As manufacturers increase their OT investments, a well-planned cyber strategy is essential to resilience.
Digital technologies are increasingly more accessible and cost-effective for manufacturers, leading to entirely new levels of operational efficiency. While legacy systems are still present in a great number of factories, many are being phased out in favor of newer systems that take advantage of predictive analytics, asset performance management, augmented reality, and other state-of-the-art approaches to improving manufacturing operations.
The benefits of digitalizing operations are top-of-mind, but manufacturing organizations are also considering the increased complexity, exposure, and risk presented by adding more devices and systems that are connected to internal and external networks. To fully realize the promise of digital transformation, manufacturers are thoughtfully and intentionally beginning a journey toward more resilient OT enterprises that can withstand cybersecurity threats.
Cybersecurity Challenges in Manufacturing
Merging manufacturing’s long-standing priorities of efficiency and productivity, legacy infrastructure, and today’s emerging technology results in increased risk for manufacturers across multiple industries.
A report from Food Processing, commissioned by Dragos and Fortinet, found that nearly half (47%) of companies in food & beverage manufacturing believe that the potential exposure to cyberattacks has increased moderately or significantly over the last 12 months. In that report, 100% of respondents ranked crisis management and business continuity as somewhat or very important cybersecurity concerns. Loss of productivity (74%), loss of revenue (71%), and service interruptions (69%) were also top-of-mind for many manufacturing security professionals.
Capgemini Research Institute’s report on smart factories identified pharmaceutical manufacturing as one of the most frequently impacted industries, with 44% of surveyed pharma and life science companies reporting at least one cyberattack impacting smart factories.
“Remote assistance capabilities expand the attack surface for threat actors operating from anywhere in the world.”
The Dragos 2021 Year in Review report – which includes a summary of results from cybersecurity assessments across various industrial environments – found that chemical manufacturers most commonly struggle with managing external connectivity, poor network perimeters, and limited visibility into OT assets.
There are a variety of factors manufacturers must consider when embarking on their cybersecurity journey:
- Process automation. Automation is commonplace in manufacturing environments. Many manufacturing processes are relatively simple and repetitive, and automating them enables cost savings and more efficient production. Of course, automation also exposes manufacturing processes to risk because threat actors can exploit weaknesses or vulnerabilities in the industrial control systems, devices, components, and software to corrupt or disrupt production.
- Remote operations. As a result of the COVID pandemic, many organizations have moved to reduce overhead and vendor support costs while maintaining or increasing productivity. Companies are adapting to remote assistance, engineering, and even operations. These capabilities expand the attack surface for threat actors operating from anywhere in the world.
- Operational focus. A manufacturing facility’s competitive advantage depends on uptime and the availability of systems. Many facilities function in a 24/7, continuous manufacturing mode. Asset management and change control monitoring are crucial, and anything that threatens to disrupt production — like ransomware attacks — can pose an outsized risk in manufacturing environments.
- Supply chain and partner/outsourcing vendor security. Supply chain attacks are increasing – according to a recent report from the Ponemon Institute, 34% of organizations identified supply chain and third-party security risk as one of their top three security challenges. Most manufacturers rely on a complex web of suppliers, partners, and outsourced vendors—any of which may be compromised by threat actors to leverage trusted relationships to gain access.
Increasingly, vendors also have direct connectivity into manufacturing facilities, allowing for easier and more efficient troubleshooting, and enabling real-time data flow that feeds performance enhancements. These direct networks open another potential attack vector in an already highly connected environment.
- IT cybersecurity strategies cannot be re-deployed in OT environments. Digital transformation is driving more collaboration between IT and OT teams, but no matter who does the work, IT and OT remain two very different worlds with different technological and business objectives. IT cybersecurity strategies are effective in IT environments – OT environments need a different set of solutions and require a different journey. Companies that aren’t treating the two differently are opening their enterprises to additional risks – such as bringing a plant down with a mistimed or uncontrolled vulnerability scan or security patch update.
Defining a Sustainable ICS Cybersecurity Journey
Modern technology and digital transformation will continue to drive a focus on security for cyber-physical systems. Gartner estimates that by 2023, 75% of organizations will restructure risk and security governance to address a landscape that includes IT, OT, internet of things (IoT), and physical security—a 5x increase from 2021.
“IT cybersecurity strategies are effective in IT environments – OT environments need a different set of solutions and require a different journey.”
Despite the complexity, opportunities exist for manufacturers who build a program to address these risks. Forward-thinking manufacturers can benefit in the following ways after making targeted OT cybersecurity investments:
- Greater volume and speed of projects. Manufacturing organizations continue to streamline and modernize by expanding connectivity and adopting new technologies to drive cost savings and efficiency. Manufacturers that are purposeful about creating and improving their cybersecurity programs can more easily scale these improvements across multiple processes and sites.
- Operational excellence. Cybersecurity capabilities like asset inventories and visibility into industrial network communications are essential when responding to cybersecurity incidents or addressing vulnerabilities – but they also provide valuable new data and insights about digital assets that can be used day-to-day to diagnose and troubleshoot operational issues.
- Developing people and skills. A growing base of skilled ICS security practitioners are highlighting the risks and importance of OT security – and communicating those risks more effectively to company leaders and boards.
- Greater governance. Company executives and boards are more engaged and increasingly recognizing that cybersecurity doesn’t just apply to IT environments. OT networks support the core of the business yet historically have been neglected relative to IT networks.
Today, leaders are realizing how critical OT networks are for the success of the enterprise and allocating resources accordingly. Manufacturers who have considered OT and industrial operations in their cybersecurity program can confidently and accurately answer questions in the boardroom.
- Company culture. Organizations are aware of the increased threat landscape and the importance of effective cybersecurity. Security is becoming part of the broader corporate culture, and as manufacturers mature in their OT cybersecurity journeys, their cultures will operationalize strong security programs that ensure more resilient operations.
For manufacturers beginning or evaluating progress along their cybersecurity journeys, Dragos recommends the implementation of five critical controls for meaningful improvements in security posture:
- Create an ICS-specific incident response plan. An OT incident and response plan must be distinctly different from an IT-focused plan. OT involves different device types, communication protocols, different types of tactics, techniques, and procedures (TTPs) specific to industrial threats. Investigation requires a different set of tools and languages. Managing the potential impact of an incident is different, along with a different path for recovery. Companies should consider having a team of responders ready, armed with proactive knowledge of your systems and familiarity with your specific business objectives.
- Develop a defensible architecture. OT security strategies often start with hardening the environment – removing extraneous OT network access points, maintaining strong policy control at IT/OT interface points, and mitigating high risk vulnerabilities. However, even when technical controls are implemented correctly during a project, they will atrophy over time without appropriate investment in the people and processes to maintain it. The resources and technical skills required to monitor the environment and adapt to new vulnerabilities and threats is essential to success.
