There’s no question that computing advances like artificial intelligence (AI), big data analytics, and the internet of things (IoT) have had a big impact on electronics manufacturing. These and related technologies have enabled manufacturers to streamline design and production, as well as tighten the supply chain through greater integration with suppliers and improved communication with customers. But these new technologies have also introduced new manufacturing cybersecurity risks. A 2024 report by ABI Research and Palo Alto Networks found that 25.7% of industrial enterprises have experienced shutdowns due to cyberattacks. And according to Statista, over a quarter of detected cyberattacks in 2023 were against manufacturing firms.
Of course, the answer isn’t to go back to the days of fax machines and proprietary data systems. But to make sure that the latest cyber technologies work for you, it’s important to take steps to safeguard your systems and your data—especially from malicious actors.
Why Cybercriminals Target Manufacturers
Today’s cybercriminals are sophisticated, often able to adopt the personas of co-workers to ask what appear to be routine, work-related questions in order to obtain sensitive information.
Many people assume that finance-related firms are a higher target for cybercriminals than manufacturers. But that’s not the case. The manufacturing industry has over 40% more attacks than the finance or insurance industries, according to Statista. And ABI/Palo Alto has found that 70% of industrial organizations experienced cyberattacks in 2023.
So, what makes electronics manufacturers such a prime target?
One reason electronics manufacturers are attractive to cybercriminals is their large repositories of valuable data. Manufacturers often have extensive databases filled with personal information. That’s a virtual gold mine for hackers, who can sell that data to unscrupulous third parties for a large profit. Manufacturers also have valuable trade secrets and other proprietary information that make them a tempting target for ransomware attacks.
Cautionary Tales
A number of manufacturing companies have been targeted for ransom in recent years. The 2020 ransomware attack against Foxconn may be the most famous of these cyberattacks. In that breach, cybercriminals infiltrated Foxconn’s data systems and demanded a ransom of over $34 million in Bitcoin to prevent the release of sensitive data. And in June of that same year, Honda was hit by a cyberattack that took manufacturing plants in Ohio and Turkey offline.
A 2023 cyberattack on consumer products giant Clorox took many of its automated systems offline, including systems used by the likes of Walmart and Target to order products, costing the company $356 million.
As these examples illustrate, the damage from a successful cyberattack can cost hundreds of millions of dollars—making cybersecurity a paramount concern.
Two Factors Contributing to Manufacturing Cybersecurity Risk
Hackers have been around as long as there have been systems to hack. However, recent advances in technology, coupled with the global pandemic in 2020, set the stage for a rapid escalation of cybercriminal activity.
When the pandemic first hit, there was a mass movement of workers from onsite offices to less-secure remote workspaces—a cybercriminal’s dream. Companies now found themselves vulnerable and ill-prepared for a shift that came on suddenly and had exponential growth. Few companies had robust plans that accounted for the specific security requirements of offsite work. Cybercriminals quickly took advantage of the situation, and ransomware demands skyrocketed. According to the Harvard Business Review, in 2020, the ransom amount paid to cybercriminals increased by more than 300%.
Another challenge to manufacturing cybersecurity is the introduction of more technology into the manufacturing process. While advances such as industrial robots and artificial intelligence can increase productivity and improve supply chain management, these technologies can likewise increase security risks. For example, the rise in connected devices within a manufacturing facility has given cybercriminals new points of attack. Now, if criminals can locate a vulnerability in one area, they potentially have access to a company’s entire interconnected landscape.
Five Ways to Enhance Your Manufacturing Cybersecurity
Cybercriminal activity has caught the attention of the U.S. government, which is trying to increase manufacturing cybersecurity by bringing chip production back home. The 2022 CHIPs and Science Act, for example, requires all semiconductor manufacturing facilities to be located in the United States in order to qualify for funding. The assumption is that facility-wide sabotage will be harder to conduct under U.S. laws and the watchful eye of U.S. counterintelligence officers.
The duty to combat cybercriminals, however, is not solely a government responsibility. There are many steps that companies can take to increase their own manufacturing cybersecurity.
1. Implement Zero Trust Architecture
Zero trust architecture (ZTA) is a security framework based on a simple concept: Don’t automatically trust any user or device, regardless of their location or network.
This strict approach to cybersecurity came about a couple of decades ago. At the time, the standard security model was based on a hardened perimeter around a corporate intranet. While there were protocols in place to ensure that only trusted users gained access to company systems, once inside a company’s online environment, a user could roam freely. This model worked well for a time, back when work was contained in a physical office building and employee devices were limited. But it proved ineffective once remote work became common. And even before the explosion of connected personal devices—i.e., tablets, smartwatches, and mobile phones—cybersecurity experts were getting worried.
One of the pioneers in solving the interconnected-device problem was John Kindervag, considered one of the world’s foremost cybersecurity experts. In 2009, he coined the term “zero trust model.” Its foundational principle comes from a Russian proverb—”trust but verify”—and it’s proven to be solid advice for many organizations. If you want to ramp up your company’s cybersecurity, be sure to adopt all three components of a zero trust model:
- Ensure all resources are accessed securely regardless of location.
