WEF initiates multi-stakeholder community to strengthen cyber resilience across manufacturing ecosystem

The World Economic Forum (WEF) is convening a multi-stakeholder community to strengthen cyber resilience across the whole manufacturing ecosystem, as manufacturing remains the sector most targeted by cyberattacks. Experts assessed that while digitalization has benefited the manufacturing sector, those gains could be offset by the associated cyber risks.

“There is no overarching ‘cybersecurity gold standard’ for manufacturers across different sectors and countries which considers the sector’s interdependencies,” Mansur Abilkasimov, vice president for cybersecurity governance and strategy and deputy CISO at Schneider Electric, Dawn Cappelli, head of OT-CERT at Dragos, Filipe Beato, lead at the Centre for Cybersecurity at the WEF, and Giulia Moschetta, research and analysis specialist for the Centre for Cybersecurity at the WEF, wrote in a Monday blog post.

The experts said that the WEF is convening stakeholders from the manufacturing ecosystem, including the public sector and academia, to strengthen cyber resilience across the industrial manufacturing ecosystem by building awareness among decision-makers and mobilizing global commitment. The new initiative will define key guiding principles and practices for collective responsibility across the manufacturing ecosystem, built upon five cyber resilience pillars of:

  • develop a cybersecurity culture from the shop floor to the C-suite.
  • adopt a risk-based approach to identify, protect, and monitor critical assets.
  • plan an incident management process.
  • harden the assets and the industrial control system environment.
  • manage ecosystem risks.

The WEF move comes in the wake of the manufacturing sector being the most targeted sector by cyberattacks for the second year running. Throughout 2022 alone, ransomware attacks on industrial infrastructure doubled, with a potential systemic impact on supply deliveries. Cyberattacks may disrupt businesses and supply chains, offsetting the gains from digitalization and resulting in financial and productivity losses as well as reputational damage.

The manufacturing sector contributes to global circular economies across industries such as consumer goods, electronics, automotive, energy, pharma, food and beverage, heavy industry and oil and gas. In the manufacturing ecosystem, production facilities are spread worldwide and each producer is also a consumer, and vice versa. Therefore, a cyberattack on one company can have ripple effects across the ecosystem, with costly consequences.

“The resulting risks are systemic, contagious and often beyond the understanding or control of any single entity,” the experts said. “A new report found that 98% of organizations have a relationship with a third party that has been breached. In comparison, more than 50% have an indirect relationship, with more than 200 fourth parties experiencing breaches. A recent example is the ransomware attack on a large semiconductor industry supplier, which reportedly cost $250 million in the next quarter.”

The experts also said that the scaling of advanced technologies, such as the industrial internet of things (IoT) and automation, and the increased digitalization and connectivity taking place with the fourth industrial revolution, have greatly improved the efficiency and productivity of manufacturing companies globally. However, this progress has also exposed the manufacturing ecosystem to cyberattacks.

“Considering the current rate of cyber attacks affecting the sector and as cybercrime is predicted to be one of the major global risks in the next two to 10 years, manufacturers must prioritize cybersecurity in the medium to long term,” they highlighted.

The five main threats that target the manufacturing sector are phishing attacks, ransomware, intellectual property (IP) theft, supply chain attacks and industrial IoT attacks. An IBM Security report also found that in 2022, victims in manufacturing accounted for 30 percent of incidents that resulted in extortion.

Manufacturing companies are a lucrative and accessible target for ransomware due to their low tolerance for downtime and their relatively low level of cyber maturity compared with other sectors. In addition, manufacturing industries often lag in investment in cyber resilience because of their extended production cycles and the hefty investments needed to redesign manufacturing lines.

In 2022, a ransomware-as-a-service group called LockBit accounted for the largest number of ransomware attacks targeting industrial organizations and infrastructure. Last year, U.S. government agencies also warned about malicious custom malware targeting industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices.

“Cybersecurity companies have attributed the malware to a state-sponsored actor aiming to access, manipulate and disrupt OT environments and processes,” the experts said. “This malware, dubbed ‘pipedream,’ represents a genuine concern for the manufacturing sector due to its ability to target specific industrial equipment embedded in different types of machinery leveraged across multiple industries.”

Given the growing threat landscape, the manufacturing sector must become cyber-resilient in order to reap the benefits of digitalization. A key struggle in this industry is its fragmented approach to managing cyber-related issues. In the European Union, a new legislative proposal, the Cyber Resilience Act, is being discussed to introduce mandatory cybersecurity requirements for hardware and software products throughout their lifecycle.

Moreover, the new NIS 2 and Critical Entities Resilience (CER) directives classify certain manufacturing industries as important or ‘essential entities,’ requiring them to manage their security risks and prevent or minimize the impact of incidents on recipients of their services.

In the U.S., various federal regulations have been imposed on specific sectors like water, transportation and pipelines, and a National Cybersecurity Strategy was recently released. Also, the International Electrotechnical Commission’s IEC 62443 is considered by many to be the primary cybersecurity standard for industrial control systems, but it is complex: it currently comprises nine standards, technical reports and technical specifications.

The U.S. government’s National Institute of Standards and Technology (NIST) established a cybersecurity framework for critical infrastructure, which is currently being updated, and has developed implementation details for the manufacturing environment. To support the industry, the SANS Institute, a leading cybersecurity training and research center, highlighted five ICS cybersecurity critical controls.

However, the experts cautioned that there is no overarching ‘cybersecurity gold standard’ for manufacturers across the different sectors and countries which considers the sector’s interdependencies and sets the security requirements beyond the existing frameworks and IT standards.

In February, the WEF said that a year after Russia invaded Ukraine, the geopolitical situation has become increasingly tense and volatile, increasing cyber risk while cyberattacks exacerbate geopolitical dynamics. The forum also assessed that, given the likelihood of a prolonged war in Ukraine and of a renewed Russian offensive, malicious cyber operations can be expected as part of a concerted hybrid warfare effort.

To deal with the situation, the WEF described achieving cyber resilience as one of the biggest cybersecurity challenges: it is not a one-time or single-actor effort; rather, a harmonized approach that stretches across borders and businesses is necessary.
