5 principles to develop a culture of cyber resilience in manufacturing

The increasing adoption of Industry 4.0, characterized by the pervasiveness of digital technologies in manufacturing processes, has opened up new avenues for cybercriminals to exploit.

Recently, there has been a surge in cyberattacks targeting manufacturing, posing not only operational and financial threats but also potentially life-threatening disruptions to critical infrastructure. For manufacturers, the question is no longer if a cyberattack will happen but when.

This article explores five essential principles to help manufacturers develop a culture of cyber resilience.

A single cyber breach within your supply chain can trigger operational disruptions, financial losses, regulatory non-compliance and, increasingly, physical consequences. Therefore, the first step is to shift mindsets and attitudes, positioning cyber resilience as a business priority embraced throughout the entire supply chain organization.

Culture change starts at the top, making it critical for supply chain leaders to personally champion the mindset shift and act as role models, seamlessly integrating this focus into the existing culture, like people safety or product quality.

This translates into driving education and training campaigns so employees at all levels understand their role in maintaining cyber resilience as part of their daily jobs. This also requires adjusting reward systems to incentivize adherence to cybersecurity protocols, from proactive threat identification to systematic incident reporting and response. Finally, it entails integrating cybersecurity in governance structures with clear policies, pragmatic procedures, regular checks, and ongoing monitoring to address deviations promptly.

Cyber resilience is not a one-time effort but rather a continuous journey. The threat landscape is perpetually evolving, with new tactics emerging that exploit the convergence of traditionally isolated and often outdated Operational Technology (OT) with the more connected Information Technology (IT). This convergence, coupled with product and system vulnerabilities, creates a broader attack surface for cyber threats.

Considering how critical the IT/OT ecosystem has become to enable the realization of long-term benefits – from supply chain efficiencies to product innovation and customer service – it is paramount for manufacturers to nurture and relentlessly enhance their cyber resilience capabilities and their associated governance.

This begins by allocating dedicated cybersecurity resources, both centrally and in proximity to the manufacturing and supply chain operations, to ensure seamless collaboration. Their tasks should include proactively inventorying assets, upgrading obsolete infrastructure, implementing cybersecurity policies, and conducting regular assessments. They should also train for incident response and crisis management, report and respond to incidents, and importantly, nurture a security culture through ongoing education and training programmes.

Remember that your employees are both your first line of defence and a potential weak link, so it is key they have clear accountability and empowerment, supported by the necessary skills, knowledge, and tools to safeguard your organization.

Cybersecurity should not be an afterthought, merely attached once a project is completed. Instead, it should be integrated “by design” into every process and system, with design principles interwoven into the very fabric of organizations. This means treating cybersecurity as a fundamental requirement in the development of new products, processes, systems, and technologies.

Embedding cyber resilience into the industrial DNA also hinges on enforcement mechanisms. As an illustration, Schneider Electric enforces directives from the executive level: new projects and internal labels such as “Smart Factory” or “Smart Distribution Center” can only be granted to plants or distribution centres that meet the expected cybersecurity performance targets. Moreover, since 2022, every new production line must comply with industry-recognized standards.

In addition to these measures, cyber resilience should be integrated into decision-making processes, becoming an integral part of the company’s governance. This proactive approach promotes security as a fundamental consideration from the outset rather than a reactive measure.

As the digitization pace accelerates, risk profiles also evolve, requiring organizations to tap into a wealth of expertise, both internal (e.g. industrialization) and external (e.g. robotics, artificial intelligence).

Internally, this starts by partnering with IT, leveraging their expertise to navigate the complex digital landscape and drive a pragmatic and secure IT/OT convergence. It also requires building and preparing a cyber talent pool by nurturing a network that empowers your IT/OT and cybersecurity experts to stay updated on the latest threats and mitigation strategies.

Externally, it involves collaborating with suppliers, customers, industry groups, and public sector organizations on leading practices for risk mitigation, threat information like new vulnerabilities, regulatory requirements for posture and products, etc. Any fresh perspective can uncover hidden weaknesses and recent trends, helping refine the cyber resilience strategy and reinforce ties for the times when incidents occur.

Amidst the technical complexities of cybersecurity, leaders should embrace the principle of simplicity. Simplifying the messaging and strategies around cyber resilience makes it more accessible and engaging for the entire organization is a must.

By making cyber resilience a business and collective priority, relentlessly improving cyber capabilities, driving cyber resilience by design, partnering with the extended ecosystem, and keeping it simple and exciting, manufacturers can bolster their capacity to safeguard vital assets, sustain operations, and preserve their reputation amidst cyber threats.

Let’s collectively embrace these five principles to fortify manufacturing against the perils of cyber threats and forge a safer, more secure future for all.