Another week, another major cyberattack, and both the attack and the victim are massive. In case you missed it, the target this time was Johnson Controls, employer of some 100,000 people worldwide, and the ransom demand from the Dark Angels group is a staggering $51 million. They claim to have extracted more than 25 terabytes of data from Johnson’s servers.
As if all that weren’t bad enough, Johnson Controls, which manages HVAC systems, security systems and other industrial controls, is a contractor for the U.S. Department of Homeland Security (DHS). At this writing, investigators are trying to determine whether sensitive information, which might include floor plans of DHS facilities, was compromised.
And a bigger unknown is the potential downstream effect of the breach. The “controls” in Johnson Controls refers in part to countless internet-connected building automation devices at client locations worldwide. Will any of those be compromised as well?
This perfect storm of trouble shines a spotlight on the revised Cybersecurity Maturity Model Certification (CMMC) from the Department of Defense (DoD). As detailed in a previous post, CMMC was developed by the DoD to create environments conducive to safeguarding government information. The latest version, CMMC 2.0, remains in the rulemaking process, and the phase-in period might be as long as five years.
Without getting too far into the weeds of CMMC details, three main provisions highlight version 2.0, and it’s not hard to imagine that any or all of them might have made a difference in the Johnson breach:
- CMMC features a tiered model, progressively advancing security requirements depending on the sensitivity of the information.
- CMMC allows the assessment of cybersecurity standards by the DoD.
- Future contracts involving sensitive information will be contingent upon achieving a CMMC level appropriate to the information.
The one constant in cybersecurity is change, and the bad guys are always innovating. Therefore, there’s no guarantee that even a fully implemented CMMC 2.0 would have mitigated the Johnson Controls disaster. The incident makes it clear, though, that stronger standards are needed, and sooner rather than later.
The other takeaway here is that cybersecurity controls aren’t just for government contractors. While breaches of large organizations like Johnson Controls make the headlines, countless smaller businesses are also attacked daily and are less equipped to withstand this existential threat. Make sure your business is protected and your team is trained.
Questions about cybersecurity for your business? Contact Hill Tech Solutions.