OT/IT Cyberthreats: A Call to Action for Manufacturers, Customers, and Policymakers

Posted on by Ismail Mohammed

According to the Cybersecurity and Infrastructure Security Agency (CISA), the manufacturing industry is under constant cyber threats. A recent study found that 83% of vulnerabilities in Industrial Control Systems were deeply embedded in the networks1, highlighting the increasing concern for industrial automation security. Though manufacturing systems and products are becoming more connected to the cloud, mobile, and social applications, legacy systems were not designed with cyber threats in mind and remain exposed.

In recent years, the number and severity of cyberattacks on manufacturers and industrial organizations has surged. Ransomware attacks are increasing, causing financial losses and safety hazards threatening businesses. The Industrial Internet of Things has become a prime target for cybercriminals due to the availability of tools, economic incentives, complex regulations, culture, and geopolitics.

A study on the autonomy of manufacturing systems2 analyzed the levels of independence in manufacturing systems, focusing on the role of data, information, and knowledge. It emphasized the importance of data structure, processing, and integration in manufacturing. It also highlighted the need for effective control structures in any assembly system layout. However, it noted the inability to foresee potential attack vectors, suggesting more robust cybersecurity controls are needed.

The escalating threat, contributing factors, and the urgency for manufacturing to prioritize security are pressing issues. Manufacturers and customers also face challenges dealing with fragmented regulations and the need to synchronize cybersecurity policies and solutions among all stakeholders to ensure optimal security.

Policymakers have a role to play in incentivizing cybersecurity investments, promoting information sharing, and developing risk management frameworks. Customers should demand that security be built into systems and products. Manufacturers must prioritize cybersecurity, assess risk, protect infrastructure and data, detect threats, respond to incidents, and recover from attacks. Partnerships across sectors can help address systemic issues.

Governments worldwide are actively developing and implementing policies that address critical infrastructure cybersecurity risks, including IoT and OT device security, to maintain a consistent and well-coordinated approach across various sectors and technologies. The emergence of these policies is prompting the creation of draft and new standards, such as IEC 62443, NIST SP 800-82, and others, with a specific focus on OT security.

Collective action is required to improve cybersecurity maturity and resilience in manufacturing. By grasping the magnitude of the issues, stakeholders can work to strengthen systems, share intelligence and build trust to counter the threats targeting industrial automation. Overall progress depends on the commitment of each party to play their part in securing the digital future of manufacturing.


1Riccetti, Simone. 2019."Industrial Control Systems Security: To Test or Not to Test?." Securityintelligence. April 25, 2019.
2Mo, Fan, Monetti, Fabio Marco, Torayev, Agajan, Rehman, Hamood Ur, Alberola, Jose A. Mulet, Minango, Nathaly Rea, Nguyen, Hien Ngoc, Maffei, Antonio and Chaplin, Jack C.. 2022. "A maturity model for the autonomy of manufacturing systems." The International Journal of Advanced Manufacturing Technology volume 126 :pages 405–428.

Ismail Mohammed

Director, AlixPartners

Technology Infrastructure & Operations

hackers & threats critical infrastructure infrastructure security industrial control security Internet of Things ransomware

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs