Agility and resiliency remain essential attributes for manufacturers in 2023. Manufacturers are no longer focused on figuring out when things will return to "normal."

Instead, they are applying lessons learned from the past few years to evolve their operations to succeed in this "new normal." Foley & Lardner's Manufacturing Sector team continually examines these transformational shifts through the eyes of our clients and is well-positioned to help clients stay ahead of global trends and innovate in a dynamic marketplace.

As we embark on the second half of 2023, this second annual Manufacturing White Paper examines the business and legal considerations that continue to impact the industry and offers the perspectives and insights of attorneys with deep experience serving as trusted advisors to manufacturing companies.

EVERYTHING ELECTRIFIED AND CONNECTED ALL AT ONCE: NEW CHALLENGES FACING SUPPLY CHAINS, BEST PRACTICES AND LESSONS LEARNED

By Vanessa L. Miller and Nicholas J. Ellis

Modern manufacturing and supply chains are in the midst of a sea change, as products continue a seemingly inexorable march toward electrification and greater connectedness. While these two trends are common across many industries, perhaps nowhere are they more pronounced than in the automotive industry. Most major automobile manufacturers have set aggressive goals to electrify their fleets, many in the range of 40-50% by the mid-2030s. At the same time, infotainment systems and other features have grown increasingly complex (and powerful) as many manufacturers are developing components and assemblies that contain integrated software and technology. Beyond the automotive industry, even the most basic household appliances are now wireless and connected. We have long since passed the point at which a basic automobile surpassed the computing power of a NASA space shuttle. It is (perhaps) only a slight exaggeration to suggest we may see a day in the not-too-distant future when our coffee makers do so as well.

The movement toward electrification and connectedness presents manufacturers with both opportunities and challenges. Those who take advantage of these opportunities and adapt to the changing landscape will thrive. Those who do not will see their market shares diminished and, ultimately, many may not survive.

Opportunities: Innovation and Reinvention

Significant changes in manufacturing and supply chains present a new competitive landscape and opportunities for manufacturing companies. With these changes comes the need for new technologies. New technologies bring new players, including new companies. Some of these new companies are truly "new" in the literal meaning of the word. They are startups created to monetize new technologies and products. Other "new" companies that may present opportunities may have been around for some time but can be considered "new" to a particular field or industry, such as legacy automotive manufacturers as they expand their traditional internal combustion engine (ICE) offerings to include more electric vehicles and incorporate autonomous and other connected technologies. Both startups and legacy companies represent potential new business opportunities and relationships for manufacturing companies.

New technologies and new customers present a growing demand for new products or components and require supplier capacity to manufacture those products or components for the market. There also is a need for new and innovative solutions to meet the demands of these changing technologies. These opportunities may be even more attractive because, in many of these new fields, there is less of a status quo and there are fewer established market players, which can make breaking into the field less of a challenge for new participants. All of this adds up to significantly more opportunities for companies that are able to seize the initiative.

Challenges: The Risks Surrounding Novelty

While change brings many opportunities, it also brings challenges, including new technologies, new companies, and new relationships. No, that is not a mistake; these are indeed the same things that we listed in the previous section as opportunities. While "new" presents many opportunities, the flipside of those same opportunities is the element of risk.

In the case of new technologies, there always will be some degree of working out the kinks, both with respect to performance and durability. The most obvious way in which these risks can manifest is through warranty claims and customer complaints. However, they can present other risks as well. For example, a supplier may make significant investments in production capacity for a customer bringing a new product to market. However, if the customer is unable to fully validate the product and launch is delayed or volumes reduced, the supplier can be left with unrecovered investments. The fact that many of these risks are unknown and lack historical data or precedent can make it more difficult for companies to price these risks into their cost walks when quoting new business.

Dealing with new companies in an industry (as either a supplier or a customer) brings its own set of challenges. New companies often have a limited track record or, in the case of legacy companies expanding into new fields, a limited track record within that particular field. They may also have a different worldview that can cause friction, or at least miscommunications and misaligned expectations between different companies. Perhaps the most commonly cited - although at times overstated - example of such differing cultures coming together is the difference in cultures between traditional automotive manufacturers and companies in Silicon Valley. New companies may have limited resources and expertise necessary to overcome hurdles that may arise. Particularly in the case of startups or other new ventures, there may also be questions about whether new companies have the financial resources to meet their contractual obligations, should challenges arise.