- Adopt a least-privilege strategy and strictly enforce access control.
- Inspect and log all traffic.
Many companies now employ this guilty-until-proven-innocent approach across functions and departments. Most employees encounter the zero trust model whenever they’re asked to engage in multifactor authentication (MFA), which requires users to verify their identity at least twice to gain access to systems. In fact, MFA is one of the simplest ways to safeguard against cybercriminals, and even small to midsized manufacturers can easily implement this protocol.
2. Go Beyond Information Security
A cyber-physical system is a one that integrates sensing, computation, control, and networking between physical objects and infrastructure—connecting objects to the internet and to each other. An example of a cyber-physical system would be driverless cars that communicate securely with each other on smart roads.
The increased connectivity among engineered systems is bringing more risk than just information theft—it also introduces the possibility of harm to humans and the environment. Case in point: AP News reported in 2021 that someone attempted to poison a water treatment plant in Oldmar, Florida. Using a remote-access system, the hacker tried to increase the level of lye in the water supply to a dangerous level. The attempt was fortunately caught by an astute supervisor, and the city has since disabled the remote-access system.
Because of these types of risks, Gartner advises companies to take appropriate precautions, pointing out that CEOs could potentially be held personally liable for cybersecurity incidents. “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft,” a Gartner researcher said in 2023.
3. Create an Incident Response Plan
Even the most secure systems face risk. The question is not “if” your company will be targeted but “when.” Therefore, every company should create a thorough incident response plan: a set of written instructions with clear details on what to do in case of a data breach or other cybersecurity incident. And the time to plan is beforehand—not after an attack when every minute is critical to containing the breach. With emergency protocols and backup systems in place, you won’t waste valuable time figuring out the best response or obtaining the necessary permission to act.
Gartner suggests that an incident response plan have four phases:
- Preparation
- Detection and Analysis
- Containment
- Eradication and Recovery
Putting a response team in place and creating a plan can seem overwhelming, but it’s important to recognize the journey towards security is an evolution. As Andy Ellis, former CISO at Akamai, has pointed out, “You don’t have to do it all at once.” The focus should be on having a well-thought, actionable plan, and implementing it step by step over months, or even years if that’s what’s required.
4. Provide Employee Education and Training
Imagine pouring millions of dollars into your cybersecurity systems, only to suffer a breach when an employee unknowingly responds to a phishing email. Unfortunately, many employees still associate “phishing” with obvious scams involving foreign princes. But today’s cybercriminals are far more sophisticated, often able to adopt the personas of co-workers to ask what appear to be routine, work-related questions in order to obtain sensitive information.
While you can’t eliminate all risk of user error, proper instruction and training on cybersecurity best practices will go a long way in decreasing your company’s cybersecurity risk. And this training must be repeated on a regular basis. For example, don’t just teach employees how to identify phishing emails; send fake emails on a regular basis to test employee responses. For those who fall victim to the bait, additional training and support should be offered. Other best practices, such as requiring a second type of confirmation for sensitive requests, can also increase security.
5. Choose Your Third-Party Contractors Wisely
No matter how locked-down your own systems are, you’re only as secure as your third-party vendors and contractors—a fact exemplified by the infamous Target breach that affected 41 million consumers. Initially, no one knew how the breach occurred, but it was later discovered the hackers accessed the Target gateway server by stealing credentials from a third-party vendor.
Lesson learned? Be diligent in your screening of third-party contractors. The security of your supply chain is just as important as your internal cybersecurity.
Manufacturers in certain industries must be especially diligent. As cybersecurity company Palo Alto Networks has pointed out, “manufacturers that build national security-related products face additional types of cyber threat actors and thereby additional urgency to protect their sensitive data.” For these manufacturers, it is especially important to do business with reputable third parties that have the proper registrations and compliance programs in place. For instance, a manufacturer of defense technology should verify that its contract manufacturers are ITAR registered and have appropriate internal controls in place to secure sensitive products and all the technical data associated with such products.
Another industry that requires enhanced security is medical device manufacturing, which is why the U.S. government is attempting to increase security in this area. With the passage of The Consolidated Appropriations Act of 2023, the FDA is now required to include cybersecurity as part of its review for medical devices that contain software, such as heart defibrillators and continuous glucose monitors (CGMs).
No matter your industry, it’s not enough for your own data to be strongly encrypted. So don’t just monitor your own systems—protect your supply chain by ensuring that your vendors are doing the same.
Putting Manufacturing Cybersecurity at the Forefront
According to Forbes, the operational technology (OT) and industrial control systems (ICS) of manufacturers have traditionally focused on speed and efficiency, while cybersecurity has taken a back seat. And unfortunately, a lot of manufacturers still rely on legacy systems and outdated practices that are ill-equipped to handle today’s cybersecurity threats. If this describes your business, then now is the time to act in order to avoid becoming another cybersecurity cautionary tale. The five steps outlined above are a good way to start.