- Deploy visibility and monitoring. You can’t protect what you can’t see. A successful OT security posture maintains an inventory of assets, maps vulnerabilities against those assets (and mitigation plans), and actively monitors the assets and traffic for potential threats. End-to-end solutions enable deep visibility and prioritized management of vulnerabilities.
- Enable multi-factor authentication. Multi-factor authentication (MFA) is an excellent way to control access to sensitive applications through an extra layer of security for a relatively small investment. Remote access is a common example where MFA should be utilized and is being broadly adopted across most industries.
- Develop an effective OT vulnerability management program. Knowing your vulnerabilities – and having a plan to manage them – is a critical component to a defensible architecture. According to the Dragos 2021 ICS/OT Cybersecurity Year in Review, more than 1,200 OT-specific vulnerabilities were released last year, many of them with incomplete or erroneous information.
While patching an IT system like a laptop in an office is relatively easy, shutting down a plant has huge costs. An effective OT vulnerability management program requires timely awareness of key vulnerabilities that apply to the environment, with correct information and risk ratings, as well as alternative mitigation strategies to minimize exposure while continuing to operate.
Every organization is starting from a different place, and every environment is unique. But, with a clear understanding of your risks, impacts, maturity, and gaps, you can create a roadmap that guides your team to implement and maintain a sustainable ICS/OT security program. M
About the authors:
Dan Scali is a Senior Director of Strategy at Dragos.
Eddy Wade is a Principal Industrial Consultant at Dragos.
How manufacturers can bolster resilience through operational technology cybersecurity
Over the last few years, cyber attacks on manufacturing plants and public infrastructure have grown more severe and had a greater impact on the public. Recent incidents in critical infrastructure organizations highlight the evolving threats these operational environments face.
With the rise of M4.0 and growing dependency on data, manufacturers must transform their thinking about cybersecurity for operational technology (OT). While quick fixes or ad hoc policies might beckon, the long-term strategy should be to build a resilient organization to battle current and future threats.
Typical Cybersecurity Challenges
While difficulties securing manufacturing facility environments stem from several factors, loose governance is one of the prime culprits. Many times, roles and responsibilities for cybersecurity in a plant are not well defined. The automation engineer has many operational responsibilities, but sometimes cybersecurity is an afterthought and assigned as a hobby task. To make matters worse, relationships between other people or groups within the facility or enterprise aren’t formalized, leading to a vulnerability if an emergency should arise.
Limited expertise also poses a challenge. The idea of OT cybersecurity has only been around for about 15 years, and not many people have experience across M4.0, automation, and cybersecurity, resulting in a dearth of qualified OT cybersecurity resources. It takes a special combination of skill sets — from industrial control equipment and software to proprietary network protocols — and a fundamental understanding of the threats facing the OT space.
At the same time, threats continue to evolve. Since Stuxnet in 2010, threats to OT have increased exponentially, both in targeted attacks against infrastructure and collateral damage from ransomware. This escalation underscores the need for a resilient, strategic, and holistic approach to OT cybersecurity rather than an ad hoc, quick-fix approach.
“Since Stuxnet in 2010, threats to OT have increased exponentially.”
Organizations also often lack risk visibility. Many manufacturing facilities have a surfeit of data on production, raw material usage, energy consumption, and quality of product. One area of great need is an understanding of the risk associated with this data.
First, the infrastructure of the OT must be inventoried and managed in a way that facilitates a quick response to cyber events. If a vulnerability is located in a certain programmable logic controller (PLC), it could more easily be mitigated if the plant engineers know the location of the PLCs, the version of software and firmware, and the correct patch to install. Many factories do not have this inventory in an organized and secure location that can be quickly accessed by the appropriate personnel.
Second, the data moving between devices on the plant floor is a treasure trove of information concerning normal operation versus anomalous and potentially dangerous communication. Tools are available to view this data flow between devices and discern the risk to operations.
Finally, the fundamental difference between IT and OT cybersecurity processes precludes the ability to use tools meant for IT on OT devices, systems, and networks. These differences need to be understood at the enterprise level so that an OT cybersecurity program can be effective. Typical differences that can cause catastrophic production failures include nontraditional operating systems and applications; 24/7 operational requirements (100% availability needs); and primary directives on human safety. According to a study by TrapX Security, only 41% of responding organizations have a dedicated security team to secure their operational technology, while 32% of respondents rely on their IT teams to defend their OT platforms against cyber threats.
Creating a Transformational OT Cybersecurity Program
To address the challenges of OT cybersecurity, enterprises must look at the problem holistically. The path to a resilient program starts with understanding the business risk to the enterprise from unsecured OT environments. The following steps outline how to start and what is required:
1. Understand the business risk.
An OT assessment is a critical starting point for any organization to gain insight into the current state of its OT environment, including control system risks and vulnerabilities. This phase should answer five key questions:
1. What is in my production environment?
2. What is important to my organization?
3. What is my current cyber posture?
4. How can I reduce risk now?
5. How do we establish a continuous risk reduction approach that makes sense to the organization?
Many times, organizations lack a clear picture of what is in their environment and the associated business risks. It’s important to get a firm grasp of the devices, software, and network architecture to achieve a baseline that can be used to build a road map of needed improvements. At this stage, the organization should deploy a tool or process that analyzes qualitative and quantitative data to identify specific risks that pose the most significant risk to the business.
“The fundamental difference between IT and OT cybersecurity processes precludes the ability to use tools meant for IT on OT devices, systems and networks.”
An asset inventory with asset categorizations can be developed at the same time. These categorizations enable risks to be scored appropriately. For example, a PLC with many vulnerabilities that is used for a low-priority task will be scored low in priority, but a PLC with only one vulnerability on a critical task would be scored high. These insights are key to the development of a tailored OT security program that is in line with the organization’s risk tolerance and strategy to identify the most significant risks to the business.
At that point, it’s time to close foundational gaps. Once a baseline of current conditions is established, anything that is critical can be corrected quickly. The assessment of the environment will also reveal high-risk vulnerabilities that may require a longer term perspective to fix. These high-risk targets can be addressed in the road map.
2. Align the cyber risk to the business mission and develop a governance structure and road map.
While it’s tempting to stay on the path of fixing high-risk problems, the more resilient approach is to address the foundations of any OT cybersecurity program. This is the next step to transforming how cyber risk is managed. Once you gain visibility and stabilize the environment, it’s time to focus on building the program’s foundation to further reduce risk.
This requires aligning governance to an OT cybersecurity standard such as NIST or NEMA. Also, organizations need to define an OT cyber program future state, strategy, and road map to reduce risk, optimize investments in digital transformation, and align with enterprise risk appetite.