All of these risks can be further compounded when they occur in a new relationship with a new customer or supplier. Unlike many well-established relationships (assuming they have been good relationships), newer relationships do not have the track record of trust and historical understanding on which to fall back when things get difficult. New business partners are more likely to question the motives, sincerity, or even ability of the other side, and can be more likely to reach for legal remedies should problems arise in the relationship.

Strategies and Best Practices

While the movement toward electrification and connectedness in the automotive and other industries can present challenges, there are a number of strategies and best practices that companies can employ to mitigate the risks these challenges pose.

  1. Consider your approach to software and integrated technology. Whether your company will develop, license, or own a particular software or integrated technology will be a major strategic driver. The key question that many manufacturers will face is "to build or to buy?" Each path comes with its own list of pros and cons that need to be carefully considered in the context of the companies' abilities, particular product, related costs and marketplace leverage.
  2. Strong contracts to protect against risks posed by new technology and new business partners. In a changing world, one of the most important steps that companies can take to protect themselves largely remains the same - protecting themselves through their contracts. Companies entering into a new supply relationship should give careful consideration to the key terms of the arrangement, including at least the following: (i) quantity, (ii) term/termination, (iii) price (including price adjustment), (iv) warranties, (v) indemnification, (vi) intellectual property, (vii) choice of law/forum, and (viii) force majeure. For example, companies that are concerned about the performance of a new supplier's technology should ensure that any purchase contract includes strong warranties and other assurances of performance. Companies that may be concerned about the viability or performance of a supplier should consider seeking licenses or other rights that would enable them to obtain vital components from another source if the supplier does not meet its obligations. This directive is not limited to supply contracts alone. Any contract into which a company is entering to take advantage of the opportunities presented by these changes should be carefully considered and calibrated for the risks presented by that particular opportunity.
  3. Consider the form of the relationship to mitigate potential risks. At the outset, companies can mitigate a significant amount of their potential risks and maximize opportunities by properly considering what form the relationship should take. For example, does it make sense to enter into a traditional customer-supplier relationship? In some cases the answer may be yes; however, this is not always the case. For example, if a potential new supplier has developed a technology that your company wants to take advantage of but has no track record of production or manufacturing facilities, it may be more appropriate to consider an alternative structure such as a licensing agreement or some form of joint venture. Larger customers that want to ensure long-term access to technology may prefer to protect that investment through some form of investment, or even outright purchase of a provider rather than through a supply agreement alone.
  4. Due diligence, including promised technology and IP rights. It should go without saying, but companies can avoid many headaches (or at least fully understand what they are getting into) by properly vetting their prospective business partners. Key issues to consider include looking at the technological, financial, and operational resources of a prospective business partner to ensure that they are able to perform their obligations, but also looking at their reputation and track record. For example, a litigation search can be very telling. If a company has been in business long enough, it is inevitable that a company will have some kind of litigation history. However, certain issues can present significant red flags. For example, if a company is facing litigation challenging its intellectual property rights or alleging infringement, this may present a significant risk as to whether the company has viable rights to the technology it is offering. Other examples require little or no explanation - if a company has been sued by multiple suppliers in the last month for nonpayment, it probably does not present a good opportunity as a new customer. Finally, appropriate diligence should be performed on any new or unproven technology being offered, with a view to the "golden rule" - if it sounds too good to be true, it very well might be.

Adapting to a Changing Landscape

Unfortunately for some companies, creation and progress often involve a measure of destruction. Changing technology inevitably will leave some companies behind. In few places are these risks more evident than in the automotive industry, as the shift to electrification in particular represents a fundamental change to the demands placed on the automotive supply chain. There undoubtedly will be challenges along the way and it may take longer than the currently expected 10-15 years, but the path is largely locked in as most automotive manufacturers and their supply base are committing to investments in electrification. For companies that primarily manufacture products that are used only in traditional internal combustion engine vehicles - for example, fuel tanks - this presents a clear and obvious problem. How many companies can survive a 40-50% decline in their business?

