OT security in production: a challenge for SMEs
The number of cyberattacks on Swiss companies is steadily increasing. Industrial companies that need to protect not only their traditional IT but also their operational technologies (OT) are particularly affected. This is because the increasing digitalization and networking of production facilities as part of Industry 4.0 and the smart factory are creating new vulnerabilities that are being exploited by attackers.
OT refers to all technologies that directly control the operation of machines and production systems. In contrast to IT, which primarily connects people and data, OT ensures that production processes run smoothly. Precisely because modern production facilities are highly networked and communicate with each other, the protection of these systems is becoming increasingly important.
Manufacturing SMEs particularly at risk
Legacy systems, which are still in use in many industrial companies, pose a particular risk. These systems have often been in operation for decades and are difficult or impossible to update with the latest security updates. Replacement or decommissioning is often not possible because they are indispensable for production. These outdated systems offer cyber criminals a potentially easy target.
The threat situation for small and medium-sized enterprises (SMEs) is particularly serious. Unlike large corporations, SMEs often have neither specialized IT security departments nor sufficient financial resources to establish comprehensive protective measures. According to the latest "Cyber Study 2024", four percent of Swiss SMEs surveyed have been the victim of a serious cyberattack in the last three years. Extrapolated to the entire Swiss corporate landscape, this corresponds to around 24,800 affected companies - around three quarters of which suffered considerable financial damage.
A cyber incident always causes significantly more effort and costs than preventive measures.
measures.
Heavily regulated sectors such as the pharmaceutical and food industries are frequent targets of such attacks. Precisely because strict legal requirements apply here, companies cannot simply adapt or update their systems, even if security vulnerabilities are known. Attackers know this and exploit these weaknesses. In one case we accompanied, a cyber attack on the office area was stopped in time before production was affected. Nevertheless, the financial damage was considerable - an example that shows how quickly a supposedly small vulnerability can have major consequences.
New regulations increase the pressure to act
In addition, there are new regulatory requirements, such as the EU's NIS2 directive or the ICT minimum standard introduced by the federal government. NIS2 is an EU directive that also applies to Swiss companies when they trade with the EU. The ICT minimum standard, on the other hand, is a minimum industry standard defined by the federal government for companies' cybersecurity measures.
Even if compliance with these standards is associated with bureaucratic effort, we consider them to be useful. They also provide important support for reviewing and improving the cyber security strategy in a targeted manner. After all, a cyber incident always causes significantly more effort and costs than preventative measures. For many SMEs, however, there is uncertainty: they often do not know how good or bad their current security situation really is - and what specific measures would be necessary.
