Although cybersecurity has become a priority at many manufacturing companies, risks have increased at the same time. To better understand how companies are addressing heightened risks, Manufacturers Alliance and Fortinet partnered to study the strategies companies are using to cope with the new threat landscape, the state of collaboration between IT and operational technology (OT), the tactics that have promise, and the barriers to progress. Building on a related 2020 study, the 2023 study shows where companies have made progress and where they may have stalled over the last three years.
At a high level, the study revealed that the success of IT/OT collaboration may be the key to the success of many digital initiatives. IT and OT teams need to find ways to share scarce skilled talent. And rather than competing or remaining isolated from one another, they should work together on mutual goals that balance both security and operational priorities.
Manufacturers Are Focusing on Cybersecurity
For an increasing number of companies, the risk of cyberattacks has moved from theoretical to real, so it shouldn’t be a surprise that more manufacturers are focusing on cybersecurity now. In the past few years, high-profile attacks have targeted companies in multiple industries, among them food processing, consumer packaged goods, and energy companies.
When asked to rank cybersecurity as a business risk, 78% of survey respondents put it in the top five, up from 70% in the 2020 survey. Manufacturers identified extortion through ransomware as their top concern, and 36% fell victim to a ransomware attack last year, up significantly from the 23% in the 2020 survey. The rapid monetization of this tactic makes it a favorite in the world of organized cybercrime.
Last year, more than 80% of respondents experienced at least one breach that resulted in unauthorized access to data. Of those respondents, 15% experienced six or more breaches. The most common types of security incidents they reported were phishing, malware, spyware, and ransomware.
Progress in OT Security
Securing OT environments requires visibility into the systems. For equipment already in place, regular audits and assessments are critical elements in the cybersecurity equation. Manufacturers are increasing their efforts, with 48% of survey respondents saying that they have conducted audits or assessments related to OT security within the past six months, up from 44% in 2020. In terms of cadence, 23% perform these audits and assessments on a monthly basis and 49% quarterly. When it comes to acquiring new technology, 87% report that they are performing IT and cyber reviews before they purchase new equipment.
Many manufacturers are also taking a closer look at third-party vendors and service providers, such as system integrators, machine builders, and automation suppliers. The majority (54%) of companies indicate that they require third parties to undergo comprehensive assessment and management. The rest of the companies say their assessments and management are partial (27%), limited (8%), or non-existent (1%).
OT Challenges Continue
Many organizations continue to contend with securing old equipment, often with a “run it until it dies” mentality. Patching a 20-year-old device may be difficult or impossible, and for many companies, incrementally addressing the issues surrounding legacy equipment is the only way to make progress.
The lack of skilled personnel is another issue many companies face. The cybersecurity talent shortage is making it harder to fill open OT security positions, which can lead to team burnout and increased overall risk. When asked if they expect to have the right talent in place to address OT cybersecurity risks within the next three years, 22% of respondents said they are not confident, marking a slight deterioration since the 2020 survey (20%).
Although communication between IT and OT is critical, many manufacturers are struggling with IT/OT collaboration in the aftermath of a breach. Ineffective communication between IT and OT was ranked as a barrier to effective breach response by 82% of the companies surveyed.
As manufacturers evaluate how to blend new technologies for competitive growth, they must also build security into their plans and look at ways to facilitate IT/OT collaboration. The reality is that even though manufacturers have made progress over the past few years, they may not be moving fast enough to stay ahead of OT threats.