Experts Address Key Cybersecurity Threats and Challenges Facing Manufacturing at FMM-CSA Collaborative Event

On 26^th February, Cybersecurity Asia (CSA) and the Federation of Manufacturing Malaysia (FMM) held the “Cybersecurity in Manufacturing: Making Things Secure” event at Wisma FMM, bringing together the industry experts to discuss the evolving threat landscape, the risks posed by legacy systems, and the importance of securing supply chains.

The event featured keynote speeches and presentations from Andrew Martin, Group Publisher at Cybersecurity Asia, Brian Chang from Fortinet, Aw Yang Uei from AC2 Group, and Vikneswaran Kunasegaran from Firmus, culminating in a townhall session that addressed pressing concerns from industry participants.

Manufacturing: A Top Target for Cyber Threats

Andrew Martin’s keynote set the stage by outlining why manufacturing remains a prime target for cyber attacks. He pointed out that industrial control systems (ICS) and operational technology (OT) have traditionally been isolated, making them secure by default.

However, as smart manufacturing gains traction, connectivity has become essential, exposing these systems to significant risks.

Andrew presented three key points as to why manufacturing is a prime target for threat actors:

1. Legacy Systems – Many manufacturers still rely on outdated software and hardware, making them easy targets.
2. Lack of Network Segmentation – Insufficient separation between IT and OT systems allows attackers to infiltrate one area and move freely across the network.
3. Third-Party Risks – Supply chain vulnerabilities, contractors, and insider threats account for 84% of breaches, according to a Deloitte study.

Underscoring the financial impact, Andrew cited research showing that an hour of downtime due to a cyber attack can cost manufacturers between US$30,000 and US$256,000. He also noted that while financial services allocate around 30-40% of their IT budget to cybersecurity, manufacturers typically invest less than 10%, leaving them highly vulnerable.

Andrew then closed his presentation by highlighting these calls to action for all the IT practitioners of the manufacturing sector:

• Investing in network segmentation – Ensuring IT and OT environments are properly separated.
• Enhancing third-party security measures – Conducting rigorous cybersecurity audits of suppliers and contractors.
• Increasing executive awareness – Cybersecurity is not just an IT problem; it requires commitment from top leadership.
• Building an industry network – Collaborating with peers to share insights and strategies against emerging threats.

Bridging the IT-OT Security Gap

Brian Chang, Fortinet’s Solutions Architect & Advisory discussed the convergence of IT and OT and the security challenges that arise as a result.

He reiterated Andrew’s point of how the push for automation and digital transformation now requires OT environments to be interconnected, and that this increased connectivity opens avenues for cyber threats.

Brian cited research indicating that a single breach in the manufacturing sector costs an average of $9.4 million and can go undetected for up to 21 days. This delay allows attackers to move freely within systems, potentially disrupting operations and supply chains.

With Malaysia’s new cybersecurity regulations under Act 854, organisations, particularly National Critical Information Infrastructure (NCII) entities, are now required to report cyber incidents within 6 hours, with penalties reaching RM500,000 or even imprisonment for non-compliance. Amendments to the Personal Data Protection Act (PDPA) further impose fines of up to RM1 million for data breaches. Brian stresses that businesses must shift to a proactive security stance, given these regulations.

To mitigate these risks, Fortinet advocates an AI-driven, platform-based approach to cybersecurity. Brian emphasised the importance of Zero Trust security, which ensures that only verified users can access critical systems. Fortinet’s Security Fabric integrates networking and security to enhance threat detection, automate response mechanisms, and protect OT-specific infrastructure.

Emerging Technologies in Warehouse Management

The rapid evolution of warehouse management systems (WMS) is reshaping logistics and supply chain operations, but with new technologies come increasing cybersecurity risks.

Aw Yang Uei, Managing Partner of AC2 Group, highlighted how businesses are transitioning from traditional methods to AI-driven, cloud-native environments, bringing both efficiency and security concerns.

