5 principles to develop a culture of cyber resilience in manufacturing
Cyber resilience must become a business priority. Image: Getty Images/iStockphoto.
- Cyberattacks pose operational, financial, and potentially life-threatening risks.
- Digitization of manufacturing has opened up new avenues for cyber crime.
- These five principles can help manufacturers build organizational cyber resilience.
The increasing adoption of Industry 4.0, characterized by the pervasiveness of digital technologies in manufacturing processes, has opened up new avenues for cybercriminals to exploit.
Recently, there has been a surge in cyberattacks targeting manufacturing, posing not only operational and financial threats but also potentially life-threatening disruptions to critical infrastructure. For manufacturers, the question is no longer if a cyberattack will happen but when.
This article explores five essential principles to help manufacturers develop a culture of cyber resilience.
1. Make cyber resilience a business imperative
A single cyber breach within your supply chain can trigger operational disruptions, financial losses, regulatory non-compliance and, increasingly, physical consequences. Therefore, the first step is to shift mindsets and attitudes, positioning cyber resilience as a business priority embraced throughout the entire supply chain organization.
Culture change starts at the top, making it critical for supply chain leaders to personally champion the mindset shift and act as role models, seamlessly integrating this focus into the existing culture, like people safety or product quality.
This translates into driving education and training campaigns so employees at all levels understand their role in maintaining cyber resilience as part of their daily jobs. This also requires adjusting reward systems to incentivize adherence to cybersecurity protocols, from proactive threat identification to systematic incident reporting and response. Finally, it entails integrating cybersecurity in governance structures with clear policies, pragmatic procedures, regular checks, and ongoing monitoring to address deviations promptly.
2. Relentlessly improve your cyber capabilities
Cyber resilience is not a one-time effort but rather a continuous journey. The threat landscape is perpetually evolving, with new tactics emerging that exploit the convergence of traditionally isolated and often outdated Operational Technology (OT) with the more connected Information Technology (IT). This convergence, coupled with product and system vulnerabilities, creates a broader attack surface for cyber threats.
Considering how critical the IT/OT ecosystem has become to enable the realization of long-term benefits – from supply chain efficiencies to product innovation and customer service – it is paramount for manufacturers to nurture and relentlessly enhance their cyber resilience capabilities and their associated governance.
This begins by allocating dedicated cybersecurity resources, both centrally and in proximity to the manufacturing and supply chain operations, to ensure seamless collaboration. Their tasks should include proactively inventorying assets, upgrading obsolete infrastructure, implementing cybersecurity policies, and conducting regular assessments. They should also train for incident response and crisis management, report and respond to incidents, and importantly, nurture a security culture through ongoing education and training programmes.
Remember that your employees are both your first line of defence and a potential weak link, so it is key they have clear accountability and empowerment, supported by the necessary skills, knowledge, and tools to safeguard your organization.
3. Drive cyber resilience by design
Cybersecurity should not be an afterthought, merely attached once a project is completed. Instead, it should be integrated “by design” into every process and system, with design principles interwoven into the very fabric of organizations. This means treating cybersecurity as a fundamental requirement in the development of new products, processes, systems, and technologies.
Embedding cyber resilience into the industrial DNA also hinges on enforcement mechanisms. As an illustration, Schneider Electric enforces directives from the executive level: new projects and internal labels such as “Smart Factory” or “Smart Distribution Center” can only be granted to plants or distribution centres that meet the expected cybersecurity performance targets. Moreover, since 2022, every new production line must comply with industry-recognized standards.
In addition to these measures, cyber resilience should be integrated into decision-making processes, becoming an integral part of the company’s governance. This proactive approach promotes security as a fundamental consideration from the outset rather than a reactive measure.
4. Partner with the extended ecosystem
As the digitization pace accelerates, risk profiles also evolve, requiring organizations to tap into a wealth of expertise, both internal (e.g. industrialization) and external (e.g. robotics, artificial intelligence).
Internally, this starts by partnering with IT, leveraging their expertise to navigate the complex digital landscape and drive a pragmatic and secure IT/OT convergence. It also requires building and preparing a cyber talent pool by nurturing a network that empowers your IT/OT and cybersecurity experts to stay updated on the latest threats and mitigation strategies.
Externally, it involves collaborating with suppliers, customers, industry groups, and public sector organizations on leading practices for risk mitigation, threat information like new vulnerabilities, regulatory requirements for posture and products, etc. Any fresh perspective can uncover hidden weaknesses and recent trends, helping refine the cyber resilience strategy and reinforce ties for the times when incidents occur.
5. Keep it simple and exciting for the organization
Amidst the technical complexities of cybersecurity, leaders should embrace the principle of simplicity. Simplifying the messaging and strategies around cyber resilience, so that it becomes more accessible and engaging for the entire organization, is a must.
- Begin by “storytelling” and communicating the importance of cyber resilience in straightforward language, steering clear of jargon and technicalities.
- Illustrate the potential consequences of cyberattacks in relatable terms, emphasizing how they impact individuals’ work and the organization’s overall mission.
- Frame it as an opportunity for growth and innovation. Inject a sense of excitement into your cyber resilience initiatives.
- Encourage employees to become cyber champions by gamifying training, recognizing and rewarding proactive cybersecurity behaviours, and celebrating milestones and achievements in the journey toward cyber resilience.
A call to action: driving manufacturing cyber resilience
By making cyber resilience a business and collective priority, relentlessly improving cyber capabilities, driving cyber resilience by design, partnering with the extended ecosystem, and keeping it simple and exciting, manufacturers can bolster their capacity to safeguard vital assets, sustain operations, and preserve their reputation amidst cyber threats.
Let’s collectively embrace these five principles to fortify manufacturing against the perils of cyber threats and forge a safer, more secure future for all.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.