It’s also necessary to define roles and responsibilities by formalizing and socializing a governance model for the ongoing oversight of OT risk management, as well as a set of clear roles and responsibilities that will support the ongoing operation and sustainability of the OT cyber program.
In addition, action must be taken to establish cybersecurity compliance with known regulations (if required).
“The path to a resilient program starts with understanding the business risk to the enterprise from unsecured OT environments.”
An awareness and training program also should be created. To do so, use an existing safety culture and augment it with OT cybersecurity awareness, techniques, tools, and policy education. This is one of the easier programs to build since many times the safety education structure is already in place.
3. Institute a program of continuous improvement.
Establishing an OT cybersecurity program is the start of an ongoing practice of continuous improvement. Bad actors are not static; their methods, tools and motivation change daily. It’s important to always redefine the protections in place and constantly monitor for new threats.
One key activity for continuous improvement is to establish transformation measurements. A measurement program should distill control-level requirements into simple-to-understand measures of maturity, and progress should consistently be reported to senior leadership. Use this metrics program to tell your success story.
Organizations also should deploy mitigation tools and policy as per the road map. Execute your implementation plans with the support of a diverse team of professionals versed in operational technology, production processes, cyber, change management, supply chain, process design, and risk management. This may require outside resources.
Another vital step is to enhance the threat response. Enhanced monitoring controls will improve your ability to respond to cyber incidents that impact production. You should define custom alerts and build out OT-specific response playbooks for your Security Operation Center (SOC) analysts, as well as prepare and practice for OT cyber incidents. A critical component of any threat response program is to establish a recovery plan. After experiencing a significant disruption (e.g., ransomware attack), your production line should return to normal operations as quickly as possible. Strategies for establishing a viable recovery plan must include creating a baseline state including asset inventory, known good network connection state and a method to confirm that a return-to-normal condition is restored.
“Establishing an OT cybersecurity program is the start of an ongoing practice of continuous improvement.”
Finally, it’s critical to visualize your OT risk in real time. Create an OT Security Operation Center or align your existing IT SOC with your business mission and objectives to provide real-time visibility into business risks, personnel safety, environmental safety, quality, customer orders, and trade secret protection. For advanced organizations, use real-time risk data for improved decision-making to move beyond threat response to proactive risk management with an OT Risk Operations Center.
M4.0 Challenges Require IT and OT Realignment
Digital transformations with M4.0 drive innovative changes in how organizations leverage technology to gain insights and capture market opportunity. Some of the most significant change to OT environments is being driven by automation and artificial intelligence (AI) to improve reliability, performance, productivity, and safety.
Cyber is an often overlooked, yet critical component in the digital transformation of operational technologies and must be addressed for an organization to fully realize the benefits of its investment. Overlooking cybersecurity, in the new world of M4.0, introduces unneeded risk to the finances of an organization. Companies should consider the methods outlined in this article as a path to lower the risk to the plants and thereby help protect revenue and profits.
It’s important for OT cybersecurity metrics to be integrated with other key components in any M4.0 environment. By transforming OT cybersecurity defenses into a holistic program, companies will protect valuable M4.0 data, realize safer working conditions, and secure production quality and brand protection. M
About the author:
Douglas Clifton is a Managing Director in Ernst & Young LLP’s National Cyber Security group based out of Dallas, Texas.
Ken Keiser is a Manager in the Consultant Services at EY and a practice lead for Operational Technology (OT) Cybersecurity.
For interconnected manufacturing, industrial control systems are key to preventing unauthorized access to data
As manufacturers and other tech companies continue to evolve amid the Fourth Industrial Revolution and prepare for the fifth, industrial control systems (ICS) remain the cornerstone of organizations’ ability to deliver on their goals of increased safety, productivity, efficiency, quality and innovation.
The use of advanced technologies has become table stakes for manufacturers, especially over the last two and a half years. But the proliferation of networked technologies also brings more risks and exposure to advanced cybersecurity threats. Corporate espionage targeting companies’ networks is also becoming a more prevalent way that bad actors can gain competitive intelligence and extort organizations. Attackers have evolved, moving away from large, multipurpose attacks on network perimeters and toward focused attacks that expose businesses to more diverse risks.
Companies across the economy are acutely aware of the risks; 72% of the 400 middle market executives who responded to a recent RSM US Middle Market Business Index survey on the topic of cybersecurity said they anticipate unauthorized users will attempt to access data or systems in 2022, “a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015.”
“Industrial control systems require specific controls and procedures that are usually completely different from the IT world.”
As manufacturers become ever more networked, their devices become more interconnected and they require faster decision-making using real-time data, robust and consistently updated cybersecurity protocols are paramount. And rigorous cybersecurity protocols aren’t just crucial in terms of staying ahead of the competition; customers, business partners, suppliers and vendors increasingly require a higher level of security assurance amid rising concerns, and regulators are requiring more thorough security controls. Lawmakers in the United States, the European Union and Canada, for instance, have recently enacted or introduced rules that would tighten cybersecurity protocols across a wide array of sectors.
It’s clear that operational technology (OT) security is crucial to companies’ success and their ability to remain competitive and protect their intellectual property and systems. But for midsize and smaller manufacturers, it may be difficult to know how best to go about updating and enhancing cybersecurity policies and practices. And while governments and other groups develop regulations outlining key requirements of cybersecurity programs, they rarely describe how those translate to the specific ICS in scope and rarely detail how to build such ICS programs in a sustainable manner.
Below, we take a closer look at what companies need to do to enable that process. For manufacturing companies, building a sustainable cybersecurity program should start with understanding the standards the organization currently has in place, assessing where there may be gaps, and determining what changes need to be made across the four key areas of oversight, people, process and technology.
Define The Need, Select a Standard
What is a cybersecurity program for industrial control systems? Like other cybersecurity programs, it is basically a set of policies, procedures, guidelines, and standards associated and specifically developed to protect and manage your industrial control systems. Within these policies that describe the program, leadership teams define the proper security management practices and controls required. In order to do so, though, key stakeholders associated with the initiative must have clarity around the definition and scope of their ICS cybersecurity program.
Companies may consider reusing IT policies, procedures, guidelines, and standards from other elements of the business, and while some of them may be applicable to a manufacturing environment, industrial control systems require specific controls and procedures that are usually completely different from the IT world.
“Teams need to understand new threat vectors introduced by system changes and ensure they are conducting change-driven risk assessments.”
When it comes to implementing the security program itself, companies don’t need to start from scratch; rather, they can implement standards that other reputable organizations have already honed. The key is to select a comprehensive and relevant standard or set of standards that are usually associated with your industry and in some cases the regulations to which you may have to adhere. Certain national and international standards such as the International Society of Automation’s IEC-62443-4-2 framework in combination with U.S. Commerce Department’s National Institute of Standards and Technology’s Cybersecurity Framework Version 1.1 are excellent comprehensive examples that can guide the development of your ICS cybersecurity program. Remember that comprehensive does not mean perfect; these frameworks typically cover the things that you must or should consider specifically for ICS security programs and as part of an OT environment that usually interfaces with IT.
Industrial organizations face many tactical challenges when developing an effective cybersecurity program, including lack of clear governance, architectural limitations, control design and documentation issues, ongoing maintenance issues and a lack of monitoring and improvement initiatives.
On the governance front, for instance, organizations need to determine who is responsible for the security of cyber assets and which governance mechanisms should be in place. When it comes to ongoing maintenance throughout the asset lifecycle, teams need to understand new threat vectors introduced by system changes and ensure they are conducting change-driven risk assessments.
Generally, these challenges can be traced to one, or a combination, of the four key areas we mentioned above: oversight, people, process and technology.
“Ongoing monitoring is just as important as fixed processes, especially as cyberthreats evolve and become more sophisticated.”
Addressing the challenges and gaps in these four areas of the business is the crucial next step in enabling companies to develop sustainable cybersecurity practices to safeguard operations into the future. Here’s a look at some of the specific factors at play in each of these four areas:
- Oversight: Developing robust cybersecurity policies and practices must start at the top in any organization. But companies that have not clearly articulated the cybersecurity responsibilities of their leadership teams are setting themselves up for failure. The same occurs in the OT space. Organizations need to have clear governance and strategies in place around the security of their industrial control systems and ensure that processes incorporate board and executive oversight on everything from understanding cyberthreats to navigating cyber insurance to coordinating with law enforcement in the event of a breach.
- People: Fostering the right culture is central to ensuring that employees throughout the company understand and take cybersecurity protocols seriously. People within the organization should not only undergo regular security awareness training and have opportunities to hone their individual cybersecurity skills and competencies, but they should also have a thorough understanding of the company’s protocols and security organization structure at the enterprise level. Vendors also fall into the “people” category, given the cybersecurity implications of how vendors connect with and use the company’s systems.
- Process: There are many process components that touch cybersecurity protocols, from sourcing and vendor management processes to incident management and identity management processes. Companies need to have consistent cybersecurity considerations built into all their processes to ensure not just physical security but also business continuity in the event of breaches. However, breaches in an ICS system require a different set of skills than other types of IT incidents and this is also the case for any other OT process.
- Technology: Much like with processes, manufacturers need to make sure they address cybersecurity issues on a wide variety of technology fronts. This includes security monitoring, threat modelling, intrusion detection and protection, endpoint security, data loss prevention and security architecture and design. How does the organization implement technical security controls across all the different systems, components and modules? That’s a key question to address because many of these security controls cannot be implemented in ICS the same way they have been implemented in IT. This is why technical expertise in ICS cybersecurity issues is a crucial success factor.
Leadership teams should ask themselves where they see the gaps in each of these areas. For instance, does your organization have clear protocols in place for ICS incident response but lack a process for threat modelling? Ongoing monitoring is just as important as fixed processes, especially as cyberthreats evolve and become more sophisticated.
Figure 1 – Source: RSM US LLP
The Role of Talent
A significant element of addressing the above issues and developing a sustainable cybersecurity program is hiring and retaining the right people. Companies in all sectors are battling for talent in a tight labor market, but the competition is particularly acute for tech workers, including those focused on cybersecurity.
“From a technology standpoint, more companies are moving data and applications to the cloud for access to a higher level of protection and controls, with many infrastructure costs going away,” according to RSM’s cybersecurity report. “However, as companies in all sectors are finding, the talent to manage that cloud environment is becoming more expensive and more difficult to find and retain.”
This will continue to be a pain point for manufacturers, especially as more of them shift from on-premises data facilities to using cloud applications and services.
Questions to Frame the Path Forward
Manufacturing companies that want to determine how their cybersecurity practices stack up to the evolving threat landscape should foster honest conversations among members of their leadership teams to address the following questions:
- How does your team assess the information security risks specific to your industrial control environment?
- What steps and/or systems do you currently have in place to secure your industrial and manufacturing operations?
- How often does your team review your business processes to identify new information security risks relevant to your manufacturing processes?
- How often do you perform security threat tests and report results to the management team?
- What is your response plan for a potential operational technology breach?
Having open-ended conversations to address these issues is one of the first steps in building more resilience against cyberattacks and future threats. Working with a third-party advisor on security testing and system assessments can also be an invaluable way to determine what changes the company needs to make to protect itself. M
About the author:
Tauseef Ghazi is a principal at RSM US LLP.
Six steps to achieve cyber resiliency in a digital world.
In 2021, manufacturing was ranked as the most targeted industry in the cybersecurity space as attackers sought to exploit unpatched software and capitalize on supply chain delays to pressure organizations into paying a ransom. This year has brought on more of the same — incidents like the February shutdown of Toyota’s factories from an attack on a Japanese supplier and the potential for more nation-state attacks on critical infrastructure amid the war in Ukraine are early examples.
Manufacturers being hit by a cyberattack is no longer a possibility — it’s a near certainty. Consider that nine in 10 manufacturers experienced at least one intrusion into their operational technology (OT) systems in 2020, and that ransomware attacks on industrial entities have increased by more than 500% since 2018.
This high-risk environment means manufacturing leaders need to focus not just on data security and compliance but also on cyber resilience: the ability to keep their business operating when the inevitable attack hits.
Cyber Risks in the M4.0 Era
Given the current geopolitical climate and supply chain vulnerabilities, it’s no surprise that more than half of manufacturing executives (53%) we polled in Q2 said they are increasing their focus on cybersecurity in response. That is good news. But even if supply chains were running smoothly and geopolitical tensions eased, this heightened attention would be critical.
Why? Because in an M4.0 world, there’s a collision happening between 1) the convergence of information technology (IT) and OT technologies and data sharing, the 2) adoption of cloud and remote-enabled technologies, and 3) the rapid evolution and adaptability of threat actors and techniques.
“47% of attacks on manufacturing were caused due to vulnerabilities that victim organizations had not remediated.”
Today’s attackers can penetrate a broader attack surface, exploit new software vulnerabilities, buy ready-made exploitation kits available on the Dark Web, and conduct increasingly sophisticated supply chain attacks. These attacks not only pose significant financial risks but major safety risks.
The manufacturing sector is overwhelmed with ongoing labor shortages, employee burnout, inflation, and high demand for products — in addition to rising cyberthreats. This combination means cybersecurity may be overlooked at the very moment organizations need to focus on it the most — and the consequences of not preparing are significant. Manufacturers reported an average cost of roughly $3 million per OT security incident in 2020 — and if the industry doesn’t get out in front of the problem now, regulators looking to protect critical infrastructure could potentially impose expensive and burdensome requirements.
