In this Help Net Security interview, Filipe Beato, Lead, Centre for Cybersecurity, World Economic Forum, shares his expertise on the correlation between the digitization of the manufacturing sector and the rise in cyberattacks. He delves into the far-reaching impact of cyberattacks on manufacturing companies, their supply chains, and the global economy. Additionally, Beato discusses the unique nature of cyber threats faced by the manufacturing industry and the challenges of implementing effective cybersecurity measures.
How has the rapid digitalization of the manufacturing sector influenced the increase in cyberattacks on the industry?
The manufacturing sector is digitally transforming with the scaling of advanced technologies, by connecting its factories, production lines and products.
While the digitalization of manufacturing operations provided transformational opportunities and greater efficiency and sustainability, it also connected manufacturing environments and infrastructures that historically operated as isolated silos with limited external connectivity. This expanded the attack surface, making manufacturers more vulnerable to cyberattacks.
In both 2021 and 2022, manufacturing was the most targeted sector by cyberattacks. Throughout the course of 2022 alone, ransomware attacks on industrial infrastructure doubled, leading to systemic impacts and disruptions.
What impact can a successful cyberattack have on a manufacturing company, its supply chain, and the global economy?
The manufacturing sector involves various industries essential for society. It contributes to global circular economies, such as consumer goods, electronics, automotive, energy, pharma, food and beverage, heavy industry and oil and gas. In the manufacturing ecosystem, production facilities are spread worldwide, where organizations are both producers and consumers.
Cyberattacks in the manufacturing sector can lead to significant systemic impacts at different levels, such as downtime of operations, physical and human impacts and even environmental damage. While these can be seen as a company's direct impact, given the complexity of the manufacturing ecosystem, where most organizations are both consumers and suppliers, a cyberattack can create large cascading effects on the wider supply of a product.
This was seen recently with Toyota Motors in February 2022, which had its 28 production lines across 14 plants in Japan disrupted for at least a day after a key supply chain player was hit by a cyberattack. A year on, in February 2023, a large semiconductor industry supplier, Applied Materials, announced that a breach at one of its vendors would have a $250 million impact in the next quarter.
In March of this year, the electronics company Western Digital suffered a breach, with over 10 terabytes of data stolen and the hackers demanding an 8-figure ransom.
How do cyber threats in the manufacturing sector differ from those in other industries, and what unique challenges do manufacturers face in implementing cybersecurity measures?
The Forum’s Centre for Cybersecurity has been working with several sectors such as Oil and Gas, Electricity and Aviation to help strengthen their cyber resilience.
However, unlike most sectors, which are fairly homogeneous, manufacturing is rather diverse, and therefore the challenges and the approaches to embedding cyber resilience in this sector are rather unique. The manufacturing sector is struggling to successfully embed cybersecurity due to a series of constraints. Production plants still operate using legacy and aging technology, which has lower computational power and isn’t regularly updated. Other constraints are the low tolerance for downtime and the extended production cycles, which limit regular cybersecurity patches or updates. Unplanned downtime costs in manufacturing are among the highest (up to $250,000/h).
Moreover, due to their low downtime tolerance, manufacturing companies are a lucrative target for ransomware. Lastly, another issue is the divergent cybersecurity culture: there is often little alignment between IT and OT security teams due to divergent priorities and low awareness among production top management of the need to secure a cybersecurity budget and incorporate cybersecurity in quality and safety training.
How do current legislative efforts, such as the Cyber Resilience Act in the European Union and the NIS 2 and CER directives, aim to address cybersecurity challenges in the manufacturing sector?
There are several legislative efforts taking place globally, like the NIS 2 and the Cyber Resilience Act in the EU or the several executive orders from President Biden in the US, to push for improved cyber resilience across different infrastructures. These have been seen as effective in pushing for industry action in cyber resilience and reducing an organization’s cyber risks. Even fragmented regulatory development will drive action globally.
The Cyber Resilience Act, for instance, is being discussed to introduce mandatory cybersecurity requirements for hardware and software products throughout their lifecycle. The adoption of the Cyber Resilience Act would place obligations on manufacturers to maintain cybersecurity requirements for products sold in the European market, in an effort to harmonise rules and reduce cybersecurity risks for customers.
Early this year, in January 2023, two new EU directives also entered into force: the NIS2, which replaced the previous directive on security of network and information systems, and the Critical Entities Resilience (CER) directive which repealed a 2008 directive on European critical infrastructure. In 2021, following a request from the European Commission (EC) Energy Directorate, the Systems of Cyber Resilience: Electricity community from the World Economic Forum developed a collection of 15 lessons learned and recommendations for improving the new Cybersecurity Directive considering the implications of supply chain attacks and other systemic risks for cybersecurity in the energy industry.
The new legislation classifies certain manufacturing industries, such as medical device and pharmaceutical manufacturers, as “important” or “essential entities,” requiring them to manage their security risks and prevent or minimize the impact of incidents on recipients of their services.
Under the NIS 2.0 directive, the EU will also join the United States and other countries in mandating stricter incident reporting requirements. The legislation will mandate that organizations across the board report cyber breaches and attacks within 24 hours of becoming aware of the incident.
NIS2 compliance also requires manufacturing companies to implement security measures, to continuously monitor and assess their security posture and to identify potential vulnerabilities in their network infrastructure.
How can collaboration among different sectors and countries lead to establishing a unified cybersecurity gold standard for manufacturers?
The manufacturing sector must be prepared against the growing threat landscape by becoming cyber-resilient. One of the manufacturing sector’s main struggles is having a fragmented approach to managing cyber-related issues.
The World Economic Forum is convening stakeholders from the manufacturing ecosystem, including the public sector and academia, to strengthen cyber resilience across the industrial manufacturing ecosystem by building awareness among decision-makers and mobilizing global commitment. This new initiative aims to define a common understanding of cyber resilience as guiding principles and practices for collective responsibility across the manufacturing ecosystem.