5 key cybersecurity strategies for manufacturing executives

Vinod D’Souza
Head of Manufacturing and Industry, Office of the CISO, Google Cloud
Ruchi Khurana
Office of the CISO, Google Cloud
The manufacturing landscape is undergoing a radical transformation, and robust cybersecurity governance is no longer optional — it's a strategic imperative.
There is a “critical need” for secure-by-design technology in today's manufacturing landscape because the convergence of information technology (IT) and operational technology (OT), paired with the rise of cloud and AI, has exponentially expanded attack surfaces, said Jeremy B. Smith, VP and information security officer, Avery Dennison.
“A truly robust cybersecurity posture in manufacturing is built on a foundation of personal responsibility, board-level engagement, and operational ownership,” he said.
Smith highlighted two important changes to how organizations can take advantage of the technological moment. First, cybersecurity conversations should be happening in the boardroom, where technical jargon has been translated into clearly understood business risks.
Next, security should be a shared responsibility “from the shop floor to the C-suite,” an ongoing cultural shift that requires continuous workforce education and upskilling as well as embedding security considerations into all stages of product development.
At Google Cloud’s Office of the CISO, we agree wholeheartedly with Smith’s assessments. Here are five key governance strategies that can help manufacturing executives build a robust cybersecurity posture and better mitigate the evolving risks they face.
1. Bring in the board
As Smith said, boards of directors should be involved in conversations about the critical business risks that cyberattacks can raise. In today's manufacturing environment, characterized by cloud deployments, AI integration, and interconnected systems, cybersecurity must be a regular board agenda discussion.
Cybersecurity has become a non-negligible, non-fiduciary responsibility for boards, and the SEC now mandates disclosure requirements for cybersecurity incidents. Boards need to understand the cascading impact on shareholders, customers, and consumers when an impactful event occurs.
To better ensure that cybersecurity leaders have a voice at the table, we recommend demonstrating your understanding of pressing business issues: production uptime, throughput, and safety. Explain how a cyberattack could impact revenue by:
- halting production lines
- damaging the brand through compromised product quality
- disrupting supply chains
- endangering worker safety
A cybersecurity objective that's not directly linked to improving manufacturing efficiency, reducing waste, or ensuring worker well-being will face an uphill battle for support and funding. Conversely, by communicating with the terms that already drive business conversations, you can better explain the need for security investments from the shop floor to the boardroom.
2. Rethink risk management for the cloud and AI
The proliferation and interconnection of IT, OT, cloud, and AI have reshaped the manufacturing risk landscape.
A comprehensive risk management framework should deeply integrate digital safety risks and implications, and correlate to business consequences. Manufacturers need a dynamic, adaptable strategy that addresses the interconnectedness of these systems:
- Identify: Map critical assets, systems, and data across all environments, including cloud instances, on-premise systems, hybrid integrations, and AI models.
- Assess: Conduct regular, comprehensive cybersecurity assessments that account for cloud-specific vulnerabilities, evolving threat tactics, techniques, and procedures (TTPs), and the unique risks associated with AI.
- Monitor: Implement real-time monitoring tools to gain comprehensive visibility into your digital ecosystem for malicious and non-malicious threats.


3. Build trust and enable innovation with compliance
Used appropriately, compliance can become a crucial foundation for trust, innovation, and operational integrity in the manufacturing sector. For manufacturers using cloud and AI, compliance encompasses IT and OT, product safety, human safety, and data privacy.
We recommend that you define clear, industry-specific standards for different workloads, taking into account:
- Cloud-specific requirements: Address the shared responsibility model for cloud security and ensure compliance with relevant cloud security frameworks. Consider data residency and sovereignty requirements for storing and processing manufacturing data, especially if operating internationally.
- Operational Technology (OT) security: Integrate OT security requirements into your overall compliance strategy. This includes securing industrial control systems (ICS), SCADA systems, and other operational technologies against cyber threats, which can have significant safety and production implications.
- Product safety and compliance: Incorporate cybersecurity considerations into product design and development processes to ensure compliance with relevant safety standards and regulations. This is especially critical for connected products and smart devices, where vulnerabilities can pose safety risks to end-users.