The manufacturing industry is undergoing drastic changes with the pandemic accelerating the adoption of automation and other M4.0 technologies to keep pace with surging demand and disruption. In this landscape, it can be difficult for organizations to stay ahead of cyberthreats.
Some key challenges they face include:
Differences in preparedness between IT and OT teams
Manufacturers have had separate cultures for decades, primarily driven by conflicting priorities between corporate IT and the shop floor. While the corporate side is typically aware of cybersecurity risks, policies, and best practices, that is not always the case for frontline workers. Without the right security awareness campaigns and quality assurance processes in place, these workers might share the same username and password to log into OT systems, click on a phishing email, or use a USB drive without knowing where it came from.
Organizations looking to address this issue through security education must understand how these conflicting priorities can exacerbate communication breakdowns between the two groups. For instance, through the lens of the CIA triad, IT teams believe data confidentiality and integrity are the top cybersecurity priorities, while the OT team places availability as the top priority.
“If the links between IT and OT networks were cut, could your organization still operate and produce its products?”
Additionally, funding for IT teams is often prioritized over OT initiatives as the general perception is that OT environments are purpose-built and static in nature. However, when it comes to evolving attack methods and vulnerabilities, nothing is static and investments in OT security also need to be prioritized. This is further complicated by the constraints OT security teams face when trying to remediate issues when the OT devices themselves are unable to support traditional upgrades and patching procedures that their IT counterparts can rely on to mitigate risk. The result is often a desperate list of security controls and compensating controls between IT and OT environments, ultimately leading to inconsistent levels of protection across the organization. When it comes to true operational resiliency OT cannot be overlooked since the ability to generate revenue is typically dependent on the OT environment.
Change must start at the top. Yet for many executives, cybersecurity may not be their top priority when focused on finding new ways to automate the business, making products cheaper, or retaining critical workforce.
But while such investments may improve efficiency, they can also broaden the attack surface and create new security concerns: 47% of attacks on manufacturing were caused due to vulnerabilities that victim organizations had not remediated, either because the solution was not prioritized and funded, or was not supported by OT device vendors. This is starting to change. Leaders see the consequences of such attacks on revenue and the greater risks from heightened geopolitical and supply chain instability — though more work lies ahead.
A static mindset
The repetitive nature of manufacturing means that many in the sector may not see the need to evolve their cybersecurity strategies, as historically their focus has been on safety versus cybersecurity.
Making the connection between cybersecurity and safety requires a mindset shift: one that accepts the new M4.0 landscape and takes proper precautions to guard against new vulnerabilities while also employing principles of resiliency to ensure the business can continue to operate in the event of an attack.
How to Build Cyber Resiliency in Six Steps
Becoming cyber resilient will be challenging — but it is achievable. To help break it down, we’ve outlined six steps that manufacturing leaders can use to guide their approach.
To better prevent attacks and mitigate the risks that arise when incidents inevitably occur, manufacturers must be able to identify potential threats and create a strategic roadmap that articulates key priorities and action items for the organization.
“We recommend deploying the NIST compliant architectures and standards to build baseline protection.”
Developing that roadmap means not only analyzing requisite documentation but also interviewing stakeholders from across the organization about various applications and connectivity. For instance, daily reports from these stakeholders on how much has been produced, what raw materials need to be ordered, and where defects exist can help leadership assess each area by risk and potential revenue impact should something happen. Armed with that data, organizations can architect security policies and procedures based on that risk (e.g., the company website may just need monitoring and firewalls, while more important systems like OT technologies may need to be isolated).
These interviews should help leaders recognize where attacks originated, whether it’s ransomware, email compromise, spear phishing, or others.
We recommend deploying the National Institute of Standards and Technology (NIST) compliant architectures and standards to build baseline protection. Manufacturers should then focus on properly segmenting IT and OT environments — if these environments lack proper segmentation, they are more easily compromised (e.g., from a cyberattack, network outage, etc.). This impacts everything from production orders and scheduling to raw material management and the delivery of supplies to and from the shop floor. The question becomes: If the links between IT and OT networks were cut, could your organization still operate and produce its products?
To start, manufacturers should concentrate on network security, segmentation, and isolation. Ensure defense-in-depth principles, an approach that uses multiple layers of security, are used to dissuade threat actors from accessing critical systems in the OT environment. Isolate your critical machines so they can run manually (and locally) in the event of an attack — not just from remote locations via the cloud. Also, make sure there are paper records on hand to provide raw material measurements in case of a shutdown.
Having standards, best practices, and architectures in place is only half the battle. Organizations also need to build out their proactive capabilities to monitor and detect unauthorized access attempts, data leakage, and other anomalous behavior.
Detection goes beyond network monitoring. The physical environment, the shop floor, where vendors and business partners have access to critical systems or data needs to be monitored as well. Access is the key and ensuring businesses can be trusted is vital to protecting critical data or intrusions.
“While the corporate side is typically aware of cybersecurity risks, policies, and best practices, that is not always the case for frontline workers.”
However, not all systems are equal in terms of risk and therefore not everything needs to be monitored like Ft. Knox. Understanding the key challenges above will help organizations right-size investments in security and detection capabilities. For example, the need for more rigorous detection capabilities may be elevated when a vendor upgrade is not feasible, but diminished where network isolation or compensating controls have been implemented.
Organizations should prepare for a cyberattack by running incident response exercises that gamify what security incidents could look like. The exercises should drive collaboration among key stakeholders and account for multiple eventualities. For example, what might happen if a given OT system is hit but the person who is responsible for that system is out of the country? This exercise should be combined with an OT isolation tabletop exercise that runs through how the organization can keep machines running should the network get hit.
Being resilient is not only about preventing an attack, but the ability to recover quickly in the event of an attack to maintain revenue-generating operations. This ability requires collaboration among numerous stakeholder groups and is dependent on a strategy that covers people, process, and technology.
Recovery processes need to be defined, documented, and most importantly practiced. Solutions need to be implemented so organizations are able to backup systems and restore capabilities, using a golden image, if necessary, with both data and configuration details included. Ultimately, people across IT, OT, Security, Compliance, Legal, and other business teams need to be trained on the recovery process and their role in supporting the effort towards achieving true resiliency.
“if the industry doesn’t get out in front of the problem now, regulators … could potentially impose expensive and burdensome requirements.”
None of the above is a one-and-done exercise, especially as cyber threats are continually evolving. Organizations need effective governance to help maintain efficiency of security functions over time, and they must test, measure, and update them accordingly. This is not simply a technology issue. Organizational change management is needed to create muscle memory for new processes and tools, as well as to ensure collaboration between different teams. For instance, a brief, easily accessible, and role-specific playbook for new hires can help.
