Cyber Security in Swiss Industry 4.0 Companies
Cyber risks need to be under control in order to take advantage of the opportunities of Industry 4.0, though only a few companies have an up-to-date and comprehensive cybersecurity strategy in place. A new Deloitte survey shows how companies, especially those in the fields of connected and smart products, can prepare themselves for cyber risks.
Konstantin Von Radowitz, Head of Consumer & Industrial Products, Deloitte Switzerland
Olivier Bandle, Head of Cyber Risk Services for Consumer & Industrial Products, Deloitte Switzerland
Industry 4.0, and digitalisation in a wider sense, offer enormous opportunities to improve processes, products and services. Most importantly, they bring entirely new products and services to market. But digitalisation also comes with new risks that need to be understood and managed to leverage its full potential. Years ago, the Deloitte study on Industry 4.0 identified cybersecurity as the main risk preventing Swiss companies from going fully digital and automated. Cyberattacks can paralyse connected manufacturing systems and incur high costs. Only a few Swiss companies have fully prepared and implemented a comprehensive cybersecurity strategy.
Around one-third of the 225 survey respondents in advanced manufacturing suffered a cyberattack in the previous year. Theft of intellectual property and production disruption are considered the greatest cyber risks. Phishing/pharming, viruses, security breaches by third parties, and social engineering can result in high costs. The shipping company AP Moller-Maersk estimated the costs of last year's Petya ransomware cyberattack at up to USD 300 million. Petya also forced Cadbury to temporarily shut down all of its chocolate factories in Australia.
Risk management for connected production
Continuous vulnerability testing is indispensable in today's automated production processes. Older systems were not designed to be integrated into networks; once connected, they can easily expose other IT assets and lead to production disruptions.
One-third of respondents have not conducted a cyber risk assessment on their productive industrial control systems. Furthermore, two-thirds of those who have conducted such a risk assessment used significant internal resources, which might introduce organisational bias into the assessment. Another one-third of respondents have not included manufacturing networks in their plans for cyber incident handling.
Effective protection against cyberattacks in connected and autonomous production environments requires a comprehensive approach based on four pillars:
- Strategy: Define a clear business-based cyber strategy
- Security: Reinforce systems to minimise incidents
- Vigilance: Implement monitoring programmes
- Resilience: The ability to recover from cyberattacks and restore normal operations
Network segmentation can help improve security on the factory floor. Separating certain systems from the outside world is another protection option. Complete isolation of the manufacturing environment reduces the risk, but it also reduces the efficiency and cost benefits of advanced technologies, which is the opposite of what the business desires.
Risk management for intelligent products
Risk management is important not only in manufacturing but also for the products themselves. In the digital age, products are becoming increasingly smart and communicate with their environment. These communication networks bring greater vulnerabilities. Half of the respondents already provide apps for their products, and three-quarters enable Wi-Fi connectivity. They have to meet strict product security requirements because many of these smart products can, for example, store and transmit confidential customer information (such as quality information or a support backdoor). Successful tampering and attacks on connected vehicles and household appliances have recently highlighted the importance of strong data encryption to ensure information security. Moreover, legal safeguards need to be defined that govern intraorganisational responsibility for risks and ownership of data and transfer.
Additional cyber security mechanisms must be designed and implemented before smart products become available:
- Cyber security experts should be involved from the start to identify possible vulnerabilities in products early on.
- Continuous monitoring, identification and assessment of emerging cyber risks in the ecosystem that pose a potential hazard to intelligent products are also essential.
Cyber Security enables growth
Many companies cite general security concerns as a main reason for not pushing a faster digital transformation of their manufacturing environment and products in the age of Industry 4.0. However, extensive digitalisation and automation are essential to remain competitive in the market and should not be held back by possible cyber risks.