Workers in a factory working with metal on the shop floor.
Universal Images Group via Getty Images
In 2022, Finnish cybersecurity expert Mikko Hypponen published a book called If It’s Smart, It’s Vulnerable. The concept is strikingly simple: the more digitally connected our lives become, the more opportunities we create for bad actors to attack us.
It’s a warning that applies to all of us – at home, at work or on the move. But for manufacturers, it carries particular weight. As the industry moves into a new era of smart factories and connected operations, many firms find themselves still relying on technologies that weren’t originally designed with connectivity – or cybersecurity – in mind.
Long-time bedrocks of manufacturing operations, like SCADA systems, PLCs and RTUs have been transformative in optimizing throughput, minimizing downtime and delivering consistency. Yet asked to integrate seamlessly with cloud-based systems and AI-powered analytics and these same tools may open the door to cyber criminals.
When worlds collide
It’s a problem that’s not going away. According to figures from the manufacturing leadership council, over 70% of manufacturing equipment in North America is more than 20 years old – much of it operational technology (OT). And with every passing year, it gets more and more outdated.
This includes supervisory control and data acquisition (SCADA) systems, the backbone of plant production. Indeed, as more IoT devices and AI tools emerge, the attack surface for SCADA systems is growing and the threat of disruption and data loss increases. In an industry where uptime and quality are the name of the game, that’s not a risk any manufacturer can afford to ignore.
Yet cybersecurity in smart manufacturing isn’t just a technical challenge; it’s an organizational one. To create a truly connected and secure infrastructure, companies must find a way to bring together the two contrasting worlds of OT and IT.
For OT teams, the goal has always been clear: deliver resilience and efficiency through process stability, reliability, and consistency. IT, on the other hand, has a very different brief. By regularly implementing new tools and updated security protocols, their path to resilience is built on having the agility to stay ahead of an ever-evolving security landscape.
Risk leaders: the new connection-makers
Merging these dichotomous worlds is no easy task – which is where risk leaders come in. Unlike function-specific teams, risk managers see the bigger picture of how outdated systems, emerging technologies, and evolving threats converge to determine enterprise vulnerability. They also have the cross-functional credibility to bring together IT and OT leaders, not just for dialogue, but for strategic decision-making.
Of course, they can’t just snap their fingers and overcome years of differing aims and approaches. But here’s what they can do:
- Map system architecture. Understand what technologies are in use, where they sit, and how they connect. Identify which systems are most exposed and where legacy equipment creates defence gaps.
- Categorize risks. Different technologies carry varying types of risk. Categorizing threats – by equipment age, connectivity, and function – helps prioritize mitigation efforts.
- Define use cases. Look at how systems are used in practice and model potential failure scenarios. What happens if this robot goes offline? If this data feed is compromised? If this interface is spoofed?
- Simulate disruptions. Like red teaming, these exercises help stress-test response strategies and build readiness across teams in the event of a cyber breach or ransomware attack.
- Unify cultures. Facilitate cross-training between IT and OT leaders that allows them to collaborate and learn from each other. Build empathy, align KPIs, and co-develop security protocols that support both stability and protection.
- Engage the board. Cyber risk in manufacturing is now on a par with supply chain disruption and regulatory compliance as a business imperative. Boards need to treat it that way – and hold leaders accountable for integrated, actionable plans.
Shared mindsets, not siloed missions
If this sounds like a cultural shift, that’s because it is. This year’s Threat Intelligence Index makes it clear just how quickly and expansively cybercrime is growing. This requires a shift in how manufacturers view and act upon risk.
But it’s not a demand for OT to think like IT – or vice versa. Instead, it requires a blended mindset built on mutual understanding and a recognition that each group brings something essential to the table.
IT knows, for example, how to implement modern controls and drive awareness across the business. Whereas OT are the masters of keeping operations running smoothly. When those strengths are combined, not traded off, the result is a more secure and resilient organization.
Boards and executive teams have a role to play here too. Cyber risk should be treated as a critical component of operational performance, not a standalone IT issue. That means giving risk leaders a seat at the table and encouraging joint planning between functions that haven’t traditionally worked side by side.
More than the sum of its parts
As AI and other connected technologies become ever more embedded in manufacturing operations, now is the moment for leaders to act. Smart factories are no longer a vision of tomorrow; they are here and reshaping the industry today.
Contrary to what some leaders may think, building security into the tools and technologies that power modern manufacturing needn’t slows things down either. For manufacturers, it’s not a question of choosing between efficiency and security; true enterprise resilience is about designing for both.
From the shopfloor to the supply chain, Mikko Hyponnen is right: if it’s smart, it’s vulnerable. And nowhere more so than in manufacturing. However, if it’s connected and protected, then it’s something even more powerful. It’s future-ready.