Staying Out in Front
We’ve witnessed an exciting digital transformation in manufacturing over the last few years. That shift has helped the industry meet pandemic-driven challenges, whether it involves enhanced automation, robotics, diagnostic and forecasting tools, or other M4.0 technologies.
But with new technologies come new cyber risks and vulnerabilities. Add on increasingly sophisticated threat actors, mounting geopolitical and supply chain instability, and workforce shortages, and it’s no wonder the industry has a more urgent focus on cybersecurity.
With cyberattacks becoming just one more cost of doing business, manufacturers have an opportunity to take a more strategic approach and develop not just cybersecurity, but cyber resiliency. Protecting your organization from threats is no longer solely about data security and compliance – it’s about ensuring the business can keep running and enabling continued transformation in an M4.0 world.
About the authors:
David Chaddock is a Director, Technology, at West Monroe.
Sean Duffy is a Senior Principal, Technology, at West Monroe.
David McGraw is a Senior Manager, Consumer & Industrial Products, at West Monroe.
Randal Kenworthy is a Senior Partner, Consumer & Industrial Products, at West Monroe.
GM completely renovated, retooled, and expanded an existing factory into an ML award-winning plant to drive its all-electric vision for the future.
Company Fact File –
Company: General Motors
HQ location: Detroit, MI, U.S.
Revenues: $10 billion+ annually
Employees: 5,000+ employees
Web url: www.gm.com
General Motors, a global automotive leader with a rich history of innovation, is committed to its vision of a world with zero crashes, zero emissions and zero congestion through the creation and manufacturing of electric, self-driving, connected vehicles and shared mobility services that will transform how people get around.
But to advance this vision of an all-electric future that is inclusive and accessible to all, the company needed a fully dedicated electric vehicle assembly plant with contiguous battery assembly. Rather than start from scratch, GM undertook a complete renovation to transform an existing 38-year-old plant into the Factory ZERO Detroit-Hamtramck Assembly Center, a project that won the company High Achiever status in the Engineering and Production Technology category during the recent 2022 Manufacturing Leadership Awards program.
“Built on quality and efficiency, Factory ZERO offers the agility to adapt vehicle production to meet market demands quickly.” — Phil Kienle
This was a monumental undertaking. In addition to adding a 1 million-square-foot expansion, retooling the general assembly area, modernizing and expanding the paint shop, and refurbishing and expanding the body shop, the company constructed a brand-new automated storage and retrieval addition for Ultium battery assembly. This allows for multiple vehicle styles and battery assembly to happen under one roof.
The Factory ZERO team proved it was up to the task. In less than 20 months, the plant began producing its first GMC HUMMER EV pickups. This is critically important for GM. Launching more EVs faster is the catalyst for growth, and the company is accelerating its volumes, growing to 1 million units of EV capacity in North America by the end of 2025, and expanding from there. In North America alone, GM is targeting production of 400,000 all-electric vehicles over the course of 2022 and 2023.“Built on quality and efficiency, Factory ZERO offers the agility to adapt vehicle production to meet market demands quickly,” says Phil Kienle, General Motors Vice President of North America Manufacturing & Labor Relations. “In fact, the ongoing process improvements and strategic resources used at Factor ZERO make it the company’s launchpad for the multi-brand all-EV and Autonomous Vehicle (AV) strategy that it hopes will accelerate GM’s journey into an all-electric future.”
In the process, it also results in savings in time, resources, and capital. Almost 80% of the original equipment and infrastructure were repurposed, which reduced material waste, and because the facility’s initial footprint was used as a foundation, nearly a third less capital was needed compared to building a greenfield site. The accelerated launch and production start also allowed the company to get EVs to customers sooner. And it also will help the company achieve its commitment to source 100% of its U.S. facilities with renewable energy by 2030.
“Through GM’s $2.2 billion investment in an all-electric future and a series of renovations and expansions – at the time, the largest ever for a GM manufacturing facility – Factory ZERO has become one of the most modern automotive plants in North America and provides a manufacturing advantage for General Motors,” adds Kienle.
Extensive Plant Transformation
The original Detroit-Hamtramck Assembly plant was already a world-class facility even before it was transformed into Factory ZERO, having manufactured more than 4 million vehicles since it first opened in 1985. But GM wanted to renovate and expand the factory to be the capstone upon which the company could build on its all-electric vision.
The improvements begin in the body shop, where the addition of Body-In-White scanning has transformed how the team evaluates the fit and finish in each vehicle. Through 3D laser scanning technology, the full-body and sub-assembly analysis provide a comprehensive quality review in under 90 minutes, replacing previous technology that was limited to raw data, and minimizing human error. As the body moves to the joining area, remote laser welds and MIG welding have standardized the optimal packaging to provide ample space and safety framework for the Ultium battery, enabling greater efficiency when team members complete verification checks multiple times per shift.
“The business impacts are many, but most boil down to improved flexibility, scalability, and consistent quality.”
The paint shop underwent a similar transformation, where the painted vehicle bodies now pass through an in-line paint defect detection and classification system. This automated process reduces defects that could be missed by individual inspection and records data that can be used to recognize potential recurring issues throughout multiple paint coats. Within the paint shop, floor plug insertion and sealing have also become automated processes. Due to their repetitive natures, which require frequent bending and wrist flexing, the automation of these processes reduces ergonomic risks and frees up team members to assist in other value-adding activities.
After ensuring the highest quality throughout multiple checks in the paint and body shops, the vehicles enter a modular assembly line, meaning the lines are decoupled and produce specific vehicles, rather than a traditional assembly line where every vehicle moves through the same process. This approach enables the integration of a new vehicle without impacting the rest of the general assembly for re-tooling or changing production needs. It also means that team members working on each line can become specialists in assembling the vehicle specific to their line, resulting in greater quality and accuracy. This area has also reached a new level of efficiency by using electronic job boards and virtual operator training to roll out any changes to a procedure in real time.
Factory ZERO: A Key Competitive Advantage
The business impacts are many, but most boil down to improved flexibility, scalability, and consistent quality. The Body-In-White scan and remote laser weld in the body shop, and the vision defect detection and automated sealing in the paint shop are key upgrades GM made to ensure that vehicles produced at Factory ZERO are of the highest quality.
“Preserving a reputation of excellence in every vehicle is key to customer satisfaction, and necessary to transition to an all-electric future successfully,” says Kienle.
“The success of this transformation serves as a blueprint for future conversion of existing North American manufacturing facilities.” — Phil Kienle
Another factor in preserving GM’s competitiveness in the EV market is the adaptability of production at Factory ZERO, and the ability to produce the right vehicle for the right customer. The modular approach to the general assembly area supports the changing needs of GM’s product portfolio, allowing the company to increase production of a popular vehicle, while maintaining the manufacturing levels of a vehicle that may be impacted by market uncertainties. The newly automated activities in the paint and body shops also increase uptime and will be critical in enabling production at full capacity.