Companies facing these changes need to consider carefully what their future looks like in the medium- to long-term horizon and develop a plan for how they will adapt. Key factors to consider include:

  • What does your company's product mix look like now, and how will those products be affected by impending changes in the industry?
  • What new products are going to be needed as a result of these changes?
  • How are software or new technologies integrated with your products (or how can they be integrated)?
  • Who are your customers?
  • Where do you need to be located geographically?
  • How about your supply base and their geographic locations?
  • What is the appropriate structure for a strategic partnership with a particular customer or supplier?

Once a company has assessed its risks and developed a plan to address those risks, it can move forward with making the necessary investments and changes to its business. If you haven't started, you are already behind!

CYBERSECURITY THREATS IN THE MANUFACTURING INDUSTRY

By Aaron K. Tantleff and Alexander Misakian

In the hyper-connected era of Smart Manufacturing, accelerated by "Industry 4.0," manufacturing is undergoing a digital revolution. By leveraging technologies such as advanced automation, artificial intelligence, the Internet of Things, blockchain, and other technologies, manufacturers continue to optimize production, increase efficiency, and drive innovation. However, this digital revolution brings complex cybersecurity risks and threats, creating significant implications for manufacturers.

For the second year in a row, manufacturing has been the most targeted sector by cyberattacks, accounting for nearly one in four incidents.[1] Throughout 2022 alone, ransomware attacks on the manufacturing industry nearly doubled, accounting for 72% of all ransomware attacks and implicating 104 unique manufacturing subsectors.[2]

As manufacturers increasingly integrate digital information technology with physical operational technology, the vulnerabilities that cybercriminals can exploit continue to multiply exponentially. Accordingly, while cybersecurity has always been an essential aspect of manufacturing, the increasing reliance on technology now makes cybersecurity one of the industry's most critical concerns. Below, we describe various types of cybersecurity risks and attacks faced by manufacturers and outline some of the legal implications and considerations that entities in the manufacturing industry should consider.

Types of Cybersecurity Risks Facing the Manufacturing Sector

Cybercriminals continue to target the manufacturing sector due to its integral role in the economy, potential critical industry and supply chain impacts, and vast amounts of sensitive data held by organizations within the sector. Cyberattacks may disrupt businesses and supply chains, undermining the benefits of digitalization, resulting in financial and productivity losses, and causing reputational damage.

These cybersecurity risks can be broadly categorized into malware attacks, social engineering attacks, and Advanced Persistent Threats (APTs), in addition to other risks unique to the manufacturing sector.

Malware Attacks, involving the deployment of malicious software, may come in many forms, including viruses, worms, ransomware, and spyware, and constitute a significant threat to manufacturers as they can cripple an entire manufacturing operation, causing significant financial, operational, and reputational damage. This category of software is designed to infiltrate, damage, or disrupt systems. The most common malware affecting manufacturing is ransomware, which may involve the encryption and/or exfiltration of a victim's data and a ransom payment demand. Ransomware is especially dangerous for a manufacturer as it can halt production lines, disrupt operations, cause considerable financial loss, and significantly impact the global supply chain.

Social Engineering Attacks exploit human vulnerabilities rather than technological flaws to gain unauthorized access to systems and data, potentially leading to ransomware attacks or sensitive data theft. While phishing is a well-known form, social engineering attacks may involve spear-phishing (targeted at specific individuals or companies), baiting (enticing a user to perform an action with a false promise such as a free gift), and pretexting (creating a fabricated scenario to manipulate the victim into providing access or information).

Advanced Persistent Threats (APTs) are sophisticated, coordinated attacks that often target high-value industries like manufacturing. These attacks are typically conducted by highly skilled groups with substantial resources, intent on stealing sensitive information or disrupting critical infrastructure. In the manufacturing sector, APTs often target valuable intellectual property (IP), such as proprietary production techniques, research and development data, or business strategy documents. In addition to intellectual property theft, APTs can cause significant operational disruption as prolonged, unauthorized access to a manufacturer's network may allow attackers to manipulate industrial control systems, disrupt production processes, or even sabotage equipment. APTs can also compromise supply chains. A successful attack on a manufacturer could give the attacker access to connected networks, such as suppliers, logistics partners, or customers. This potential for wide-ranging impact makes APTs a grave concern for the entire manufacturing ecosystem.

Intellectual Property Theft is one of the most coveted manufacturing targets for cybercriminals. Manufacturers often possess valuable proprietary information, including blueprints, manufacturing processes, research, and development data. Accordingly, sophisticated cybercriminal groups or state-sponsored entities may utilize APTs, among other cyber-attack tools, to target and exfiltrate IP. Given the value of proprietary information such as unique manufacturing methods, product designs, and research data, the impact of such theft on a manufacturing company can be immense, leading to potential market share loss, decreased competitive advantage, and substantial financial repercussions.

Supply Chain Attacks, often resulting from APTs, exploit the vulnerabilities in a company's supply chain network. Given the interconnected nature of the manufacturing industry, a single vulnerability can have far-reaching implications. Attackers can exploit weaker links, such as small suppliers with less robust security, to infiltrate larger, more secure networks. Notably, the 2020 SolarWinds hack, which affected government and corporate networks, was a supply chain attack.

Industrial Control System (ICS) Attacks, also often stemming from APTs, target industrial control systems crucial for modern manufacturing processes and can potentially give the attacker control over production processes. Such an attack can halt production, cause physical damage, or even result in safety incidents. Stuxnet, a malicious computer worm discovered in 2010, targeted ICS in Iran's nuclear facilities, highlighting the potential real-world implications of such attacks.

Insider Threats from disgruntled employees, contractors, or other insiders with access to critical systems can prove just as dangerous a cybersecurity risk as threats from outside the organization. As with other types of cyber threats, insider threats pose a significant risk of IP theft. Notably, not all insider threats are intentional. While insiders might misuse their access intentionally, their credentials can also be co-opted through phishing or other methods, allowing an external attacker to infiltrate systems.

Third-Party Vulnerabilities involve cybersecurity risks that result from a manufacturer's relationships with vendors, suppliers, service providers, or any third parties that have access to their systems or data. In other words, a manufacturer's cybersecurity resilience is often only as strong as the weakest link in its supply chain. A third party lacking robust cybersecurity measures can become an initial vector for cybersecurity attacks.

Potential Impact on Critical Infrastructure

The manufacturing sector often serves as a backbone to critical infrastructure - the systems, facilities, and essential services that underpin the functioning of our societies and economies. This encompasses sectors such as power generation, water supply, transportation, telecommunications, and healthcare. Manufacturers play an instrumental role in supporting these infrastructures by providing essential components, equipment, and services necessary for their operation. Consequently, a cyberattack that significantly disrupts manufacturing processes can have wide-reaching and potentially catastrophic impacts on critical infrastructure, the economy, and national security.

Energy. A cyberattack on manufacturers in the energy sector, including those that provide parts for power plants, oil refineries, and wind turbines, could result in widespread power outages, leaving homes, businesses, and public services without electricity. This could affect thousands, if not millions, of individuals and cause significant economic damage. At an extreme, it could even have national security implications, as energy grids could be left vulnerable to additional attacks.

Transportation. Similarly, in the transportation sector, a successful cyberattack on manufacturers of automobile, aircraft, and train components could disrupt the availability of these parts and impact production. The cascading effect of such disruptions could lead to decreased transportation capabilities, major disruptions to the supply chain, and the availability of vehicles or goods, significantly impacting the mobility of goods and people and potentially even impacting military readiness if defense-related transportation is affected.

Telecommunications. In telecommunications, manufacturers produce everything from networking equipment to mobile devices. A disruption in manufacturing these products could have a ripple effect, causing communication blackouts that affect businesses, government agencies, and individuals. Such an event could severely disrupt daily operations across multiple sectors and hinder emergency response efforts.

