The manufacturing sector faces an increasingly daunting cyber threat landscape that puts production operations, intellectual property, and entire supply chains at risk. In a white paper released this month, the World Economic Forum (WEF) has issued a call to action for industrial companies to foster a pervasive culture of cyber resilience.
Titled "Building a Culture of Cyber Resilience in Manufacturing," the report provides a comprehensive framework for instilling cybersecurity priorities and readiness across manufacturing enterprises. It advocates moving beyond traditional cybersecurity compliance checklists toward holistic resilience.
"Simply checking boxes is no longer sufficient to withstand escalating cyber attacks from criminals, nation-states, and insiders," the paper states. "Manufacturers must make cyber resilience a fully institutionalized part of their organizational identity."
The WEF's recommendations span three core dimensions of cyber resilience in manufacturing:
Governance and risk management
- Formalize cybersecurity governance with clear roles, responsibilities, and accountability
- Adopt a risk-based approach to cyber resilience investments and prioritization
- Conduct comprehensive cyber risk assessments across processes, people, and technology
- Establish cyber resilience performance metrics integrated with business objectives
Technology enablers
- Leverage security-by-design principles for products/systems from initial concept
- Implement core cybersecurity controls like identity/access management and monitoring
- Prioritize operational technology (OT) and industrial control system (ICS) security
- Adopt Zero Trust security architectures to limit attack surfaces and data exposure
Workforce development and awareness
- Foster a cyber-conscious workforce through robust training and awareness programs
- Attract and retain top cybersecurity talent through innovative recruiting and compensation
- Cultivate interdisciplinary cyber-physical skillsets for OT/ICS security
- Promote open collaboration and knowledge-sharing on cyber resilience
The paper highlights several real-world examples of manufacturing cyber incidents that illustrate escalating risks, from costly ransomware attacks to intellectual property theft by nation-state actors. It warns that by 2030, damages from cyberattacks on manufacturing could total $1.5 trillion annually.
"We can no longer accept divergent cultures in IT and OT. The risk is too great, and key business partnerships are required," said Amy Bogac, former CISO at The Clorox Company. "If you are a CFO, COO, or supply chain leader, please engage with your security partner like your (professional) life depends on it."
Bogac added: "I wholeheartedly agree that manufacturing companies must engage with these three guiding principles:
- Make cyber resilience a business priority: Embed cyber resilience in the organization's DNA or foundational structure, from the leadership to the shop floor.
- Drive cyber resilience by design: Integrate cybersecurity into people, processes, and assets.
- Engage and manage the ecosystem: Build trusted partnerships, manage third-party risks, and raise security awareness by identifying the key stakeholders."
To overcome this existential threat, the WEF advocates cyber resilience as a strategic imperative requiring C-suite leadership, cross-organizational cultural change management, and a mindset of continuous adaptation to evolving cyber threats.
"Safety is always the number one priority in manufacturing organizations," said Tammy Klotz, CISO at Trinseo. "Security practitioners who embed security into their company's safety program will be most successful. All workers should go home at the end of the day as safe and secure as they arrived!"
"Protecting manufacturing operations requires a shared responsibility model, which includes local plant leadership, manufacturing engineering and operations, and information technology and security teams. Active executive sponsorship from the Chief Operating Officer, Chief Information/Digital Officer, and Chief Information Security Officer sets the tone from the top and drives everyone to the same common goals."
While implementing the WEF's recommendations requires significant investment, the paper argues the potential impacts of a single major cyber incident could prove far more devastating to manufacturers' bottom lines, competitiveness, and reputations.
"In the realm of building control systems, each structure can harbor anywhere from four to eight distinct systems. These systems are managed by a single service provider, who, in turn, may employ four to five technicians with round-the-clock access," said Fred Gordy, National Practice Lead, Building Cybersecurity, at Michael Baker International. "Unfortunately, most service providers rely on a single username and password across all systems, granting access to both current and former employees. Remarkably, the majority of building owners lack service agreements that govern provider access. Consequently, in an average building with six systems, an alarming 24 to 100 or more individuals can have unrestricted, uncontrolled access to critical infrastructure. Addressing this significant gap is imperative."