Factory ZERO positions General Motors to realize greater market share and continue to improve the company’s reputation as a leader in sustainability.
Driving Future Innovations — and a More Sustainable Future
While the plant is key in reaching GM’s capacity of more than 1 million units of electric vehicles in North America by 2025, it also supports other facets of the company’s strategy, both in terms of people and sustainability.
At the heart of GM’s manufacturing advantage is the team, which will grow to more than 2,200 people when Factory ZERO is fully operational. Utilizing these team members effectively is a key part of maintaining GM’s manufacturing capabilities. Due to the process automations highlighted in the paint and body shops, team members can focus on initiatives that require human innovation, and in turn utilize these improvements in process and people allocation to increase uptime. The resulting positive production impact is supported by the modular footprint of the general assembly, which enables quicker introduction of new vehicles, and in turn aids in overall expansion of GM’s EV portfolio.
While the facility has been renovated with some of the most advanced technology and tooling, it has also been designed with sustainable manufacturing in mind. Factory ZERO will aid in achieving the company’s commitment to source 100% of its U.S. facilities with renewable energy by 2030. Through a partnership with Detroit’s local utility company, GM’s commitment to a cleaner future marked the largest renewable energy investment in the state of Michigan. Within Factory ZERO’s manufacturing processes, the transition to paperless job guides and use of virtual operator training and e-Labels has also helped maintain GM’s sustainability goals.
“GM wanted to renovate and expand the factory to be the capstone upon which the company could build on its all-electric vision.”
Factory ZERO’s transformation has combined the use of GM’s readily available resources and its investment in advanced manufacturing to maximize its production and engineering capabilities. These efforts enable GM to achieve its commitments to sustainability and quality while pursuing its vision of zero crashes, zero emissions and zero congestion.
Blueprint for the Future
While the transformation of Factory ZERO is an achievement in and of itself, the innovation continues throughout the facility. Each area has been meticulously upgraded with maximum efficiency and quality in mind, from the addition of the full-body vehicle scans to the modular design of the general assembly.
As the epicenter for General Motor’s advancement of an all-electric future, Factory ZERO’s success offers innovative learnings for future conversion of existing North American manufacturing facilities.
“Factory ZERO’s unique scalability and flexibility position GM to stay ahead of the growing demand for electric vehicles while providing quality to balance the need to compete aggressively and win in today’s market with strong products,” says Kienle.
“The success of this transformation serves as a blueprint for future conversion of existing North American manufacturing facilities.” M
About the author:
Sue Pelletier, a contributing editor with the Manufacturing Leadership Journal, is a seasoned writer/editor with experience in online, social media, e-newsletter, tablet app, book and e-book, and print publications..
When it comes to digital transformation, is there a way to ensure that all manufacturers have an equal opportunity to focus on digital initiatives – regardless of their size? A panel at Rethink: The Manufacturing Leadership Council Summit examined the different challenges faced by small and medium enterprises on the industry’s journey to Manufacturing 4.0.
The panel featured Val Zanchuk, President at Graphicast; Chuck Wetherington, President of BTE Technologies and SMM Chairman for the NAM Board of Directors; and Irene Petrick, Senior Director of Industrial Innovation at Intel Corporation.
The most obvious challenge comes from resources. As Zanchuk said, he is often limited by the three T’s: Time, Treasury, and Talent. “I try to keep up with the pace of understand what’s going on with the latest digital tools, and identify the opportunities that make sense for the business.”
“M4.0 is not a rote prescription, it’s a toolbox,” Wetherington said. “We are moving digital technology down to where the work is being done.”
Petrick said that the digital divide isn’t only because of size, but also because of investment choices. “If you weren’t doing a lot of investments in digital over time, then you are behind – it’s not a size issue, it’s an investment issue.” Petrick added that companies who have not been making those continuous investments are behind, especially after COVID.
Cybersecurity is also a concern, not just internal to a company but also as an ask from customers. “The customer base has to be able to look at us and say we’re in good shape, to be comfortable working with us,” Zanchuk said.
Wetherington added, “Every company needs to be worried about cyber and needs to make efforts to be secure. The problem isn’t how good your defense is, it’s whether or not the bad guys want to get at you.”
So how can a small company, or any company, keep from falling into the divide?
“You have to stay on top of understanding technologies,” Zanchuk said. “Lean mentality fits well with 4.0 mentality, but we don’t use every tool in the Lean toolbox. I’m always scanning the technologies to understand it and translate it down to my scale.”
It’s also a matter of people, not just technology. “Hiring and retaining talent will continue to be an enormous challenge,” Petrick said. “Investing there will yield much more value than ever before.”
Katelyn Kelsey didn’t expect to go into manufacturing, but as an engineer, the lure of digital transformation and the opportunity to solve emerging problems was too great.
Participating in a panel discussion on next-generation leaders at MLC’s Rethink 2022 Summit, the Mobility Technology Engineer for Dow, Inc., encouraged employers to go back to the drawing board and to let young people know that manufacturing is a place where they can work with the latest technologies and solve problems that bridge information technology and operational technology.
Moderated by Penelope Brown, MLC’s Senior Content Director, the panel also included Hayley Dwight, Director, Business Architecture and Change Management for Cooley Group, and Daniel Shrives, Research Engineer for Saint-Gobain North America.
The panelists agreed that Gen Z and millennials want to work for companies with interdisciplinary teams that do not operate in silos. Further, Dwight explained that her generation also wants a culture that values information sharing between organizational levels. She shared that she’s able to direct message with people like Jack Dorsey – the co-founder and former CEO of Twitter – so she should have similar access to the leaders in her our organization.
Later Kelsey added, “It costs you nothing to offer a seat at the table.”
Meanwhile, Shrives shared that one of the most important lessons he’s learned so far is to be flexible and expect that a role and responsibilities will change over time. But it is not just about his generation’s expectation to adapt. Shrives shared that leaders should give millennials an opportunity to bring change with them.
To prepare for the future, Kelsey encouraged manufacturers to come to events like Rethink in order to have candid conversations as an industry. She also reminded the audience that manufacturers aren’t just manufacturers anymore. They are also technology companies and they need to pull talent from other industries to create cross-functional teams.
And it is not just about speaking truth to power. Each of the panelists is also working to build their own leadership skills. In fact, Dwight, Kelsey and Shrives were among those honored later in the Next-Generation Leadership category at the Manufacturing Leadership Awards Gala.
Asked to share something about her personal development journey, Dwight shared that she’s working to ask more questions instead of making declarative statements. To do this, she asks herself each day if she ended more sentences with question marks or periods. That’s a lesson for leaders regardless of their generation.
Photo by David Bohrer / National Assoc. of Manufacturers
In 1914, the Ford English School fostered shared language between the company’s workers who spoke many languages and had diverse perspectives. By establishing a shared understanding and fluency in the English language, Ford’s school led to increased safety and efficiency and better citizens.