Healthcare and Pharmaceuticals. When it comes to healthcare and pharmaceuticals, cyberattacks can have particularly dire consequences. For example, an attack on medical device or pharmaceutical manufacturers could result in medication production shutdowns, compromised medical device functionality, or altering the formulation of life-saving drugs. In the worst-case scenario, this could have severe repercussions on patient safety and public health.

National Security. Cybersecurity attacks on any of the critical infrastructure sectors noted above may have major national security implications, particularly if the targeted manufacturing company is involved in producing defense equipment or technology. A cyberattack on manufacturers supplying the defense sector could interrupt the production of essential military equipment, impairing a nation's defense capabilities, or result in our nation's enemies gaining access to the IP underlying critical defense technology. Similarly, disruptions in the energy or telecommunications sectors could compromise key national capabilities and intelligence operations.

Overall, the potential impact of cyberattacks on critical infrastructure underscores the urgent need for robust cybersecurity measures within the manufacturing sector. The interconnectedness of today's world means that a cyberattack on a single manufacturing company can ripple outwards to affect a broad array of unrelated sectors. Moreover, these attacks can undermine the public's trust in critical services, causing societal instability. Given the potential scale of disruption and associated economic, health, safety, and national security risks, manufacturers must adopt a proactive approach to cybersecurity. Cybersecurity in the manufacturing sector is not merely an issue of business continuity, it is a matter of national and international security.

Legal Implications and Potential Liabilities

The legal implications of these cybersecurity attacks are vast, including significant financial and legal liabilities from various sources. First, manufacturers may face liability based on data protection laws if a cybersecurity attack involves a personal data breach. For example, if a manufacturing company controls large amounts of personal data, including customer or employee data, it would be subject to data protection laws such as the General Data Protection Regulation (GDPR) in the European Union and the California Privacy Rights Act (CPRA) in the United States. A data breach that exposes or results from noncompliance with data protection laws could result in significant regulatory fines and penalties. For instance, the GDPR imposes significant financial penalties for noncompliance, up to 4% of annual global turnover or €20 million, whichever is higher. Additionally, manufacturers may face considerable liability arising from class actions filed by affected individuals.

Second, directors and officers of manufacturing companies could face legal action from shareholders based on an alleged breach of fiduciary duties. Such duties include the duty of care, which could be interpreted as an obligation to implement reasonable cybersecurity measures in the context of cybersecurity. If a cybersecurity attack results in significant financial loss and the shareholders can show that directors and officers failed to implement adequate cybersecurity measures, they could be held liable for breaching the duty of care. Similarly, if a cybersecurity attack results from a failure to properly vet and monitor a supplier or other third party's cybersecurity policies and procedures, manufacturers may face potential claims alleging a breach of the required duty of care. Shareholders may also file lawsuits alleging that negligence of the directors and officers resulted in financial loss.

Third, if a cybersecurity attack involves the loss or disclosure of IP, especially in the case of industrial espionage, a company may be found to be in violation of trade secret laws or be subject to IP lawsuits if the cybersecurity attack results in the theft and subsequent disclosure and/or unauthorized use of proprietary information.

Finally, under contract law, manufacturers could be held liable for breach of contract if a cybersecurity attack disrupts their ability to fulfill contractual obligations. Additionally, contracts often contain clauses related to required data protection and cybersecurity. This could lead to various legal consequences, including termination of contracts and liability for any resulting damages.

Recommendations for Manufacturers to Manage Cybersecurity Risks

Given the multitude of cybersecurity risks and significant legal implications, manufacturers must adopt and comply with robust cybersecurity measures and policies, including technical and legal measures.

Technical Measures. These include implementing multi-factor authentication, utilizing modern endpoint detection solutions, ensuring comprehensive business continuity and backup procedures, regularly updating and patching systems, conducting regular security audits, and training employees on cybersecurity best practices. Technical measures are the first line of defense against cybersecurity risks. Manufacturers should review their cybersecurity policies and procedures, and ensure proper technical security measures are implemented and followed.

