NSCG

Securing the Future: Industrial Cybersecurity in a Connected World

Jerome Bull | 17 August 2025

With high-profile breaches making headlines, businesses – especially those in critical industries and infrastructure – are recognising that downtime isn’t just disruptive, it’s costly, reputationally damaging and hits the bottom line.

Jerome Bull talked to Ben Caley, Product Manager for Industrial Communications and Cybersecurity at Siemens UK & Ireland, who addressed several questions about industrial cybersecurity.


1. What is the threat for industry and why has it evolved?

Unlike traditional IT systems, industrial environments were historically isolated and self-contained, with no requirement for systems to communicate with each other or sophisticated data flows.
That’s changed. Today’s factories and infrastructure are increasingly connected, leveraging expanding volumes of data to transform how businesses operate and combining the real and digital worlds to model, prototype, test and manage processes in digital environments.

The challenge is every connection increases the attack surface and vulnerability. The UK’s energy grid alone faces up to hundreds of attempted cyberattacks every day, manufacturing already accounts for more than a third of cyber incidents globally and more than 60 per cent of smart factories have experienced a breach.

And attackers – whether criminal gangs or state-sponsored actors – are evolving quickly, exploiting both IT and OT vulnerabilities to gain footholds in industrial systems.
But the answer is not to pause digitalisation. In fact, a patchwork of different systems that have varying degrees of cybersecurity is a problem in itself. A strong digitalisation strategy with cybersecurity at its core, where systems and processes are secure by design, with security embedded from the start, is essential. And it should be prioritised at all levels.

2. What are the other cybersecurity trends or themes impacting industry?

There are several factors that are sharpening this challenge.

Amid the wider skills shortage in UK tech, industry already faces a scarcity of engineers with the knowledge to keep critical systems running.

And the future workforce will need those same skills plus cyber expertise to secure increasingly connected assets. Building this talent pipeline requires investment in education, lifelong learning and upskilling, which is a commitment Siemens is making across the UK and Ireland.

From a regulatory perspective, governments across Europe and beyond are introducing new rules on cyber resilience. The UK is set to follow suit with the Cyber Security and Resilience Bill which will require businesses to treat cybersecurity with the same seriousness as workplace safety.

This is at least in part due to the evolving nature of the threat. Ransomware attacks – where a system is hijacked until a ransom is paid – now account for more than 70 per cent of cyber incidents in manufacturing, where downtime means halted production and severe financial loss.

Many vulnerabilities stem from legacy technology and hastily deployed remote access during the pandemic, which left weak points in defences. Trusted solutions that are Secure by Design are the foundation of a robust strategy to protect against attacks.

3. What are the key questions companies should be asking to understand and evaluate cyber risk across their operations and connected assets?

The first step is to understand how upcoming legislation will affect you. Where organisations sit in the supply chain makes a difference. An operator of a plant will face different requirements to a machinery supplier, or a business providing software. Firms also need to consider where their customers operate because supplying into Europe, the US or other regions will mean aligning with different regulations.

But compliance is only one part of the picture. Cybersecurity should also be seen as a critical business risk and companies must understand what the potential impacts could be. An attack that halts production can quickly affect the bottom line, but breaches also threaten reputation, intellectual property and customer trust. In industrial environments, cyber incidents can cause safety systems to fail, with potentially devastating effects on people and the environment.

It’s then essential to ask how you are going to protect yourself. Full visibility of processes and assets is vital and we know that many businesses operating across industry don’t have enough understanding of their sites. Firms can’t protect what they don’t know is there and this is often due to the nature of facilities growing and evolving over many years, creating knowledge gaps.

The final key question is how to embed security into day-to-day operations and ensure it becomes a continuous, always-on process.

4. What are the latest regulations or standards guiding industrial sector businesses from a cyber perspective?

Cyber regulation is accelerating worldwide. In the UK, a new Cyber Resilience Bill was announced in the King’s Speech in 2024 and is currently under consultation. While its final shape is still being defined, it is expected to align closely with EU legislation, which will simplify compliance for businesses trading across borders.

In Europe, there are three key regulations to be aware of. The NIS2 Directive, which came into force last October, requires operators of essential services such as manufacturing sites and utilities to consider cybersecurity throughout the lifecycle of their assets. This legislation is also influencing supply chains, as end users increasingly require their partners to meet the same standards.

Alongside this, the EU Machinery Regulation has introduced a significant change for OEMs and machine builders. In future, a CE mark (which accredits the use of appropriate safety standards) will not be valid unless cybersecurity has been addressed, making it a core part of quality and safety assurance. And finally, the Cyber Resilience Act extends these requirements to the components that make up wider systems, again linking compliance directly to the CE marking process.

For many organisations, this mix of regulation can appear complicated. The most practical way to navigate it is to align with the international IEC 62443 standard, which is referenced by regulators across the globe. At Siemens, we’ve adopted IEC 62443 as standard across our products, systems and wider operations, securing certification and embedding it into the way we design and deliver technology.

The best starting point for any business is to identify which regulations are relevant to its position in the supply chain, and then to build its cybersecurity approach around IEC 62443. This not only provides a clear pathway to compliance but also ensures resilience by design, supporting long-term confidence in digital transformation.

5. What does industry need to do to adapt and adopt in the face of an evolving cybersecurity landscape?

Cybersecurity must be treated as part of everyday business. It should be integrated into existing risk management frameworks rather than seen as a separate or specialist concern.

This means clear ownership at board level, with responsibility for cyber resilience taken as seriously as health and safety. The stakes are high – the potential impact of an attack is significant, regulatory fines will be severe and in an industrial context, a cyberattack can cause physical harm, not just data loss.

Building resilience depends on three pillars: technology, processes and people. Firewalls, intrusion detection and anti-malware tools are vital, but only part of the solution. Strong policies and procedures must embed cybersecurity into daily operations, while investment in skills ensures people understand the role they play in keeping systems safe.

This final pillar is often overlooked in industry. While most employees receive training on phishing emails and passwords, those working directly with industrial equipment rarely receive equivalent guidance. Yet in practice, that is often where vulnerabilities appear and even small actions, such as plugging a personal device into a factory computer, can compromise an entire system.

To adapt successfully, businesses must ensure that cybersecurity is led from the top, built into everyday processes and supported by the right culture and skills at every level. In this way, industry can protect people, safeguard operations and unlock the full potential of digitalisation.

6. What are the key leadership considerations when addressing cybersecurity? Is it still seen as a ‘technical issue’?

Following on from the previous question, cybersecurity can no longer be regarded as purely a technical challenge. It’s a leadership issue that requires cultural change across an organisation.

Empowering people is central to this as human error is considered the biggest cybersecurity threat by experts. A shopfloor operator may not immediately see a link between their daily tasks and a potential cyberattack and that creates risk.

Training is therefore the starting point. It helps employees understand the role they play and opens their eyes to the potential impact of small decisions, but this can’t be a one-off exercise. The threat landscape evolves constantly, which means awareness programmes must be ongoing, refreshed annually at a minimum and tailored to both office and operational environments.

True resilience comes when training matures into culture. Leaders must ensure accountability for cybersecurity sits not only at board level but across all layers of the business, from engineers to operators. By embedding responsibility at every level, industry can build the secure foundations needed to embrace digital transformation with confidence.
