
Applying the NIST Cybersecurity Framework to Magnetek

Executive Summary

An executive order called Improving Critical Infrastructure Cybersecurity was signed by
President Obama in 2013 to advance cybersecurity among the critical infrastructure sector.
Magnetek, an industrial power and motion controls company, would benefit from increasing its
cybersecurity efforts and applying the resulting framework. Magnetek produces drives that
power cranes and elevators across the globe, making the company directly linked to the critical
infrastructure sectors defined by Homeland Security. Having an important role in the supply
chain means that the tolerance for cybersecurity risk is low. Magnetek has not yet suffered a
catastrophic cybersecurity attack, but after looking at the damages on companies such as
Equifax, whose costs are now reported at $87 million, it is easy to see the benefits of
cybersecurity protection.

A proactive approach to cybersecurity can lessen Magnetek’s cyber risk and aid Magnetek in
the protection of its assets. This paper presents an application of the Framework for Improving
Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology.
Within the framework, there are 5 core functions: Identify, Protect, Detect, Respond, and
Recover. Within each of these functions are categories and subcategories that describe
activities related to each function. A few key areas where Magnetek should focus its attention
are within the Protect and Respond functions. Conducting employee training and establishing
security policies are a few ways in which Magnetek can increase protection of assets. Once
policies have been established, Magnetek should focus on adhering to and regularly updating
these policies. To address low scores in the Respond function, Magnetek should develop
concrete response plans for cybersecurity events. A dedicated cybersecurity team would help
with the development of and compliance with policies and plans. Currently, Magnetek does not
have the resources to hire such a team, but appointing cybersecurity roles within the IT
department at Magnetek will help in the adoption of and adherence to cybersecurity practices.

An action plan for Magnetek includes assigning cybersecurity roles, defining risk management
goals, updating security policies and developing response plans. If Magnetek can accomplish
these four tasks, it will be well on its way to protecting its assets and becoming more secure
against cyber threats.

Introduction and Scope

Magnetek, a leader in power and motion controls technology, is a 300-employee company
headquartered in Menomonee Falls, WI. Increasing cybersecurity would benefit any company,
but especially a technology company such as Magnetek. Magnetek’s drives power cranes and
elevators across the globe and could be considered as part of the critical manufacturing sector,
which is one of the 16 critical infrastructure sectors (Department of Homeland Security, 2017).
It’s important for any company to have a cohesive strategy to combat and recover from
cybersecurity attacks. As such, adhering to the NIST Framework for Improving Critical
Infrastructure Cybersecurity would greatly benefit Magnetek. Creating a current and target
profile for Magnetek will help in assessing the risk landscape and establishing the risk appetite
for the company. With these tools in hand, Magnetek will be able to strengthen its
cybersecurity strategy.

I’ve worked for Magnetek since May 2017 as a Software Engineer Intern. During this time, I’ve
been introduced to Magnetek’s policies and procedures, gone through ISO and safety training,
and discussed with coworkers about cybersecurity efforts within Magnetek. However, since I’m
still new to the company, I only have limited knowledge of Magnetek’s cybersecurity efforts.
Assumptions have been made in determining Magnetek’s current and target profile and may
not reflect the actual status.

Two years ago, Magnetek was acquired by Columbus McKinnon (hereafter referred to as
CMCO) for $189 million. In the past few years, CMCO has been expanding and acquiring several
other companies such as STAHL CraneSystems and Unified Industries. While day to day
activities mostly remained the same, the acquisition of Magnetek has changed some aspects of
the business environment and governance. For example, Magnetek has replaced its own
policies and procedures with that of CMCO, some of which have not been updated as recently
as they should be. Many of the recommendations for Magnetek could also apply to and be
implemented in CMCO.

Risk Tolerance and Assessment

It’s important to determine how much risk Magnetek is willing to tolerate in relation to its
business goals. Since Magnetek provides important manufacturing services that directly relate
to critical infrastructure, it is safe to assume that Magnetek has a relatively low tolerance for
risk. Explicitly determining the risk tolerance will guide business objectives and practices.

Since Magnetek has a low tolerance for risk, each of the core functions has a target profile of
at least 3, which means that formal cybersecurity and risk management practices are
established as organization-wide policy, and that policies, processes, and procedures are
defined, implemented, and reviewed (NIST, Cybersecurity Framework, 2014). Magnetek currently has
many policies in place, including some cybersecurity policies. There is a need, however, to align
policies already set in place, to update these policies, and have individuals within the company
adhere to these policies.

Magnetek has not had a catastrophic cybersecurity event, which is both a positive and a
negative. It’s positive for obvious reasons, but it can also be negative because Magnetek has
not been proactive about cybersecurity. I feel it is more out of luck than preparedness that
Magnetek hasn’t been majorly affected by a cybersecurity event. Many companies only
strengthen their cybersecurity efforts after an attack has occurred but if Magnetek takes the
time now to adhere to the NIST framework, the company will be more secure and the risk of an
event will be reduced.

Current Profile

After evaluating Magnetek’s rating for each subcategory of the NIST framework, I averaged
scores for each of the functions to determine Magnetek’s current profile. The scores are
illustrated in the chart below. Magnetek is Risk Informed (Tier 2) in four out of the five
functions. Magnetek does have risk management practices in place, but they may not be
followed by the entire company. Target profiles for each of the five functions will be covered in
a later section.

Current profile score by core function (chart data, scale 1 to 4):

    Identify   2.3
    Protect    2.3
    Detect     2.4
    Respond    1.6
    Recover    2.5

Below is a heat map of the framework. Green indicates that the current profile and target
profile have the same rating. Yellow indicates that the current profile score is one point lower
than the target profile. Red indicates that the current profile is more than one point away from
the target profile.

[Heat map of the framework, one row per core function: Identify, Protect, Detect, Respond, Recover.]

While applying the framework to the company, I noticed several areas where Magnetek
performs well. The first area is Asset Management. The IT department in Magnetek ensures
that all assets are identified and managed. Resources are also tracked and managed well. If
employees need any physical devices or software applications, there is a very specific and
well-documented process that they must go through. Another area where Magnetek excels is
delivery of services and quality control practices. Magnetek understands its role in the supply
chain and the success rate of on-time deliveries is closely monitored. Issues and reasons for
missed deliveries are tracked and reviewed and changes are implemented in a timely manner.

Magnetek adheres to the ISO 9000 Quality Management System Standards and all employees
go through ISO training shortly after hire (ISO, 2015). The HR department oversees internal and
external audits for quality control and living documents are easily accessible. Magnetek also
does a good job on continuous security monitoring. The IT department uses several third-party
monitoring tools and the monitoring system is finely tuned. Internal and external audits are also
conducted for the monitoring system. One final area that Magnetek manages well is recovery
strategies (not specifically related to cybersecurity) and public relations.

There are several areas in Magnetek’s current profile that have room for improvement. I will go
through each of the functions and point out categories and subcategories that I think should be
addressed. The first core function of the framework is Identify. The purpose of the Identify
function is to figure out what the company has in terms of assets, systems, data, and
capabilities, to decide what needs to be protected, and to “establish processes to achieve risk
management goals” (NIST, 2013). The first step in becoming more cyber secure is to identify
what within the company requires protection. Once Magnetek understands its needs, risk
management goals can be set.

Within the Identify function are the following categories: Asset Management, Business
Environment, Governance, Risk Assessment, and Risk Management Strategy. Using the Identify
function as a guide, an assessment of where Magnetek currently lies in relation to cybersecurity
risk can be made. From this assessment, Magnetek will be able to take steps toward improving
its risk management strategy. The average current rating for this section is 2.3, which is below
the target profile for this function. Within the Identify function, two areas that are especially
low are ID.AM-3 and ID.AM-6.

The subcategory ID.AM-3: Organizational communication and data flows are mapped, is an area
in which Magnetek has some room to improve (NIST, Cybersecurity Framework, 2014). Since
the acquisition of Magnetek by Columbus McKinnon, Magnetek has been in the process of
adopting CMCO policies. Before the acquisition, Magnetek had its own policies and procedures.
Moving over to CMCO has been difficult because there are some policies in which Magnetek, as
a smaller company, may need to take a different approach than CMCO. Magnetek would be
able to understand its position within CMCO if communication and data flows were better
mapped.

Another subcategory that should be addressed is ID.AM-6: Cybersecurity roles and
responsibilities for the entire workforce and third-party stakeholders are established. While
there are those at Magnetek that assume cybersecurity roles, there are no official
titles/positions directly related to cybersecurity. Explicitly establishing cybersecurity roles will
aid in the adoption of and adherence to cybersecurity practices at Magnetek.

The second core function of the framework is Protect. The purpose of the Protect function is to
“develop and implement the appropriate safeguards…to ensure delivery of critical
infrastructure services” (NIST, 2013). Once needs have been identified, measures need to be
taken in order to protect assets within the company. I feel this function is particularly
important for Magnetek. As I will discuss later, the target profile for this function is rated at the
highest tier, known as the Adaptive tier. Like the Identify function, the average current rating
for this section is 2.3.

Out of 35 subcategories, I feel it is important to mention 9 of them. The first is PR.AC-4 which is
“Access permissions are managed, incorporating the principles of least privilege and separation
of duties”. Magnetek is currently working on switching over to CMCO’s system and has some
places in which it can improve access control within the company.

The Awareness and Training subcategory of the Protect function looks for cybersecurity training
within the organization. PR.AT-1 and PR.AT-2 state “all users are informed and trained” and
“privileged users understand roles and responsibilities”. With the pains that come with
acquisition, it is sometimes difficult to train/retrain employees. I think Magnetek could benefit
from having cybersecurity training for employees. There are some safeguards in place, such as
firewalls and system monitoring that mitigate the threat of a cybersecurity attack. However,
since a single successful phishing attack is all that it takes for an attacker to gain access to a
system, it’s important to inform and train employees. An updated password policy that adheres
to NIST’s Digital Identity Guidelines, which includes removing periodic password change
requirements, removing arbitrary password complexity requirements and screening new
passwords, would also be beneficial (NIST, 2017). Currently, Magnetek (and CMCO) requires
passwords to be changed every six months, which can lead to employees using generic and
therefore weak passwords.
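As an added illustration of the password guidance described above (this is not code from the paper, Magnetek or CMCO), the following Python check accepts or rejects a new password along the lines of SP 800-63B: a length floor, screening against known-weak and context-specific values, and no composition or calendar-based rotation rules; a second function contrasts the six-month rotation rule with 800-63B's change-only-on-compromise rule. The blocklist, the context words and the 180-day legacy value are constructed assumptions.

```python
"""Memorized-secret check in the spirit of NIST SP 800-63B section 5.1.1.2.
Added illustration only; not Magnetek's, CMCO's, or the paper's code.
Assumptions: the blocklist, context words and the 180-day legacy age are
constructed sample values."""
import unicodedata
from typing import List, Optional, Set

# Constructed sample of a breached/common password list. A real deployment
# would load a large corpus (assumption: from a file or a lookup service).
BREACHED_PASSWORDS: Set[str] = {"password", "password1", "123456", "qwerty", "letmein"}

# Context-specific words (company and parent names) that 800-63B says may be
# rejected because they are among the first things an attacker would guess.
CONTEXT_WORDS: Set[str] = {"magnetek", "cmco", "columbus", "mckinnon"}

MIN_LENGTH = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # 800-63B: verifiers should accept at least 64 characters


def normalize(password: str) -> str:
    """NFKC normalization so visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def is_sequential_or_repeated(pw: str) -> bool:
    """True for trivially predictable strings such as 'aaaaaaaa' or 'abcdefgh'."""
    if len(pw) < 2:
        return False
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def check_password(password: str,
                   breached: Optional[Set[str]] = None,
                   context_words: Optional[Set[str]] = None) -> List[str]:
    """Return the reasons a candidate password is rejected; an empty list means
    it is accepted. Deliberately absent: uppercase/digit/symbol composition
    rules, which 800-63B advises against imposing."""
    breached = BREACHED_PASSWORDS if breached is None else breached
    context_words = CONTEXT_WORDS if context_words is None else context_words
    pw = normalize(password)
    lowered = pw.lower()
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in breached:
        reasons.append("found in breached/common password list")
    if any(word in lowered for word in context_words):
        reasons.append("contains a context-specific word")
    if is_sequential_or_repeated(lowered):
        reasons.append("repetitive or sequential characters")
    return reasons


def rotation_due(days_since_change: int, compromise_suspected: bool,
                 legacy_max_age_days: Optional[int] = None) -> bool:
    """800-63B: force a change only when there is evidence of compromise.
    Passing legacy_max_age_days (e.g. 180 for the six-month rule described
    above) reproduces the older calendar-based policy for comparison."""
    if compromise_suspected:
        return True
    return legacy_max_age_days is not None and days_since_change >= legacy_max_age_days


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "Magnetek2017!", "abcdefgh"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that "Password1" satisfies a typical upper/lower/digit composition rule yet is rejected by the blocklist, which is the point of screening rather than composition rules.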

Within the Protect function, the Data Security category deals with ensuring confidentiality,
integrity and availability of information (NIST, Cybersecurity Framework, 2014). Two
subcategories with lower scores than others are PR.DS-2 and PR.DS-5, which deal with
protection of data in transit and data leaks. Most of the data is transmitted using secure
protocols such as SSL, TLS, and HTTPS, but there are a few areas that could use more
protection. For protection against data leaks, there are firewalls in place, but some of the
servers could use some extra safeguards.

The Information Protection Processes and Procedures subcategory states “Security policies
(that address purpose, scope, roles, responsibilities, management commitment, and
coordination among organizational entities), processes and procedures are maintained and
used to manage protection of information systems and assets” (NIST, Cybersecurity Framework,
2014). The acquisition by CMCO and resulting change of policies, procedures and overall
governance have been a lot to take on, as it would for any company. As such, Magnetek isn’t as
mature regarding security policies as it could be.

There are several subcategories in PR.IP that Magnetek handles well, including backups of data,
physical security, policy over physical operating environment, audits, and data destruction.
Magnetek conducts internal audits and has external audits and utilizes several third-party
security tools. One area that should be a focus for Magnetek is PR.IP-10: Response and recovery
plans are tested. CMCO already tests response and recovery plans. Magnetek has recovery
plans and is currently preparing to test these plans, but they have not yet been implemented.
Unlike CMCO, Magnetek does not have concrete response plans for different situations.
Developing response plans is an action that Magnetek can take that will have many benefits.

Protective Technology, part of the Protect function, deals with technical security solutions. Two
subcategories, PR.PT-2 and PR.PT-3, have low current ratings. Access control, both physical and
logical, should be more restrictive at Magnetek. The transition to CMCO has affected user
access. Some employees have more access than they should and yet some employees can’t
access resources that they need. I am not sure whether Magnetek uses Discretionary Access
Control (DAC) or Role Based Access Control (RBAC) or if access control is managed by CMCO.
Reviewing and updating access control procedures will aid in ensuring the security of
Magnetek’s systems.

The next core function of the framework is Detect. The purpose of the Detect function is to
“develop and implement the appropriate activities to identify the occurrence of a cybersecurity
event” (NIST, 2013). As mentioned before, Magnetek has a continuous monitoring system and
logs to detect security events, which is one of the reasons why the current profile is relatively
close to the target profile. For the Detect function, Magnetek’s average current rating is 2.4,
which is the second highest current rating of the core functions. While Magnetek is moving in
the right direction regarding detection, there is always room for improvement. One
subcategory that needs attention is DE.DP-3: Detection processes are tested. Some processes
aren’t currently being tested or are “tested in production”, so anomalous events could be more
damaging than if there were tests in place.

The fourth core function of the NIST framework is Respond. The purpose of this function is to
“develop and implement the appropriate activities…to take action regarding a detected
cybersecurity event” (NIST, 2013). When cybersecurity events occur, organizations that have
response plans in place are much better equipped to deal with these events. Magnetek’s
current rating for this function is 1.6, which is the lowest of all the functions. The reason the
score is so low is that Magnetek does not have concrete response plans or established criteria.
Since response plans are a part of several Respond subcategories, not having plans greatly
affects the current rating and the preparedness of Magnetek. The first subcategory within this
function, RS.RP-1, discusses having and executing a response plan. Response plans can help
lower the reaction and response time to cybersecurity events and help employees figure out
what is needed of them during such events.

Four subcategories of the Communications category that I will point out are RS.CO-1 through
RS.CO-4. Without concrete response plans, it’s impossible to have a high rating in these
subcategories. RS.CO-1 states “Personnel know their roles and order of operations when a
response is needed” (NIST, Cybersecurity Framework, 2014). Within Magnetek, the team that
handles cybersecurity events does not have specific roles assigned to it. Instead, when an
event occurs, it’s “all hands on deck” with everyone on the team assuming roles in response to
the event. As mentioned before, assigning cybersecurity roles would greatly benefit Magnetek.
RS.CO-2 states “Events are reported consistent with established criteria” (NIST, Cybersecurity
Framework, 2014). Currently, there doesn’t seem to be a process in place that allows
employees or monitoring systems to report events in an easy and reliable fashion. I feel that
consistent event reporting could be implemented with ease in Magnetek’s current system.
Event reporting can help employees make decisions about response plans and can reduce the
damage of an event by decreasing the time it takes for an event to be found. RS.CO-3 states
“Information is shared consistent with response plans” (NIST, Cybersecurity Framework, 2014).
Since response plans aren’t in place, it’s difficult for information to be shared in a consistent
manner. Currently, information about cybersecurity events is spread through email. Once
response plans are established, Magnetek should establish a better way to spread
information. The last subcategory of the Communications category states “Coordination with
stakeholders occurs consistent with response plans” (NIST, Cybersecurity Framework, 2014).
Again, the lack of response plans inhibits Magnetek from communicating effectively with
stakeholders. It is clear that response planning can greatly benefit Magnetek should a
cybersecurity event arise. I’d recommend that Magnetek develop some contingency plans for
cybersecurity events and assign specific roles to employees that will deal with such events.

The last category I’d like to point out in the Respond function is Improvements. RS.IM-1 and
RS.IM-2 deal with updating and improving response plans. Once Magnetek develops its
response plans, it will be very important to keep these plans updated and to continuously
review and improve the plans. These subcategories should also be considered for CMCO.
Regular review and updates of plans will help the parent company, which in turn will help
Magnetek, improve its strategies.

The final function is Recover. The purpose of Recover is to “develop and implement the
appropriate activities, prioritized through the organization’s risk management process, to
restore the appropriate capabilities that were impaired through a cybersecurity event” (NIST,
Cybersecurity Framework, 2014). As mentioned earlier, Magnetek has a solid recovery plan for
business interruptions/events. For example, if a recall needs to be made on a specific product,
Magnetek communicates swiftly and effectively to customers and employees. As stated in
Magnetek’s mission statement, the customer is always put first. Recovery plans for
cybersecurity events should mirror how Magnetek currently handles other business-stopping
events. Sensitive information that Magnetek stores includes customer information such as
names and credit card numbers as well as sensitive employee information. Therefore, it’s
important to have a recovery plan in case of a cybersecurity breach.

Target Profile

Magnetek’s target profile is tier 3 for the Identify, Detect, Respond, and Recover functions and
tier 4 for the Protect function. The difference between tier 3 and tier 4 is the use of
cybersecurity activities to learn from lessons, predict future events, and continuously improve
processes. In tier 4, the organization can adapt to evolving threats and uses an
organization-wide approach to deal with potential and existing threats. The Protect function has a higher
target profile because I feel that protecting Magnetek’s assets will greatly improve the
cybersecurity of the company. Increasing protection will inherently aid the other core functions
of the framework. While all the core functions are important for Magnetek’s cybersecurity
efforts, I feel that bolstering areas within the Protect function will be very beneficial to
Magnetek. Another reason why I think the Protect function warrants a tier 4 target profile is
that Magnetek produces drives that control industrial equipment. On some of these drives, it is
possible to connect wirelessly. As a worst-case scenario, if a threat actor could gain access to a
drive that controlled an industrial crane in a restricted area, such as a nuclear power plant, it
could be devastating. Therefore, it’s important for Magnetek to be concerned with the
protection of its assets. The target profile for all the core functions is illustrated in the chart
below.

[Chart: target profile by core function, scale 1 to 4: Identify 3, Protect 4, Detect 3, Respond 3, Recover 3.]

Gaps

By subtracting the current profile scores from the target profile scores, a gap score is
calculated. While all the core functions have scores below the target profile, there are two
functions where there is a large discrepancy between profiles. The two functions with the
largest gap scores are Protect (with a score of 1.7) and Respond (with a score of 1.4). When
scoring the current profile for the Protect function, I noticed that none of the subcategories
received a score of 4 (the target profile score). I feel that the Protect function should be a top
priority for Magnetek. The Respond function also received a large gap score. As mentioned
before, developing and implementing response plans will help Magnetek increase its current
profile score.

Action Plan

Some key actions that Magnetek can take to achieve its target profile are defining risk
management goals for the company, assigning cybersecurity roles within the IT department,
updating security policies, and developing response plans. Adopting a new framework can be
costly, with a long return on investment, and it can be difficult to gain support from upper
management if the value isn’t apparent. This is made even more difficult by the fact that
Magnetek doesn’t have a dedicated cybersecurity team. Magnetek currently doesn’t have the
resources to hire an entire team, but adding a “cybersecurity czar” or at least assigning
cybersecurity roles within the IT team will help gain support for cybersecurity efforts. A
cybersecurity lead would be able to uncover the value of adhering to the NIST framework to
upper management at Magnetek and CMCO. Magnetek may also want to consider being
involved in a pilot project where the benefits of cybersecurity can be shown to CMCO, the
parent company. Intel recently conducted a pilot project where a subset of employees was
involved in assessing the cybersecurity risk within the company (Intel, 2015). Implementing a
project like this at Magnetek could show the benefits of improving cybersecurity to CMCO. This
could in turn encourage CMCO to implement organizational-wide cybersecurity efforts.

Bibliography

Curtis, J. (2017, November 13). Equifax Data breach: Hack costs Equifax $87.5 million, as income plummets. Retrieved from ITPro: http://www.itpro.co.uk/data-leakage/29418/equifax-data-breach-hack-costs-equifax-875-million-as-income-plummets

Department of Homeland Security. (2017, July 11). Critical Infrastructure Sectors. Retrieved from Homeland Security: https://www.dhs.gov/critical-infrastructure-sectors

Intel. (2015). The Cybersecurity Framework in Action: An Intel Use Case. Retrieved from intel.com: https://supplier.intel.com/static/governance/documents/The-cybersecurity-framework-in-action-an-intel-use-case-brief.pdf

ISO. (2015, September 23). ISO 9000. Retrieved from Quality Management: https://www.iso.org/iso-9001-quality-management.html

Magnetek. (2017, January 01). Magnetek. Retrieved from Magnetek Mission Statement: https://www.magnetek.com/Magnetek/Mission_Vision

NIST. (2013, December). Cybersecurity Framework Development Process Overview. Retrieved from Cybersecurity Overview: https://csrc.nist.gov/CSRC/media/Events/ISPAB-DECEMBER-2013-MEETING/documents/cybersecurity-framework_nist.pdf

NIST. (2014, February 12). Cybersecurity Framework. Retrieved from Nist.gov: https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

NIST. (2017, June 01). Digital Identity Guidelines. Retrieved from NIST Special Publication 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html
