Looking back at the records, 1969 appears to have been one of the safest years in modern manufacturing history. There were, by some accounts, only 34 safety complaints filed in total and only two citations issued across the entire U.S. industrial landscape. From that perspective, it means between 1969 and 2019, we saw a 21,638% increase in complaints and a 1,446,600% increase in citations—an objectively dismal and damning record based on these “facts” alone.
So what happened here? Did manufacturing really get a million percent more dangerous? No, of course it didn’t. What really happened was the establishment of OSHA in 1970—the first step to real tracking for these metrics, even before the institution grew its regulatory teeth.
The reality—or at least the closest thing we have to it—is that between 1970 and 2019, manufacturing has become much, much safer—62% fewer workplace fatalities, 75% fewer serious injuries, and so on.
So why am I writing about this? My headline here promised to talk about cybersecurity but so far all I’ve done is talk about safety. Two very different fields, I know. But I argue the overall story is the same.
Before 1970, talk of workplace dangers, injuries and fatalities was taboo. If your customers or investors found out about all the people you were mangling and killing, they would move their money elsewhere. So there were two options for you—you could invest time, money, and effort to stop mangling and killing people, or you could just… ignore it. Just brush it under the rug and never mention it again. Of the two, the latter seemed much easier (and cheaper).
This was the real transformative power of OSHA—it took the easy option off the table. We were forced to acknowledge these incidents, forced to disclose the reality of the situation—we were forced finally to talk about it. And that’s when things began to change.
In 2017, a Statista report calculated there were 71 total confirmed data breaches in the manufacturing sector. Just 71—a figure as preposterous and as fictitious as any pre-OSHA safety report. But that’s the data we had. Why? Because we don’t talk about cybersecurity. Because if our customers or our investors knew about all the infiltrations and attacks, they would move their money elsewhere. Which leaves us with two options… Hopefully you can see the parallel here.
The difference here is, there is no OSHA for cybersecurity forcing us to begin the conversation. There is no external incentive to do anything but brush everything under the rug, patch up the holes and pretend everything is totally fine.
But everything is not totally fine. Even with our limited data, we know that there was at least a 141% increase in data leaked last year and a 7X increase in ransomware attacks. We see reports of attacks everyday—Bombardier, Tesla, Steelcase, Honda, Foxconn, Nissan, the list doesn’t end.
From this, we know three things: We know that today’s hackers are not kids experimenting with code; these are highly sophisticated criminal organizations and nation states directly targeting the manufacturing industry. We know their arsenal of weapons and their tactics have evolved. And, most importantly, we know that our current approach to defense isn’t working.
As the industry grows “smarter,” as more devices and systems come online, this rug-sweeping, deny-everything tactic to cybersecurity isn’t going to cut it. The attacks will continue, their financial impact will grow, and, eventually, people will start getting hurt. It is as volatile and dangerous a situation as I can imagine.
We need to stop this. We need to act.
This starts, just like with safety, by fully addressing the reality of the situation. Both in the walls of your companies and in the industry as a whole, we need a cyberdefense movement—a concerted effort to build up defenses, organize plans and create a real strategy (both behavioral and software) to change the direction of this cyber war.
In 1969, it was unimaginable that the manufacturing industry could ever be safe. In 2021, it seems unimaginable that smart manufacturing can ever be safe. But we have the safety example to guide us, we know what’s possible when we focus on the problem.
And it starts with one simple step: We need to talk about cybersecurity.
