A recent global survey by Protiviti and N.C. State University’s ERM Initiative focused on the top risks of boards of directors and senior executives. It ranked cybersecurity as the third highest risk in 2024 for manufacturing organizations – and it's projected to be their second highest risk looking out 10 years. This should not be surprising given the growing number of bad actors seeing manufacturing organizations as opportunities, due to factors such as:
- The inherently insecure nature of older manufacturing technology.
- Historically less investment in operational technology (OT) vs. IT security.
- An increase in the connectivity of manufacturing networks to the outside world (including the deployment of IoT devices).
- Insufficient collaboration and coordination between enterprise IT/security teams and plant personnel.
- A lack of visibility into what is connected to and communicating with the shop floor.
- The rapid evolution of new technology supporting both the business and operations.
- And of course, the growing talent gap in cybersecurity resources across all organizations.
Recent breach examples such as Clorox (2023), Kronos (2022), and Maersk (2017) highlight the potential reputational and financial impacts that can occur from a ransomware attack or other cybersecurity incident. U.S.-based companies have an added degree of difficulty in determining the materiality of cybersecurity-related incidents in meeting SEC disclosure requirements.
Given these challenges, manufacturing leaders must be more proactive in identifying and managing cyber-related risk. Below are five recommended strategies for managing and getting in front of the most prevalent and emerging cyber threats to the manufacturing industry:
1. Increase Network Visibility
Having a strong asset management function and “source of truth” device/system/application inventory is a challenge for many organizations. In the manufacturing environment specifically, it is not uncommon to hear cybersecurity leaders say, “I don’t know what all could be plugged in out there.” While certain business IT concepts translate to the OT environment for identifying risks, the tools and processes needed to gain visibility into OT-specific risks will be different.
Consider implementing an asset discovery and threat detection solution designed for OT networks, where device discovery and enumeration are conducted passively. Use the results from the discovery solution to identify and document the systems that are critical to site operations, and prioritize those devices in your security monitoring strategy. Additionally, organizations may consider standing up a test network reflective of the production environment, to provide a safe way to evaluate patches and identify potential vulnerabilities.
2. Enhance Network Segmentation
Restricting the flow of network traffic between the corporate IT and manufacturing (OT) networks can serve as the first line of defense against potential cyber-attacks. Companies should conduct analysis to understand what systems or applications they need to communicate between these two unique environments and restrict/limit all other traffic where possible.
A cyber-attack could originate in either IT or OT and then spread into the other, so it is important to implement bi-directional restrictions where possible, with sufficient planning and coordination to ensure that the configuration of security enhancements does not impede or disrupt operations.
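An added example, not part of the original article, that serves recommendations 1 and 2 together: it builds an OT device list from passively collected flow records, compares it with the documented inventory, and flags any flow crossing the OT boundary in either direction that is not on the allowlist. The subnets, addresses, allowlist and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone layout (assumption): one IT subnet and one OT subnet.
ZONES = {"IT": ipaddress.ip_network("10.10.0.0/16"),
         "OT": ipaddress.ip_network("10.50.0.0/16")}
# Constructed documented inventory of OT devices (the "source of truth").
KNOWN_OT = {"10.50.1.20", "10.50.2.11"}
# Constructed allowlist of required cross-zone flows: (src, dst, proto, dst port).
ALLOWED = {("10.50.1.20", "10.10.5.8", "tcp", 443),    # OT historian -> IT app
           ("10.10.5.30", "10.50.1.20", "tcp", 3389)}  # IT jump host -> historian
# Constructed flow records, as a passive sensor on a mirror port might export them.
FLOWS = [
    ("10.50.1.20", "10.10.5.8", "tcp", 443),
    ("10.10.5.30", "10.50.1.20", "tcp", 3389),
    ("10.10.7.77", "10.50.2.11", "tcp", 502),     # IT workstation -> PLC
    ("10.50.2.11", "10.10.9.9", "tcp", 445),      # PLC -> IT file share
    ("10.50.1.20", "10.50.2.11", "tcp", 502),     # stays inside OT
    ("10.50.3.99", "10.50.2.11", "tcp", 44818),   # undocumented OT device
    ("10.50.1.20", "203.0.113.5", "udp", 53),     # OT -> outside world
]

def zone_of(ip):
    """Return the zone name for an address, or EXTERNAL if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "EXTERNAL")

def ot_inventory(flows):
    """Map every OT address seen on the wire to the services it was seen offering."""
    seen = {}
    for src, dst, proto, port in flows:
        if zone_of(src) == "OT":
            seen.setdefault(src, set())       # present, even if it only initiates
        if zone_of(dst) == "OT":
            seen.setdefault(dst, set()).add((proto, port))
    return seen

def boundary_violations(flows):
    """Default-deny check on flows that cross the OT boundary, in both directions."""
    out = []
    for src, dst, proto, port in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and "OT" in (sz, dz) and (src, dst, proto, port) not in ALLOWED:
            out.append((f"{sz}->{dz}", src, dst, proto, port))
    return out

if __name__ == "__main__":
    print("undocumented OT devices:", sorted(set(ot_inventory(FLOWS)) - KNOWN_OT))
    for v in boundary_violations(FLOWS):
        print("not on allowlist:", v)
```

Each flagged flow is either a missing allowlist entry to be justified and documented or traffic to block at the boundary; run the comparison against observed traffic before enforcing so that required flows are not cut.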
3. Train and Educate All Users
If the foundational elements of an organizational cybersecurity program (people, process, technology) can be illustrated as a stool with three supporting legs, then the “people” leg is widely considered to be the weakest, the one that can cause the entire program to be structurally unsound.
It is critical to design a security awareness and training program for corporate/business users that emphasizes the most relevant threats and how to identify and report them (e.g., phishing emails). However, it is equally important to ensure shop floor personnel are educated on OT-specific risks and indicators of compromise. The training program should also include specific guidance for how to appropriately escalate a potential cyber incident impacting operations.
4. Define a Unique Governance Structure for OT
As distinct risks are present in IT and OT environments, there is also a need to manage them in a unique way. Certain elements of a corporate security policy may be leveraged for an OT environment, such as policies, procedures, standards, and guidelines. But other elements must be different for an OT environment, so a separate governance structure for OT (i.e., resources with dedicated responsibility to secure manufacturing networks/devices), tools and technology should be defined.
5. Implement Security by Design
Of course, security design should be at the forefront of any discussion for a business implementing new systems or applications – and OT environments are no exception, especially considering that manufacturing environments are becoming increasingly connected.
Invite the organization’s cybersecurity function into the conversation early and often, and build security into the design and requirements of manufacturing solutions. Embedding security controls and practices upon deployment reduces the level of exposure and the amount of time during which a vulnerability, such as an insecure design or a missing security update, could be identified and exploited.
It is clear that cyber risk is here to stay for manufacturing organizations, as evidenced especially by the increasing number of incidents and ransomware attacks in this sector in recent years, but these foundational steps can help reduce the risk to a lower priority on boards’ and management’s radar.