Employee Training and Awareness. Employees often represent the most significant, and most difficult to manage, vulnerability in an organization's cybersecurity defenses. As such, regular employee training and awareness campaigns are crucial. Training should educate employees about the nature of cyber threats, the importance of cybersecurity measures, and their role in defending against them. Topics can include the importance of strong, unique passwords, the risks of phishing attacks, and the correct procedures for handling, storing, and sharing sensitive data.

Legal Measures. Manufacturers can also protect themselves by incorporating appropriate and compliant cybersecurity clauses into their contracts. For example, to mitigate the risks associated with third-party vulnerabilities, these clauses should specify third parties' responsibilities regarding cybersecurity, including data protection obligations, required security measures, and the procedure for responding to cybersecurity incidents. Manufacturers should also ensure they conduct thorough cybersecurity audits of their third parties. These audits should assess the third parties' cybersecurity policies, procedures, infrastructure, and compliance with relevant regulations. These clauses and audits protect manufacturers legally and incentivize third parties to uphold high cybersecurity standards and limit liability in the event of a cybersecurity attack.

Cyber Insurance. Manufacturers also should invest in cyber insurance to mitigate financial risks associated with cybersecurity attacks, including the costs to investigate, remediate, and respond to such attacks, negotiations and ransom payments, and potential litigation that may arise. Additionally, manufacturers should strive to comply with applicable cybersecurity standards such as ISO 27001 and the NIST Cybersecurity Framework, as these standards provide guidelines and best practices for managing cybersecurity risks. Achieving and maintaining these certifications can demonstrate that the company has taken reasonable steps to protect against cybersecurity threats.

Consider Collaborating with Legal Counsel

Manufacturers not only face a multitude of cybersecurity risks but must also navigate the complex patchwork of cybersecurity and data privacy laws at the state, federal, international, and industry-specific levels. These often complicated laws can vary widely depending on the jurisdiction, industry, and the type of data a company handles. Legal counsel can identify the applicability of, and ensure compliance with, laws like the GDPR, CPRA, and other comprehensive data privacy laws, including cybersecurity requirements imposed by the federal government under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), the Defense Federal Acquisition Regulation Supplement (DFARS), and the Federal Energy Regulatory Commission (FERC), and other industry-specific regulations.

Legal counsel also can help identify potential liabilities and legal risks related to cybersecurity. This may include facilitating risk assessments, developing risk management strategies, including policies and procedures to mitigate cybersecurity risks, and preparing and executing an appropriate incident response plan following a cybersecurity incident to ensure compliance with applicable data breach privacy laws. Legal counsel can also assist in reviewing and revising contracts with suppliers, service providers, and customers to ensure the inclusion of appropriate cybersecurity requirements and protections, such as indemnification clauses or limitations of liability in the event of a cybersecurity incident. Finally, legal counsel involved and well-versed in a manufacturer's cybersecurity practices and procedures can more effectively assist in the event of litigation, whether from affected individuals, business partners, or regulators.

Managing cybersecurity risks requires a comprehensive, multi-faceted approach combining robust technical measures, strong legal protections, and a commitment to employee training and awareness. By implementing these measures, manufacturers can significantly reduce their cybersecurity risks and protect themselves from potential legal liabilities.

Conclusion

While offering significant advantages, the digital revolution in the manufacturing industry has exposed the sector to elevated cybersecurity risks. As cyber threats grow more sophisticated, manufacturers must navigate a complex legal landscape, balancing technologically supported growth with compliance with data protection laws, potential liability for cyber breaches, and the need for robust cyber defenses.

In this rapidly evolving context, proactive risk management and adherence to cybersecurity standards are not merely best practices but strategic imperatives. Manufacturers should continually revisit their cybersecurity strategies, aligning them with the latest technological advancements and regulatory updates. Fostering a strong cybersecurity culture will not only mitigate legal liabilities but will also contribute to the long-term resilience and competitiveness of the manufacturing sector.


Footnotes

1. See "X-Force Threat Intelligence Index 2023," IBM Security, February 2023.

2. See "ICS/OT Cybersecurity Year In Review 2022," Dragos.