Some snippets from the white paper:
- "Heightened connectivity of the manufacturing digital ecosystem to various enterprise systems, the internet, cloud providers and service providers presents significant challenges in the industrial OT environments. This transition from traditional airgapped systems to hyperconnected environments augments cybersecurity risks. Furthermore, discrepancies in investments between low- and high-revenue organizations exacerbate these challenges. The boost in data exchange with the entire supply chain, including small and medium enterprises (SMEs) that are typically low-tech, has increased this risk."
- "The upsurge in connectivity and data transparency in the manufacturing ecosystem has expanded the sector's exposure, making it, for three years in a row, the sector most targeted by cyberattacks, accounting for 25.7%, with ransomware comprising 71% of these attacks. Given the complexity of modern supply chains, disruptions along the manufacturing process can have systemwide cascading effects, beyond the control of any single entity."
- "Ransomware remains the top-of-mind concern for manufacturers with 40% of the Cyber Resilience in Manufacturing survey respondents ranking it first. According to recent research, ransomware attacks on industrial organizations increased by nearly 50% in 2023, with 71% of attacks directed at manufacturers."
- "Manufacturing organizations present an attractive target for ransomware attacks, given their low tolerance for downtime and their relatively low level of cyber maturity compared to other sectors. Furthermore, these industries frequently underinvest in cyber resilience, primarily due to the substantial costs associated with redesigning manufacturing lines and upgrading equipment."
- "With production facilities spanning the globe, each interconnected entity acts as both a producer and a consumer, creating a complex network vulnerable to cyberthreats. Consequently, a cyberattack on one company can trigger ripple effects across the entire ecosystem, leading to costly consequences."
- "The resulting risks are systemic, contagious and often beyond the understanding or control of any single entity. According to the Global Cybersecurity Outlook 2024, 54% of organizations lack adequate visibility into the vulnerabilities of their supply chain. Additionally, 41% of organizations that suffered a material impact from a cyberattack reported that the breach originated from a third party."
- "Divergent organizational culture between enterprise and industrial environments presents the most significant obstacle to cybersecurity efforts, according to the Cyber Resilience in Manufacturing survey. Issues include distinct priorities: IT and OT teams traditionally work at different ends of the technology stack and data flow; distribution of responsibilities: with the increased pressure on business to cut cost and increase profitability, many organizations tend to have people wearing multiple hats and performing various tasks, ignoring the importance of segregation of duty and the associated risks; fragmented cybersecurity governance: many organizations lack a comprehensive cybersecurity governance framework, leading to decentralized decision-making at the manufacturing site level and hence increased risk; and talent shortage: the global cybersecurity talent shortage, reaching nearly 4 million, is further exacerbated in the manufacturing sector, where the shortage surpasses 67%."
- "Technical challenges have been recognized as the second largest hurdle to cyber resilience. The convergence of outdated legacy systems with the proliferation of connected assets within industrial control systems has engendered an environment inadequately prepared to withstand the sophisticated tactics and capabilities wielded by cybercriminals."
- "Operational challenges hinder manufacturing resilience, ranking third among the challenges in the survey, given the digitalization and automation of manufacturing operations and their often-continuous throughput requirement."
- "Manufacturing organizations must adhere to various regulations and industry standards related to human and product safety, data protection and cybersecurity. The decentralized operational environment and fragmented and diverse local, regional and industry-specific regulatory landscapes add another layer of complexity to cybersecurity efforts."
