Manufacturing companies have a lot to gain from digitizing their operations. Becoming connected and data-driven has numerous benefits, not least increased efficiency, improved quality, and better management of the entire supply chain. To achieve these, manufacturers need systems that control the entire manufacturing flow, from sourcing to final delivery to customer service. However, connecting these systems, directly or indirectly, to networks and the rest of the infrastructure dramatically expands the attack surface and with it the risk of cybersecurity incidents.
To mitigate these risks, manufacturers must adopt a proactive cybersecurity posture—one that is integrated into every facet of their businesses.
Complex digital environments accentuate the need for robust cybersecurity
Manufacturing is complex, with many different digital components: industrial control systems (ICS), the Internet of Things (IoT) and operational technology (OT). This fusion of hardware and software, intended to let data flow seamlessly, creates an interconnected environment that demands greater planning and thought when it comes to security.
Many manufacturing companies also have very intricate supply chains with many stages, from raw materials, components, processing and production to transportation, delivery and service. This requires subcontractors to be included when considering security, further complicating the picture.
Socially critical responsibilities of manufacturing companies
For manufacturing companies, cybersecurity incidents can have far-reaching consequences. If production stops, there is often a significant loss of revenue. But repercussions can extend far beyond financial losses to reputational damage, regulatory penalties and safety hazards to critical infrastructure.
For instance, society depends on water, electricity, food and medicine, all of which manufacturing companies produce. The fact that this type of essential production could be vulnerable to security incidents or data breaches makes it even more important to protect. It is critically important to check that everyone involved in the supply chain, both inside the organization and across the ecosystem of suppliers, service providers, subcontractors and so on, is aware of and resilient to cybersecurity threats.
The socially critical aspects of addressing cybersecurity vulnerabilities in manufacturing are also included in new directives, such as the NIS2 Directive, a European Union (EU)-wide legislation on cybersecurity that provides legal measures to boost the overall level of cybersecurity in the EU. The previous NIS Directive did not have any specific requirements for manufacturing companies, but NIS2 does. This will also have implications for global manufacturers that operate and do business in the EU.
Historically, manufacturing systems have not been connected to external networks. This means that manufacturers did not have to cultivate as strong a tradition of strategic cybersecurity as some other industries. As plants become more connected and data-led, addressing cybersecurity preparedness is urgent. Management must take the lead in this effort, working with the right partner to develop a reliable and cost-effective strategy that bases security controls on risk. The security controls can be technical, but they can also be routines and processes that make the organization more secure.
Working with security at all levels
Unlike other digital systems with regular updates and security patches, many digital production systems remain unchanged for years. This can lead to security gaps that go unaddressed for long periods of time.
In the EU, there is an additional directive that impacts manufacturing companies, called the European Cyber Resilience Act, which requires manufacturing companies to ensure they do not have any known security vulnerabilities in products with digital components marketed in the EU. In tests conducted in 2020, half of all products with digital components still had known vulnerabilities.
Such cybersecurity regulations and directives are only expected to increase.
Manufacturers must take a systematic approach to cybersecurity. Businesses need to work from the ground up with management buy-in to embed a security-first culture within the organization. They need to get a handle on exactly what assets they have, determine the security risks of those assets, and then apply security solutions that can address them. At the same time, it is crucial to have a strategic mindset, perform risk analysis, and plan for compliance.
Here are five steps to get started.
- Evaluate your threat and risk landscape.
- Assess your supply chain. What requirements can you place on your most important vendors?
- Investigate the vulnerabilities in your IT and OT environment.
- Patch systems that are possible to update.
- Update and train employees on incident management and your business continuity plans.
Contact me to learn how we can help you evaluate your organization’s security maturity.