A chief information security officer, a chief information officer and a chief manufacturing officer walk into a bar. Unfortunately, this isn’t the opening line of a joke – they’re in the bar because they need a stiff drink. These are harrowing times for manufacturing professionals who, in an era of Industry 4.0, are trying to integrate their information technology and operational technology while defending against the dramatically rising threat of cyber criminals.
It’s not like they have a choice on whether to integrate their IT with OT such as machine automation, industrial control systems (ICS), robotics, programmable logistics controllers (PLCs) and building management systems (BMS). Successful IT/OT collaboration is critical to modern manufacturers’ digital strategies. Unfortunately, it’s also the portal where cyber criminals gain entry to the lifeblood of the company: factory operations.
In fact, IBM’s X-Force Threat Intelligence reported that in 2021, manufacturing surpassed finance and insurance as the top targeted sector of cyber bad actors. Today, 1 out of every 4 cyber-attacks on business are against manufacturers. And no wonder: Despite FBI guidance, manufacturers pay the requested ransom more often than other industries – and at typically higher rates.
The biggest challenge? Cybercriminals with a track record of innovation set the pace of change. But manufacturers aren’t simply circling the wagons. Just the opposite – they’re meeting the challenge head on.
Catching Up Quickly
Manufacturers Alliance partnered with Fortinet recently to update a joint 2020 study on IT/OT convergence. They found that American manufacturers’ level of cyber maturity is catching up to their accelerated pace of digital transformation. This is vital because, while financial extortion related to data theft is a serious risk, infiltration of operating systems with the intent to sabotage or even shut them down poses an existential threat to manufacturers. (The cyber-attack on Clorox this August, which paralyzed manufacturing operations for weeks and led to shortages of Clorox products in stores across the country, is the most recent poster child for the risk that factories face.)
The Alliance-Fortinet survey of 155 U.S.-based mid-cap to large-cap industrial companies showed that a growing percentage of manufacturers are well on their journey with advanced anti-cybercrime programs and policies yielding impressive results. That journey, of course, starts with a large dose of reality. When asked to rank cybersecurity as a business risk, 80% put it in the top five, 10 percentage points higher than three years ago. And no wonder: that same percentage experienced at least one breach resulting in unauthorized access to data in the previous 12 months.
Thirty-six percent of respondents fell victim to a ransomware attack, up from 23% in our 2020 survey. And more specifically, the impact of OT breaches has significantly increased over the past three years. While 43% of manufacturers in both 2020 and 2023 said they experienced cybersecurity-related operational outages affecting productivity –
- 29% saw operational outages that affected revenue in 2023, a jump of 10 percentage points from 2020
- 26% saw a loss of business-critical data, 14 percentage points higher than in 2020
- 21% experienced a loss of IP, a jump of 10 percentage points in three years
So, how can manufacturers come out ahead of cybercriminals? Strategies are changing quickly. For starters, more than 90% of manufacturers say they’re focused on implementing new solutions to address risks specifically affecting OT, more than twice the percentage of just three years ago. Roughly the same percentage of manufacturers are now subjecting OT equipment to IT or cyber review prior to procurement. Among that group, many are deploying network access controls, including quarantining new devices until approved by the internal cyber team.
Finding Cybersecurity Talent Is Tough
Even with growing sophistication on managing OT threats, manufacturers face one primary obstacle to ultimate success: finding in-house expertise to oversee the cyber threat, a high hurdle considering the broader skilled talent shortage being experienced. In our recent survey, roughly 8 out of 10 manufacturers pointed to scarcity of talent and expertise as a key barrier to effective breach response within the last year.
Of course, manufacturers are in the business of making stuff, not securing networks. So given the scope of OT cybersecurity, from vetting new equipment to responding to breaches, fewer than 10% of companies handle all aspects with in-house resources. Two-thirds combine in-house and external expertise, and about 20% rely on third-party service providers for most of their security needs.
Remember the CIO, CISO and chief manufacturing officer walking into a bar? A decade ago they would never have been seen together. Today, their collaboration, and the smooth and rapid integration of IT and OT, is the key to a successful and safe implementation of Industry 4.0.
Stephen Gold is president and CEO, Manufacturers Alliance.