- Data privacy and AI ethics: Identify and comply with data-privacy regulations related to the collection, storage, and processing of manufacturing data, especially data used to train AI models. Address ethical considerations related to the use of AI in manufacturing, such as bias detection and explainability.
- Supply chain security: Extend your compliance efforts to your supply chain, ensuring that your suppliers and partners adhere to similar security standards. This is particularly important for manufacturers relying on complex, globally distributed supply chains. Incorporate practices such as software bills of materials (SBOMs) for all software components that are critical to the functioning of a product, and make the SBOMs available to customers.
This proactive approach can minimize risk and also facilitate smoother audits and build customer trust.
4. Empower your team with continuous improvement and upskilling
In the manufacturing sector, employees play a vital role in protecting your company’s data, as well as its digital and physical assets. It’s important to equip your workforce with the specialized skills they need to secure IT and OT environments, including learning to use AI properly and securely.
We recommend prioritizing the assessment and enhancement of cybersecurity skills through targeted, role-based training programs, and implementing organizational structures that foster a culture of continuous learning.
- Targeted training: Provide targeted, hands-on cybersecurity training tailored to each team's specific risks:
  - IT teams (cloud security, secure software development, data protection, incident response)
  - OT teams (ICS security, network segmentation, OT vulnerability management, safety protocols)
  - Product development teams (secure coding, connected device security, embedded systems vulnerability assessment)
  - AI/ML teams (secure AI development, data privacy in AI, adversarial attack/data poisoning mitigation)
- Cross-functional security control design: Conduct activities such as threat modelling for critical business processes, engineering networks, and systems that include critical operating environments. Bring together cross-functional teams across the business to discuss the impact of relevant threats and design risk-mitigating controls.
- Realistic simulations: These exercises test employee preparedness and reinforce best practices by mirroring actual cyberthreats faced by manufacturers, including ransomware, safety, and productivity disruption attacks targeting IT and OT systems, and those exploiting AI vulnerabilities.
- Organizational structure and culture: Establish clear roles and responsibilities for cybersecurity across your organization. Similar to safety culture, it’s important to foster a culture of security awareness at all levels, where employees understand their role in protecting critical assets and are empowered to report potential security incidents.
- Continuous learning: Cybersecurity is constantly evolving. Encourage continuous learning by providing access to online courses, certifications (such as the Google Cybersecurity Certificate), and industry conferences. Create opportunities for employees to share knowledge and best practices, which can also help with employee retention.
Google Cloud is committed to supporting manufacturers as they build a robust cybersecurity program. We offer robust training programs, tailored guides, and solutions to help you upskill your teams and strengthen your security posture.
Our Office of the CISO works directly with customers and regulators to evaluate and support cybersecurity governance. Additionally, Mandiant Academy provides dedicated ICS training courses including Fundamentals of ICS Security and Cyber Intelligence for Critical Infrastructure.
5. Encourage regular, robust communication
Open and transparent communication is paramount for building a robust security culture and strengthening relationships in manufacturing, and should extend beyond internal teams to encompass your entire value chain. You can think of those lines of communication and conversation as involving three key constituents:
- Engage the board regularly to keep them in the loop on cybersecurity risks, mitigation strategies, and the progress of security initiatives. Frame these discussions in terms of the business impact on production, product quality, and brand reputation.
- Communicate regularly with employees to foster internal awareness of best practices, potential threats, and organizational policies.
- Proactively communicate with customers, suppliers, and partners about your commitment to data protection, product security, and responsible AI, highlighting certifications and compliance efforts.
For example, communicate how you are securing shared data related to design specifications or supply chain logistics. Be clear about how you are addressing the security of connected products interacting with customer systems. Engage in industry-wide discussions and information sharing related to cybersecurity threats and best practices to stay ahead of emerging risks.
Embrace a secure and innovative future
Successful digital transformation in manufacturing demands a comprehensive strategy, integrating changes across the organization, culture, technology, and standard operating procedures. Everyone needs to understand the terminology, established workflows, and specific responsibilities tied to security.
For more information, including reports, blog posts, insights, and guidance, please visit our CISO hub.