I really appreciate your time here. I'm going to try to do a real quick summary. Today we talked about cybersecurity, what manufacturers need to know about ransomware and recovery. We talked about what ransomware is. Ransomware is malware that encrypts and holds data or devices hostage that the victim must pay to unlock. There are a large and growing number of attacks. Every year there are more ransomware attacks, and the cost of those attacks is going up. Small to mid-sized manufacturers are often targeted. Many people think we're too small to matter. No, it's because you're small that you're actually seen as an easier target. Chances are you have fewer IT people; you have less security in place; you're more focused on doing your core competency than worrying about this IT threat that's ethereal and out there until it happens to you. They see that, and they view you not only as your data is important, but you may be an open door to your OEM, to your upper tiers in the supply chain that you serve. Small manufacturers, if there's a weakness there they can exploit and if they're connected systems with the OEM, they can go laterally into the OEM system and get even more of a treasure, if you will, for them. That's why it's important for everybody to pay attention. We've had some very public ones, very public ransomware attacks recently in the Colonial Pipeline, San Diego Scripps, a couple of others. We see them in the news on a regular basis. We're not always going to see all of them, though. A lot of small manufacturers may not report it, may not want their upstream or downstream trading partners to know. But there's actually a lot of wisdom in reaching out to the resources, reaching out to law enforcement, the FBI. Some cybersecurity organizations can be very helpful. If you're a DOD contractor, it can be a requirement that you have to report.
It's also a requirement if you're a DOD contractor that you have a response plan, and you have to practice that response plan so that you're set up and can show that you can recover quickly. Ransomware basically proliferates across a network. It can run from your personal computer on your desk to your laptop to your phone to your operations technology equipment across your entire network and all the other computers, and printers, and hardware within your organization. Once it starts proliferating it can get anywhere. It's important to have a response plan in place to shut it down and isolate it as quickly as possible if an attack actually happens. Ransomware can get in through multiple means. It can be that someone clicks on an email that has malware in it. It can be using an infected flash drive. It can be a network vulnerability that somebody notices when they're trying to hack in and poking around your defenses, and your firewall, and your security. It can be through a Web search. It could be through social media. There's a very large threat surface for how ransomware can get in. Small businesses, again, are seen as easy targets for that. NIST, the National Institute of Standards and Technology, has published a framework for protecting an organization. It's titled NIST 800-171 R 2. It's a good framework for how to implement security for your company. The main things in terms of what to do, Tony mentioned two large areas: number one, prevention; number two, the ability to respond. There were a lot of things mentioned within prevention, from establishing content protection, figuring out what's important to protect and what's not, all the way through identity management and strong passwords, multifactor authentication. A number of things mentioned there. The second was the ability to respond, having a plan. What am I going to do? What do we do? How do we shut down the systems? How do we isolate?
How do we pull up our data from backups and replace the infected stuff with noninfected systems and data? We have to have that plan, and then simulate a breach, and test, and test, and drill people so that we know how to do it and respond quickly. We talked about the DOD new requirements. If you're a DOD contractor, back in November of 2020 there were three new DFARs, Defense Federal Acquisition Regulations. The NIST methodology was one of them. It's now a requirement to do business with DOD. You have to be able to respond to these. If you find yourself being the victim of a ransomware attack, some do's and don'ts. In the do column, isolate the affected system, or computer, or device as quickly as you can; have a system in place so that you have secure backups so if something does become infected, you can wipe it clean and reinstate it with the backup data from a recent time. Shut down any automated maintenance tasks. If you have a task that updates the entire system and the ransomware is in there, it'll proliferate across a larger portion of the network. Quarantine the malware as best you can. Isolate that device. ID the ransomware strain, if possible. Then you got to make that decision about whether you're going to pay or not, knowing that payment, be it in Bitcoin, or money, or some other kind of currency, might get you an encryption key—might—and that encryption key also might get you your data back. Then that data might be useful and might not be corrupted. It's not a good situation to be in, obviously, with that many mights on the other end. On the don't side, if you get attacked, don't restart the infected device. Don't connect any external storage devices, because any external storage devices would then be infected and be able to proliferate the infection further. Don't pay the ransom immediately. Take some time; do some research; learn so you can make an informed decision.
Don't delete any files, because the files you delete may have the ransomware on them, which might be some of the keys to can you get help, does the FBI have an encryption key for you. Maybe they can get you back up and running without having to pay a ransom. Then don't trust your ransomware authors. Then we talked, finally, about training and the cultural aspects of it. Commitment to IT security and information security has to start at the top and has to be reinforced. You're going to have to do with your employees some kind of training and reinforce that training to keep it top of mind. What are the best practices, and how do we make sure it's something that's top of mind that we're always thinking about so we don't inadvertently, while we're having a conversation with someone standing outside our cube, click an attachment without thinking about it? Those are the things that can get us in trouble. We have to have it top of mind and make sure that we behave as safely as possible to try to eliminate and minimize the threat. Tony, did I miss anything there?
Tony Lopez [00:59:49] No. Boy, talk about a great summary.
Gregg Profozich [00:59:53] Well, thank you. Just feeding back the information you shared. That's everything you covered.
Tony Lopez [00:59:58] You did a great job.
Gregg Profozich [01:00:00] Well, thank you very much. Tony, it's been a pleasure having you here today. I really, really appreciate it. Thank you for joining me, sharing your perspectives, your insights, and your expertise with me and with our listeners.
Tony Lopez [01:00:08] Thanks, Gregg. It was a real pleasure. I really enjoyed it, sir.
Gregg Profozich [01:00:11] As did I. As did I. To our listeners, thank you for joining me for this conversation with Dr. Tony Lopez in discussing cyber security, what manufacturers need to know about ransomware and recovery. Thank you so much. Have a great day. Stay safe and healthy. Thank you for listening to Shifting Gears, a podcast from CMTC. If you enjoyed this episode, please share it with others and post it on your social media platforms. You can subscribe to our podcasts on Apple Podcasts, Spotify, or your preferred podcast directory. For more information on our topic, please visit www.cmtc.com/shiftinggears.
CMTC is a private nonprofit organization that provides technical assistance, workforce development, and consulting services to small- and medium-sized manufacturers throughout the state of California. CMTC's mission is to serve as a trusted advisor, providing solutions that increase the productivity and competitiveness of California's manufacturers. CMTC operates under a cooperative agreement for the state of California with the Hollings Manufacturing Extension Partnership Program (MEP) at the National Institute of Standards and Technology within the Department of Commerce. For more information about CMTC please visit www.cmtc.com. For more information about the MEP National Network, or to find your local MEP center, visit www.nist.gov/mep.