Podcast: Cybersecurity best practices every manufacturer needs in 2025
Rob Larsen is a security advisor for the cybersecurity firm SilverFort. As a former chief security architect for General Motors, Rob is intimately familiar with cybersecurity from a manufacturing point of view. Rob recently spoke with Dennis Scimeca, senior editor for technology at IndustryWeek, about why manufacturers are being targeted by hackers, and how companies can implement basic cybersecurity protections.
Below is an excerpt from the podcast:
IW: Manufacturers are one of the most popular targets for ransomware attacks. Whenever I get a report on cybersecurity, ransomware is at the very top, by which we mean when threat actors, hackers, bad guys will either encrypt or capture a company's data and then request payment before unlocking or returning the data. And if that incident, that breach, pauses the production line, the amount of lost revenue from not being able to produce has inspired manufacturers to go ahead and quietly pay the ransomware demand to get their data back or to unfreeze their operations. So, ransomware is something that manufacturers really need to be prepared for. Rob, are there other recurring attack types that manufacturers specifically when setting up their cybersecurity measures really need to prepare for?
RL: For manufacturing, ransomware has been a real big threat, But manufacturing environments suffer from supply chain attacks. If they have intellectual property inside the manufacturing facility, those intellectual properties could be stolen. Phishing attacks, equipment sabotage, manufacturing data leakage and breaches, nation state attacks, all sorts of attacks are, I would argue, not specific just to manufacturing. These attacks are starting to go from both enterprise into manufacturing. And what that means is that more and more manufacturing needs some of the protection that the enterprise has been deploying for several years.
IW: As manufacturers are deploying connected worker systems, tablets, for example, do manufacturers need to put specific effort into OT or does good cybersecurity hygiene naturally cover that territory or does it need to be a separate, concerted vein of thought around OT?
RL: I really believe that when you're tackling the manufacturing cybersecurity problem, you really have to design a security strategy that fits that manufacturing facility and what that manufacturing facility is producing. However, the same principles that you use on the enterprise can be applied in the manufacturing facility. You just may go about the security strategy differently.
And that's, I think, the difference between the enterprise and manufacturing. They have different systems in the data center for the enterprise than they do on the plant floor. And you do have to craft a strategy that makes sense for the devices and for the production style of that company. But the principles can be the same. You need to know the devices that are in that manufacturing facility. You really need to know how you are deploying your identity management strategy. Is it centralized to AD, or are they a bunch of local accounts? You need to figure out what your remote access strategy is. You need to understand what intellectual property might exist inside that manufacturing facility.
You need to understand how the systems inside that manufacturing facility call out or call home. Is it cellular? Do they traffic through the path through the manufacturing out through a corporate proxy? All these sorts of things that the enterprise has been looking at for years, the manufacturing folks now need to look at it from a pure manufacturing cybersecurity perspective. And that's a really healthy approach because I think if you do that, you can take things that the enterprise has already used and deployed and use it inside the manufacturing facility. It's just an extension of some of the capabilities in the enterprise applied to manufacturing, but maybe the policies are different. But some of the products are the same.
IW: Some of the most common advice IndustryWeek receives from cybersecurity experts to pass along to our readers is the importance of training and awareness. It kind of touches upon the previous question talking about OT and people on the plant floor. Is that accurate?
RL: I think that the manufacturing security awareness program has to be built and tailored for the constituency in those buildings, meaning you need to figure out who's running the line here, how does that line operate, and begin to build out security awareness content that fits the persona of that individual in the manufacturing facility and aligns with some of the big problems that manufacturing facilities have. Ransomware is a big deal. A lot of times that happens because maybe an unmanaged or semi-managed device connects to the manufacturing floor. It's already infected or they brought in a USB key and they're updating PLCs with the USB stick, and the next thing you know, you've got some sort of crisis on the manufacturing floor.
Awareness and training help people either stop themselves from doing really bad things or recognize that they've got a problem and immediately help contain it more quickly. Awareness and training tailored to the audience and the persona that fits the way the manufacturing folks operate is a great approach to accelerate your ability to protect the environment. And the other thing that's interesting about that approach is it actually begins to help the cybersecurity people learn about what the factory does. A lot of cybersecurity professionals that are associated with a company, with a manufacturing presence, they never even go into those buildings. And it's really, really interesting when you walk into a General Motors manufacturing facility that's 4,000,000 square feet under roof. That's a really big building. Every six minutes, they make a car. Walking through that building, you begin to realize just how massive an effort it is to make a car or a plane or a truck or whatever you guys are making, and all the piece parts that it takes.
And all the machines that work on the line, on the conveyor belts, on the cranes, all have computers in them. They're all part of a network communicating throughout that factory to ensure that the line works properly and delivers on time. They’re all an integrated game plan, and if you tailor both the security strategy and the complimentary security awareness capabilities together, you really have a powerful story that says we’ve got a game going on. We know who's in the building. We know what's in the building. We know how people can connect to the building and how connectivity leaves the building. We've got our identity strategy understood. And we're actively testing and we're actively patching where we can. And we're really focusing on it, because that's the way you get strong protection and quick remediation.
About the Podcast
Great Question: A Manufacturing Podcast offers news and information for the people who make, store and move things and those who manage and maintain the facilities where that work gets done. Manufacturers from chemical producers to automakers to machine shops can listen for critical insights into the technologies, economic conditions and best practices that can influence how to best run facilities to reach operational excellence.
Listen to another episode and subscribe on your favorite podcast app
About the Author
Dennis Scimeca
Dennis Scimeca is a veteran technology journalist with particular experience in vision system technology, machine learning/artificial intelligence, and augmented/mixed/virtual reality (XR), with bylines in consumer, developer, and B2B outlets. At IndustryWeek, he covers the competitive advantages gained by manufacturers that deploy proven technologies. If you would like to share your story with IndustryWeek, please contact Dennis at [email protected].