• A cyberattack on a manufacturer can have significant knock-on effects that can even spread beyond the industry to other organisations along the supply chain.
• The expense and business impact of pausing production makes it difficult for manufacturers to make system changes or upgrades to address cybersecurity, but this also makes them a prime target for cyberattacks.
• By following three key principles, manufacturers can integrate cyber resilience into their organizational culture to help boost their own security – and that of the other organisations in their business networks.

The manufacturing sector, an essential element of the global economy, encompasses diverse industries such as consumer goods, electronics, automotive, energy and healthcare. Due to its global reach and impact, it plays a significant role in exports, innovation and productivity growth, fuelling economic development worldwide.

The global spread of manufacturing production facilities creates complex supply chains in which producers are also often consumers. Manufacturing is also inherently intertwined with other sectors such as logistics, energy and information technology. And so, any disruption to the manufacturing process can cascade throughout many other sectors – and around the world.

Over the past decade, the manufacturing sector has undergone rapid digital transformation, embracing innovations such as digital twins, robotics, artificial intelligence, cloud computing and the industrial internet of things (IIoT). While these advances drive growth and efficiency, they also expose the sector to cyber threats.

Figure: Timeline showing how tech advances and digital connectivity have also increased cyberattacks. Cyber resilience in manufacturing must increase in response to the growth of digital connectivity over time. Image: Building a Culture of Cyber Resilience in Manufacturing, World Economic Forum

The rise of cybersecurity attacks

The transition from isolated systems to interconnected ones alongside the rise of the internet and then cloud computing has heightened cybersecurity challenges for industrial organisations – especially since different organisations don’t always put the same emphasis on investing in cybersecurity. Increased data exchange throughout the entire supply chain only amplifies these risks. The result is that cyber risk is systemic, contagious and often beyond the understanding or control of any single entity.

In fact, heightened connectivity and data transparency have made manufacturing the most targeted sector for cyberattacks for three years in a row. It now accounts for 25.7% of attacks, with ransomware involved in 71% of these incidents. Manufacturing organizations are a particularly lucrative and accessible target for ransomware due to their low tolerance for downtime and relatively low level of cyber maturity compared to other sectors.

Manufacturing companies also often lag behind when it comes to investment in cyber resilience because of their extended production cycles and the hefty investments needed to redesign manufacturing lines. In February 2024, for example, a German battery manufacturer had to halt production at 5 plants for over 2 weeks due to a cyberattack on its IT system.

With the costs of attacks on this sector increasing by 125% each year, cyber risk is now seen as the third biggest external risk to manufacturers.

Figure: The growing cost of cyberattacks. Image: Building a Culture of Cyber Resilience in Manufacturing, World Economic Forum

Building a cyber resilient culture

The manufacturing sector faces challenges building cyber resilience across five dimensions. Chief among these is the cultural mindset gap between enterprise (or office-based) and industrial environments, with the latter often prioritizing physical safety over cyber safety. This gap poses a significant hurdle to cyber resilience efforts.

Technical challenges are also a major barrier. Outdated legacy systems combined with the number of connected assets within industrial control systems has left many manufacturing organizations unprepared to fend off sophisticated cyber threats.

Manufacturers are also often reluctant to take factories offline to make security upgrades or deal with cyberattacks. Along with the industry’s extended ecosystem dependencies, this makes maintaining cyber resilience difficult. Additionally, strategic challenges arise from dynamic tensions between economic factors, market forces and geopolitical issues. For example, manufacturing is influenced by external forces such as global inflation and rising energy costs. In a recent report, Rockwell highlighted cyber risks as the third biggest obstacle for manufacturers behind these other factors.

Another complication is that manufacturers must navigate various regulations and industry standards concerning human and product safety, data protection and cybersecurity. This is made even more difficult if companies have decentralized operations – most manufacturers have factories around the world, as well as working with subsidiaries that may have their own decision-making practices and priorities. Operating across diverse regulatory landscapes only adds more complexity.

3 ways to make manufacturing cyber resilient

Regardless of these complexities, the manufacturing sector must deal with cyber challenges so it can explore new technologies in a secure manner. In this context, the World Economic Forum’s Centre for Cybersecurity and the Centre for Advanced Manufacturing and Supply Chains recently convened a community of cyber leaders across manufacturing to discuss the key challenges and identify best practices.

The resulting playbook, Building a Culture of Cyber Resilience in Manufacturing, outlines three cyber resilience principles:

1. Make cyber resilience a business priority. This principle emphasizes the need for cultural change and comprehensive cybersecurity governance. It also covers the importance of securing budget and resources, while creating incentives to ensure that cybersecurity is an objective embraced by all stakeholders.

2. Drive cyber resilience by design. This means integrating cyber resilience into every aspect of processes and systems. A risk-based approach must be used to incorporate cyber resilience into the development of new products, processes, systems and technologies.

3. Engage and manage the ecosystem. This principle underlines the importance of fostering trusted partnerships and raising security awareness among stakeholders. Rather than having one organization exert control over a supply chain of other actors, an ecosystem approach involves encouraging all entities in a business network to collaborate to address issues like cybercrime.

This kind of increased connectivity should not mean more risk; in fact, it can help to shift or even gradually improve the risk exposure of an organization. As such, connectivity can provide tremendous benefits to an organization’s cybersecurity programme. It means that systems that were once isolated, providing companies with little visibility, can be managed more effectively at a larger scale.

Figure: The three principles manufacturing companies can use to build a culture of cyber resilience. Image: Building a Culture of Cyber Resilience in Manufacturing, World Economic Forum

These three principles are interlinked and mutually supportive. They are supported by 17 real-world manufacturing use cases and so are applicable across any manufacturing industry and location. And as digitalization progresses, organizations in the manufacturing sector must use these principles to prioritize building a robust cyber resilience culture. This will help the industry navigate the growing cyber threat landscape more effectively.


Source: WEFORUM – by Blake Moret – Kiva Allgood