Cyberattacks in manufacturing are on the rise. So how should the industry respond to this increasing threat? It takes organization, buy-in and cybersecurity maturity.
Awareness of the need for cybersecurity has been growing, as attacks like SolarWinds, Oldsmar and Verkada regularly hit newsfeeds. But while awareness is growing, the way industrial organizations handle their cybersecurity processes often is not.
According to Pranav Patel, CEO of ResiliAnt, an industrial cybersecurity brand, and MediTechSafe, a health care cybersecurity brand, this all comes down to cybersecurity maturity – a combination of a robust strategy, organizational engagement and operational excellence. Achieving maturity is essential for industrial organizations, but it requires a real paradigm shift in thinking to make it a reality.
“NIST (National Institute of Standards and Technology) and other standards, or guidance, are suggesting companies take a broader approach to cybersecurity,” Patel said. “Now they’re having organizations focus on processes and policies that cut across and span across multiple functions, such as operations, HR, physical security, sourcing, legal. This is way beyond the involvement of a single information technology or information security function. So what’s needed is really flipping the pyramid where everybody is involved in cybersecurity.”
According to Patel, this sea change will require a major management effort across organizations. The problem is that most companies are hard-wired to equate cybersecurity with information technology. While technology professionals have a role to play and have done a solid job thus far, treating cybersecurity as an IT-only matter is reaching a point of diminishing returns. This is especially true when you consider that almost three-quarters of attacks in manufacturing involve some sort of human error.
“As soon as you talk about cybersecurity, they’ll point you straight to the technical team. But just like any other change process, you have to show them how it impacts them,” Patel said. “A cyberattack in a small-to-midsize manufacturing firm would cost them about 7% of their annual revenue. Most of companies’ operating profit falls within that range. So, in other words, you’re saying if you got hit by a cyberattack, you’re probably wiping out your whole year’s operating profit. Let alone all the brand impact that you’ll face.”
The responsibility for cybersecurity needs to be spread out across organizational functions, but this doesn’t happen organically. It takes the kind of buy-in that comes when the effort is advocated for at the highest levels.
“The approach to cybersecurity has to change,” Patel said. “It requires championship for CEOs, CFOs, rather than just only the CIO. It needs a more programmatic approach, and then the focus has to be on maturity, in addition to the breadth of controls, if you will. So now you’re changing that pyramid and really making it a part of your DNA.”
In Part 1 of our interview with Pranav Patel, he talked about the rising threats and vulnerabilities manufacturers face, and what smart companies can do to combat them. Watch for future installments from our expert interview series on Industrial Cybersecurity Pulse in the coming weeks.