Now more than one hundred years later, data literacy is the baseline language according to Valerie Logan, CEO and Founder of The Data Lodge.
Logan and Dr. Steven Moskowitz, Director, Digital Transformation at Entegris and Chairman of Innovation Research Interchange (IRI), a division of the National Association of Manufacturers, presented a case study at MLC’s Rethink 2022 Summit titled Fostering Data Literacy: The What, Why and How.
The case study explained that data literacy is the language of data – the ability to read, write, and communicate with data in context. Logan emphasized that the context is important and differs depending on a person’s role. Further, she said, mindset, language and skills are the keys to fostering data literacy.
When Entegris kicked off its digital journey, they took time to examine the corporate culture and then aligned their digital strategy with that culture so different teams could connect to Entegris’ digital thread and move from data to insights to actions and decisions. Logan shared that fostering community and collective languages across a diversity of backgrounds opens new channels for the entire organization.
For Moskowitz, data literacy isn’t about dumping data on people. It is important to communicate the story and explain the decisions and actions that the data necessitates.
At its core, data literacy is a development tool, but it requires enablement and engagement. According to Moskowitz, the impact of shared data literacy isn’t always measurable, but if you don’t establish literacy, the cost could be significant.
Photo by David Bohrer / National Assoc. of Manufacturers
The Manufacturing Leadership Council—a division of the NAM that helps manufacturers leverage digital transformation—named Pfizer CEO Dr. Albert Bourla the 2022 Manufacturing Leader of the Year at the 18th annual Manufacturing Leadership Awards Gala.
The details: The ML Awards are the U.S. manufacturing industry’s biggest stage for recognizing excellence in digital manufacturing. Since the program’s founding in 2005, more than 1,000 high-performing projects and individual leaders have been honored with an award. Winners represent companies of varying sizes in a wide array of industries.
The big award: The Manufacturing Leader of the Year award was presented to Bourla for Pfizer’s extraordinary and ongoing contributions in fighting the COVID-19 pandemic.
- “Manufacturing in America today is stronger thanks to the leadership of Dr. Bourla and his team at Pfizer, including our Executive Committee member Mike McDermott,” said NAM President and CEO Jay Timmons. “Albert and Mike’s passion and dedication to defeating COVID-19 set an example for thousands of companies as our industry navigated and responded to the evolving pandemic, and their leadership and innovation will make us better prepared to respond to the next crisis.”
Other honorees: Awards were given to companies that excelled in various categories of manufacturing, including Protolabs for collaborative ecosystems, AB InBev for digital network connectivity and operational excellence, Dow for digital supply chains, General Motors for engineering and production technology, Flex and Johnson & Johnson for enterprise integration technology, AUO Corporation for sustainability and ALOM Technologies for transformative cultures.
Manufacturers of the Year: Protolabs was named the Small/Medium Enterprise Manufacturer of the Year, and AB InBev was named the Large Enterprise Manufacturer of the Year.
The last word: “Manufacturers continue to be the driving force for global economic recovery and pandemic response as they establish innovative ways to problem-solve in an increasingly complex environment,” said MLC Co-Founder, Vice President and Executive Director David R. Brousell. “Those recognized tonight have helped establish a roadmap for the future of the sector and highlight the importance of Manufacturing 4.0.”
Marco Island, Fla. – The National Association of Manufacturers’ Manufacturing Leadership Council has named Pfizer CEO Dr. Albert Bourla the 2022 Manufacturing Leader of the Year. The award was presented to Bourla at the 18th annual Manufacturing Leadership Awards Gala for the company’s ongoing response to the COVID-19 pandemic.
During a recorded presentation, Dr. Bourla highlighted the work of Mike McDermott, Pfizer’s chief global supply officer and executive vice president and NAM Executive Committee member, and his team of more than 30,000 colleagues and contractors to ensure uninterrupted supply for Pfizer’s entire product portfolio, which includes hundreds of medicines and vaccines—more than 38 billion doses each year—and the manufacturing and global distribution of the Pfizer-BioNTech COVID-19 vaccine and COVID-19 oral antiviral.
“Manufacturing in America today is stronger thanks to the leadership of Dr. Bourla and his team at Pfizer, including our Executive Committee member Mike McDermott. Albert and Mike’s passion and dedication to defeating COVID-19 set an example for thousands of companies as our industry navigated and responded to the evolving pandemic, and their leadership and innovation will make us better prepared to respond to the next crisis,” said NAM President and CEO Jay Timmons. “I also want to recognize the crucial work of the other winners this year, again proving that a competitive manufacturing sector is the key to solving the problems of today and tomorrow.”
The award ceremony took place at Rethink: The Manufacturing Leadership Council Summit, which examines digital manufacturing as it intersects with technology, organizations and leadership, at the JW Marriott Marco Island Beach Resort in Florida June 27–29.
“Manufacturers continue to be the driving force for global economic recovery and pandemic response as they establish innovative ways to problem-solve in an increasingly complex environment,” said MLC Co-Founder, Vice President and Executive Director David R. Brousell. “Those recognized tonight have helped establish a roadmap for the future of the sector and highlight the importance of Manufacturing 4.0.”
In recognition of the highest scoring projects in each award category, the MLC also announced the following High Achievers:
AI and Machine Learning
Digital Network Connectivity
Digital Supply Chains
Engineering and Production Technology
Enterprise Integration Technology
(Tie) Johnson & Johnson
Flex – LISA Line Stop Assistant
MANUFACTURER OF THE YEAR – Small/Medium Enterprise
MANUFACTURER OF THE YEAR – Large Enterprise
The 2023 Manufacturing Leadership Awards season will open to nominations on Aug. 15, 2022. Information about the awards program is available here.
Founded in 2008 and now a division of the National Association of Manufacturers, the Manufacturing Leadership Council’s mission is to help manufacturing companies transition to the digital model of manufacturing by focusing on the technological, organizational and leadership dimensions of change. With more than 2,500 senior-level members from many of the world’s leading manufacturing companies, the MLC focuses on the intersection of advanced digital technologies and the business, identifying growth and improvement opportunities in the operation, organization and leadership of manufacturing enterprises as they pursue their journeys to Manufacturing 4.0.
The National Association of Manufacturers is the largest manufacturing association in the United States, representing small and large manufacturers in every industrial sector and in all 50 states. Manufacturing employs more than 12.7 million men and women, contributes $2.71 trillion to the U.S. economy annually and accounts for 58% of private-sector research and development. The NAM is the powerful voice of the manufacturing community and the leading advocate for a policy agenda that helps manufacturers compete in the global economy and create jobs across the United States. For more information about the NAM or to follow us on Twitter and Facebook, please visit www.nam.org