In Aw’s presentation, he noted that cloud adoption is accelerating, with 95% of digital applications expected to be cloud-native by 2025. Aw also added that 75% of non-cloud applications are migrating to the cloud, while 42% of existing cloud applications are shifting to cloud-native platforms.

While cloud-native solutions offer automated updates, lower security risks, and scalability, they also introduce vulnerabilities that hackers can exploit, such as API weaknesses and remote access threats.

Automation is another major shift in warehouse operations, with technologies like automated storage and retrieval systems (ASRS), shuttle systems, and autonomous mobile robots (AMR) transforming efficiency. However, Aw cautioned that cybercriminals can target warehouse control systems (WCS) and robotic controllers, disrupting supply chains through cyber attacks. “The more automated and interconnected our systems become, the greater the risk,” he warned.

Beyond AI, quantum computing is on the horizon, posing a serious threat to existing public key infrastructure (PKI)-based encryption. Aw urged businesses to prepare for post-quantum cybersecurity strategies, as emerging quantum capabilities could render current encryption methods obsolete.

The Rising Threat of Supply Chain Cyber Attacks in Manufacturing

Cyber threats targeting supply chains are becoming a growing concern in the manufacturing sector, with attackers increasingly exploiting vulnerabilities in third-party vendors rather than attacking companies directly. Vikneswaran Kunasegaran, Senior Vice President of Security Assessments at Firmus, highlighted the urgent need for manufacturers to strengthen their defences against supply chain breaches.

According to the Verizon Data Breach Investigation Report (DBIR) 2024, 2,305 cybersecurity incidents were reported in the manufacturing sector, with 849 confirmed data breaches. Financial motives drive 97% of these attacks, with ransomware being a primary method of compromise. Despite this, only 45% of manufacturers were adequately prepared, leaving a significant security gap. “Many businesses trust their vendors blindly without assessing their cybersecurity posture,” Vikneswaran warned.

Real-world supply chain breaches illustrate the consequences of weak vendor security. Toyota’s production was halted in 2022 after a supplier was attacked, delaying 13,000 vehicles. In another case, Applied Materials lost over $250 million due to a vendor’s ransomware attack. Blue Yonder, a supply chain software provider, was also hit, disrupting major clients like BIC and Morrisons. These incidents demonstrate how a single compromised vendor can bring manufacturing operations to a standstill.

Securing the Future: Key Insights from the Panel Discussion

The event wrapped up with a town hall discussion moderated by Andrew Martin, covering incident response, supply chain security, cybersecurity training, and future threats.

On incident response, Vikneswaran pointed out that while many companies have business continuity plans (BCPs), few have tested incident response strategies. He recommended simulated attack exercises to assess readiness. Brian added that incident response isn’t just a technical issue—it also involves legal, financial, and media communication. Andrew reinforced this, stating that clear communication with staff, customers, and regulators is critical during a breach.

For supply chain security, Aw advised companies to diversify suppliers and strengthen IoT security, as over-reliance on a single vendor increases cyber risks. Brian emphasised that more connectivity means higher security threats, requiring stronger controls to protect confidentiality, integrity, and availability (CIA). Vikneswaran noted that IoT devices are highly targeted due to weak security and infrequent updates, urging businesses to implement micro-segmentation to limit attack spread.

Cybersecurity awareness training was another key concern. Brian stated that security is everyone’s responsibility, not just IT, and phishing attacks exploit human psychology, making continuous training essential. Vikneswaran warned that awareness posters often become “wall decorations” unless training is enforced and measured. Some companies, he noted, have started linking cybersecurity awareness to KPIs for better compliance. Aw offered a simple yet effective security tip—never pick up unknown USB devices.

Looking ahead, Andrew cautioned that post-quantum computing could break modern encryption, allowing hackers to decrypt stolen data years later. Brian stressed that companies should prioritise basic security hygiene, including network security and endpoint protection, before investing in advanced AI tools. Aw suggested using shared passphrases with colleagues and family to verify identities, given the rise of AI-driven deepfakes. Vikneswaran closed the discussion by reminding businesses that cybersecurity must be integrated from the start of digital transformation—not treated as an afterthought.