Who’s Responsible for Cybersecurity in Industrial and Manufacturing Settings?
One of the most significant challenges in industrial cybersecurity is a lack of experience and clarity.
- By Devin Partida
- Aug 24, 2021
The vast majority of industrial and manufacturing safety discussions center around physical dangers. Workplace hazards like falls and contact with machinery are still relevant and deserve attention, of course. The industrial world faces digital threats, as well. Cybersecurity must now play a role in every industrial company’s safety consideration.
By 2018, 60 percent of heavy industry companies experienced a data breach in their industrial control or supervisory control and data-acquisition systems. Since then, digitization has only increased and cybersecurity standards have yet to match new technology’s adoption rate. One of the most significant challenges in industrial cybersecurity is a lack of experience and clarity.
These technologies and the threats they bring are new to industrial and manufacturing businesses. Many do not have a dedicated IT department or a chief information officer (CIO). As such, it is often unclear who is responsible for ensuring these companies stay safe from cyber threats.
What Cyber Risks Do Industrial Businesses Face?
The first step in establishing a new security architecture is determining what risks these businesses face. Perhaps the most pressing is internet of things (IoT) vulnerabilities. Hackers can use facilities’ seemingly innocuous IoT devices as a gateway to their network, accessing more sensitive data.
As manufacturers and other heavy industry businesses collect more data, they become more valuable targets. Ransomware attacks can threaten to destroy mission-critical data or leak sensitive client information unless companies pay a hefty sum. Similarly, these industries’ reliance on digital technologies means any downtime could lead to significant disruptions and bottlenecks.
Since heavy industries are new to many digital technologies, breaches from human error are more likely. These companies and their employees may be more vulnerable to phishing or accidentally exposing sensitive information.
When businesses start to understand these risks, the path forward grows clearer.
Ensuring Industrial Companies Comply with Standards
Some cybersecurity standards already exist for heavy industries, most notably the Cybersecurity Maturity Model Certification (CMMC). While the CMMC is designed for Department of Defense (DoD) contractors, it can be a helpful guide for all industrial and manufacturing companies. The responsibility, therefore, falls upon company leadership to embrace these standards even when they do not legally have to.
Cybersecurity experts point out that the CMMC is necessary but not sufficient, so companies must also go beyond these standards. Steps to take after meeting these guidelines are less clear for heavy industries, so their executive leadership must evolve. These sectors would benefit from creating a CIO or chief security officer (CSO) position to guide company-specific actions.
Creating a permanent position devoted to cybersecurity gives companies the organization they need for effective cybersecurity. The CIO or CSO can ensure compliance with standards like the CMMC, approve new technology investments, design company security infrastructure and train other employees. Without executive leadership, these industries’ cybersecurity efforts risk being uncoordinated and insufficient.
Changing Industrial Cybersecurity Culture
While hiring a CIO or CSO is a necessary step, cybersecurity should not end in the boardroom. Given the day-to-day risks of human error and attacks that capitalize on them, industrial cybersecurity must be a company-wide effort. It starts with industry standards that an executive then interprets and plans around, but then the responsibility of implementation trickles down.
Not every worker needs to be a cybersecurity expert, but they should receive basic training. According to a Deloitte survey, four out of 10 top threats to industrial cybersecurity involve employees. Teaching workers about relevant cyber risks and how to avoid them is essential to preventing these threats.
Industrial companies should stress how cybersecurity is a company-wide responsibility. Holding regular training and refresher sessions can help ensure workers do not make potentially damaging mistakes. Workers already learn to avoid physical harm in industrial settings, and cybersecurity should become a part of that on-boarding process.
Cybersecurity is Everyone’s Responsibility
Industrial cybersecurity is so pressing, and there is a widespread concern in which the responsibility does not fall to one person. Rather, it should be a shared and organized effort, starting at the top of the company leadership and flowing down to every worker. Industrial and manufacturing businesses must create a culture of cybersecurity just as they have with physical safety.