NIS2: What manufacturers need to know? Your Questions Answered.
A Comprehensive Guide for IT Managers in the Manufacturing Industry: NIS2 Directive and Cybersecurity
As an IT manager/ CIO in the manufacturing industry, you play a crucial role in ensuring that your company’s digital assets, sensitive data, and production processes are secure and protected from cyber attacks. The NIS2 Directive, which came into effect in December 2020, expands on the previous directive and requires manufacturing industries to comply with new cybersecurity rules. In this guide, we’ll discuss everything the manufacturing industry needs to know about NIS2 and cybersecurity, including why compliance is essential, the scope of NIS2 in terms of manufacturing, penalties for non-compliance, the consequences of a cyber attack, and best practices to enhance cybersecurity.
Why Does the Manufacturing Industry Need to Comply with NIS2?
Compliance with NIS2 is essential for the manufacturing industry because it helps protect critical infrastructure from cyber attacks. Manufacturing companies possess valuable intellectual property, trade secrets, and sensitive data, making them attractive targets for cyber criminals. Compliance with NIS2 helps manufacturing companies identify potential vulnerabilities in their network infrastructure, implement security measures, and continuously monitor and assess their security posture.
Manufacturing was the most targeted sector for ransomware cyber-attacks and the most extorted industry in 2022, according to IBM Security’s 2023 X-Force Threat Intelligence Index.
It was the second consecutive year the manufacturing sector held the top spot in the index.
NIS2 and Manufacturing
Manufacturing industries that are identified as operators of essential services (OES) must comply with NIS2. OES are organisations whose services are essential for the maintenance of critical societal and economic activities. Manufacturing industries that fall under OES include those involved in the production of chemicals, pharmaceuticals, food and beverages, and critical machinery. Such industries must identify their critical assets, assess the risks, and implement appropriate security measures to protect their systems and networks from cyber attacks.
Penalties for Non-Compliance with NIS2
Non-compliance with NIS2 can result in significant penalties, including fines of up to €10 million or 2% of the organization’s global turnover, whichever is higher. Furthermore, companies that fail to comply with NIS2 may face reputational damage, loss of business, and legal action from customers or partners affected by a cyber attack. IT managers/ CIO’s in the manufacturing industry should ensure that their company is compliant with NIS2 to avoid these penalties and protect their company’s digital assets.
Consequences of a Cyber-Attack on Manufacturing Industry
The manufacturing industry is particularly vulnerable to cyber attacks due to the interconnectedness of production systems and the increasing use of IoT devices. A cyber attack on the manufacturing industry can result in significant financial losses, production downtime, and reputational damage. In some cases, a cyber attack on critical machinery can also result in safety risks for workers and the general public. IT managers in the manufacturing industry should ensure that their company has appropriate security measures in place to protect against cyber attacks.
Best Practices to Enhance Cybersecurity in the Manufacturing Industry
To enhance cybersecurity in the manufacturing industry, IT managers/ CIO’s should implement the following best practices:
- Conduct regular security audits to identify potential vulnerabilities in the network infrastructure.
- Develop and implement security policies that are in compliance with NIS2.
- Train employees on cybersecurity best practices, such as how to identify phishing emails, create strong passwords, and report suspicious activity.
- Implement appropriate security measures to protect endpoints, such as computers, mobile devices, and IoT devices.
- Keep up-to-date with the latest cyber threats and emerging trends in the industry to ensure that the company is adequately protected against these risks.
Real-Life Examples of Cyber Attacks in the Manufacturing Industry:
In recent years, we have witnessed several high-profile cyber attacks that have impacted manufacturing companies worldwide. These attacks have highlighted the importance of cybersecurity in the manufacturing industry and the need for companies to take proactive measures to protect their systems and data from cyber threats.
1. ASCO Industries Ransomware Attack (2021) – Belgian aircraft parts manufacturer ASCO Industries suffered a ransomware attack that disrupted its operations, leading to production downtime and financial losses. The attackers demanded a ransom payment of $15 million, but the company refused to pay. Link: https://www.reuters.com/business/aerospace-defense/asco-industries-hit-by-cyber-attack-after-refusing-pay-hackers-15-million-2021-01-19/
2. Honda Cyber Attack (2020) – Honda suffered a cyber attack that disrupted its global operations, including production and customer support. The company was forced to shut down some of its manufacturing plants, leading to production delays and financial losses. Link: https://www.reuters.com/article/us-honda-cyber-idUSKBN23J1I8
3. Norsk Hydro Ransomware Attack (2019) – Norwegian aluminum company Norsk Hydro suffered a ransomware attack that affected its operations across Europe and North America. The attackers demanded a ransom payment of $10 million, but the company refused to pay and instead chose to restore its systems from backups. Link: https://www.reuters.com/article/us-norsk-hydro-cyber-idUSKCN1R30R7
4. Mondelez International NotPetya Attack (2017) – The global food and beverage company Mondelez International suffered a cyber attack as part of the NotPetya malware outbreak. The attack disrupted the company’s operations across the globe, leading to significant financial losses. Link: https://www.reuters.com/article/us-cyber-mondelez-intl/multinational-companies-reeling-from-massive-cyber-attack-idUSKBN19N1JL
5. Merck & Co. NotPetya Attack (2017) – Pharmaceutical giant Merck & Co. was also hit by the NotPetya malware outbreak, which disrupted its global operations and led to financial losses. The company had to replace thousands of infected computers and reinstall software on its systems. Link: https://www.reuters.com/article/us-cyber-merck/massive-cyber-attack-slams-merck-idUSKBN19O1X0
In conclusion, cyberattacks pose a significant threat to the manufacturing industry. As the industry continues to embrace digital transformation and the Industrial Internet of Things (IIoT), it becomes increasingly vulnerable to cyber attacks. The examples discussed in this article highlight the impact cyber attacks can have on manufacturing operations, leading to production downtime, financial losses, and reputational damage. By taking the proactive steps that we previously mentioned, to protect your operations, manufacturers can reduce their risk of cyber attacks and ensure the safety and continuity of their business.