Securing the smart (and not so smart) factory
24th April, 2025 • Online
Cybersecurity is not just about downtime, it’s the key to staying ahead of competitors and staying within key supply chain ecosystems
Cybersecurity is also the foundation of business competitiveness
Over the past decade, the manufacturing sector has undergone rapid digital transformation. While these advances drive growth and efficiency, they also expose the sector to cyber threats.
Numerous pieces of research globally, including research from the World Economic Forum, have shown how many manufacturing firms have been affected by a security incident (60% of UK manufacturers for example). And those same pieces of research have also, sadly, shown that manufacturing remains one of the industries least prepared for the impact of cyber-attacks.
According to one recent study, 80% of companies have critical vulnerabilities, and more than two-thirds had at least one vulnerability from the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, which details flaws that have been exploited in the wild. Approximately 30% have critical vulnerabilities in web applications – often the entry point for cyberthreat actors.
Poor patch management practices are a problem across the industry, as are data leaks and issues with SSL and TLS. And this is before we get to the expanded digital footprint caused by the rise of smart and connected manufacturing, which brings operational technology (OT) and industrial control systems (ICS) into TCP/IP networks, at least periodically, giving hackers access to them via standard business networks.
The effects of all this are clear: manufacturing is up there with healthcare and financial services as a target; it is a leading recipient of sophisticated ransomware, DDoS and BEC attacks; in fact, ransomware that encrypts data on IT networks is now a significant issue in OT security. Part of the reason for this is the sector’s low tolerance for downtime – firms are likely to pay up so they can resume operations quickly. And of course, attacks on IT/OT systems at third-party suppliers can then be weaponised against downstream IT/OT systems.
Cybersecurity is also a problem for manufacturers in another way: because they have historically been poor at cyber-defence, and have known it, manufacturers have tended to slow the adoption of new, smart, connected operational technologies. This in turn affects their competitiveness. To keep up with their peers, manufacturers need to invest in new technology, and so they also need to invest in the solutions that secure that technology.
A failure to improve their security will not only increase risks and decrease competitiveness, it will start to exclude the laggards from the supply chains of security-minded firms in the extended supply chains that now exist between manufacturing and other sectors. Businesses and regulators are now focusing on the disruptions that can be caused to critical economic and infrastructural players by their reliance on insecure third parties. Manufacturers need to make sure they respond.
So, what are the solutions?
Manufacturers must make cybersecurity and resilience a business priority. This means cultural change, better cybersecurity governance and acceptance of the right budget and resources.
They must drive cybersecurity by design. This means integrating cyber resilience into every aspect of processes and systems. A risk-based approach must be used to incorporate cyber resilience into the development of new products, processes, systems and technologies.
They must also develop a better understanding of technical solutions and security design paradigms. Is Zero Trust the answer? What does layered security in an IT/OT environment look like? How do you deal with the issue of false positives? What kinds of solutions are not dependent on online updating? And how can firms stop advanced threats from cross-propagating between business and OT systems?