The world’s growing dependence on the internet was brought harshly into view recently when the Amazon Web Services (AWS) cloud platform went down, impacting more than 3 500 organizations across over 60 countries. Hospitals, banks and airlines were amongst those affected, with thousands of flights cancelled and an estimated impact likely to be in the range of billions of dollars.
While this is an extreme case, it highlights the vulnerabilities of our increasingly digital and interconnected world, making cyber security a global concern. According to the United Nations Institute for Disarmament Research (UNIDR), “Cyber operations can undermine international peace, security and trust, weakening development and reducing prosperity.”
In the World Economic Forum’s (WEF) 2025 Global Cybersecurity Outlook, governments are urged to adopt a “security-first mindset”. The report highlights several contributing factors, such as the growing complexity of the cyber landscape, increasingly sophisticated cyber threats, greater dependence on more complex supply chains and a widening gap between large and small organizations, all of which are increasing vulnerabilities. Over a third of small organizations believe their cyber resilience is inadequate, the report notes, a figure that has grown sevenfold since 2022. This is not surprising given that the global average number of weekly attacks encountered by organizations has increased by 58%.
Manufacturing is a prime target for cyber criminals
In 2024, more than 25% of all cyber attacks worldwide involved manufacturing companies, making manufacturing one of the most targeted industries, in part because hackers know there is a lot at stake if factories shut down. An example is the recent cyber attack on British car manufacturer Jaguar Land Rover, which cost the UK economy an estimated GBP 1,9 billion and affected around 5 000 organizations, making it the most costly cyber attack in British history.
But there is much that can be done, and improved cyber security technology and increased awareness is bearing fruit. According to the IBM 2025 Cost of a Data Breach Report, the global average cost of a data breach is USD 4,4 million, which is actually down 9% from the record levels in 2024, due to more rapid identification and action.
Smart manufacturing increases vulnerabilities
Ensuring adequate cyber security in industrial settings can be tricky because their industrial automation and control systems (IACS) are designed to facilitate ease of access from different networks. This is one of the results of smart manufacturing: the use of integrated hardware, software, and communication technologies used to monitor and control industrial processes. These systems automate repetitive tasks, regulate machinery, and provide real-time insights into operations. From a cyber security perspective, this creates added vulnerabilities.
International standards such as the IEC 62443 series are designed to keep operational technology (OT) systems running throughout their life cycle by securing the IACS. It can be applied to any industrial environment, including critical infrastructure facilities, such as power utilities or nuclear plants, as well as in the health and transport sectors.
IEC 62443-2-1 provides requirements for establishing a security programme for IACS asset owners. It describes the methodology for addressing cyber security risks in the design of an IACS system, which helps to identify risks and therefore make informed decisions regarding the appropriate security requirements.
An IACS security programme is configured to meet specific functional needs, thus being more robust and rigorous than an off-the-shelf product and reducing the risk of new threats being introduced. It also enables integration with the organization’s processes and information security management system.
Keeping up with changing regulations
Recognizing the increasing pervasiveness of digital products and systems, regulatory authorities worldwide are stepping up mandatory cyber security requirements. In Europe, for example, the Cyber Resilience Act (CRA) was introduced in December 2024, with the main obligations to be enforced from December 2027. The CRA is a legal framework that describes the cyber security requirements for hardware and software products with digital elements within the European Union market. It will oblige manufacturers to address security aspects throughout the whole of a product’s life cycle.
Ali Castaing is Certification Project Manager at the French national certification body Laboratoire national de métrologie et d’essais (LNE), which is an active global participant in the IECEE CB scheme. The scheme is an international system for mutual acceptance of test reports and certificates dealing with the safety of electrical and electronic components, equipment and products. IECEE, the IEC System for Conformity Assessment Schemes for Electrotechnical Equipment and Components, and one of the four conformity assessment systems of the IEC, runs a cyber security programme that involves certification against standards in the IEC 62443 series.
“Many manufacturers might not be ready by the time the CRA is enforced,” he warns, “because the regulatory landscape for cyber security is constantly changing and the industry is not as accustomed to certifying against cyber risks as they are to, say, basic safety and performance.” International standards for cyber security are essential, he says, because, when combined with conformity assessment, they provide proof that adequate processes are in place. “It is a lot easier to demonstrate compliance if using international standards that are widely accepted, such as those in the IECEE CB scheme,” he adds.
International standards such as those in the IEC 62443 series for cyber security, in conjunction with conformity assessment schemes such as that offered by IECEE, also help facilitate market access and contribute to the seamless flow of goods and services in the global marketplace. By establishing effective safeguards, they help to ensure the security of digital transactions and provide a common framework across countries that have varying cyber security practices.
People are the weakest link
One of the key elements of robust cyber security is ensuring all employees are on board. Human error is estimated to be responsible for up to 95% of all security breaches, with weak passwords, falling for phishing scams and clicking on malicious links being at the root of many attacks. Social engineering, whereby hackers gain access to systems through trusted means, such as employees themselves, was supposedly behind the cyber attack on Australian airline Qantas, potentially revealing the data of six million customers by impersonating employees to get access to the systems.
The IECEE Certification of Personnel Competence (CoPC) scheme intends to include cyber security in its remit for this very reason. The scheme provides the industry with a reliable benchmark of what is considered “competent” across the world. Through the scheme, national certifying bodies (NCBs) can assess the competency of those working in various industry sectors, with the first competence area aimed at safety in manufacturing. It will ensure those working in industry have the necessary skills and knowledge to use, manage, repair, maintain or interact with machinery in a safe way. This includes aspects such as management, design of installations, equipment selection, inspection, maintenance and repair.
While the scheme currently only covers machinery safety, it is intended that other competence areas will be added according to market needs, with cyber security high on the list. As cyber threats evolve, so do the frameworks and standards used to combat them.
Archivio Numeri