The SecureWorld Manufacturing & Retail virtual conference on August 28 will tackle all things cybersecurity related to the two sectors. Here are speakers and topics already locked in on the agenda:
- Tammy Klotz, CISO at Trinseo, "Protecting Against OT and IoT Threats"
- Mike Muscatell, Sr. Director, Cyber Security, Acumatica, Inc., "Insider Threat Actors & Artificial Intelligence"
- Al Lindseth, Principal, CISO Advisory Services LLC, "Integrate Transformative OT Cybersecurity Programs to Increase Effectiveness"
- Fred Gordy, National Practice Lead, Building Cybersecurity, Michael Baker International, "Managing Smart Buildings Service Provider Fragmentation"
- David van Heerden, Product Evangelist, Automox, "Secure by Default: Evolving Security Expectations"
- Stephen Dougherty, Financial Fraud Investigator, Global Investigative Operations Center, U.S. Secret Service, "Pig Butchering, BEC, and Artificial Intelligence: What the Secret Service Wants You to Know"
- Arvin Verma, Sr. Strategic Advisor & vCISO, Sentinel Technologies, "Illuminating the Dark Universe: A New Frontier in Third-Party Risk"
- Col. Cedric Leighton, CNN Military Analyst; U.S. Air Force (Ret.); Chairman, Cedric Leighton Associates, LLC; and VJ Viswanathan, Founding Partner, CYFORIX (Former CISO & Sr. Executive at Keurig Dr Pepper, Comcast, HD Supply, and GE), "Cyber Intel Briefing: Manufacturing"
Col. Leighton had this to say about the white paper:
"The WEF is recognizing what many of us in the industry have long known: compliance checklists provide a false sense of security to anyone who uses them," he said. "Cyber threats have morphed. Cybercriminals and nation-states engaged in nefarious cyber activities are exceptionally creative. These bad actors now hide their activities within the very logs companies use to track the health of their IT networks. The manufacturing sector has to get smarter at spotting anomalies both in their logs and in their IT networks."
"VOLT TYPHOON is a prime example of how 'living off the land' techniques can be used to hide cyberattacks in plain sight," Col. Leighton added. "In this case, it's the Chinese doing the 'bad acting,' but the principle remains the same: disguise your activity as part of the legitimate traffic on a given network. It's very difficult for cybersecurity professionals to detect this kind of activity, even if they are looking for it."
As manufacturing digitization and connectivity expand attack surfaces, the World Economic Forum has issued a clarion call. Building enterprise-wide cultures fully imbued with cyber resilience disciplines may be manufacturers' best path toward surviving the gathering cyber storm.
"The huge advantage attackers have over defenders has widened even more with more sophisticated attacks and AI, particularly regarding OT, as we see that as a desired target amid increasing convergence and modernization," Al Lindseth said. "Critical infrastructure and industrial operations really need to take heed and start applying better and more effective top-down risk/resiliency approaches versus following checkbox regulatory driven mandates and relatively simple assessments and mitigation actions."
The report is filled with suggestions, based on survey data, for improving cybersecurity at organizations with manufacturing at their core, including case studies from Unilever, KDD, Siemens, Rockwell Automation, Schneider Electric, Flex, Engro Corporation, and Volkswagen Group.
The WEF white paper concludes:
"Recognizing the complexity and scale of integrating cyber resilience across the manufacturing ecosystem, this playbook offers guidance
to understand the impact of cyber risk on manufacturing and work together to drive a successful cyber resilience culture in manufacturing."
More from Col. Leighton: "It's becoming more and more evident that cybersecurity professionals need to be trained in cyber intelligence trade craft. Cybersecurity training programs need to teach people how the 'other side' thinks and acts. In essence, there's a need for cultural awareness training so we can better anticipate what bad actors might be up to."
"Corporate boards need to include members who are well-versed in cyber intelligence; and those board members who don't understand the cyber threat need to make an effort to understand the dimensions of the cyber threats out there, or they need to make way for those who do," Leighton continued. "Generally speaking, the WEF report is a step in the right direction. If manufacturers adopt its recommendations, they won't be immune from cyberattacks, but they will be far better prepared to deal with them."