Analysis
Cybersecurity for smart factories
Tools for managing cyber threats to manufacturing
The rise of digital technologies brings a new level of cyber complexity to factories. Does the manufacturing industry have adequate cybersecurity programs in place to prepare for these expanded risks?
Today’s manufacturing cyber landscape
The Fourth Industrial Revolution heralds an era of tremendous potential for innovation and growth. It also brings new risks and challenges. And this might be most evident in today’s manufacturing cyber landscape.
Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) have been formally studying cybersecurity in manufacturing and the associated risks since 2016. The 2019 Deloitte and MAPI Smart Factory Study revealed a number of risks relative to smart factory initiatives, from operational to financial and strategic to compliance. Forty-eight percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives. With the interconnectedness of the smart factory technologies, cyber threats are among the most prevalent, as smart factory environments expose people, technology, physical processes and intellectual property to these risks.
This report explores a few key questions raised by the current risk landscape:
- To what extent are cyber threats affecting manufacturers today?
- What type and level of risks exist in present-day factories?
- How do manufacturers address today’s cybersecurity risks? And how will they address new risks?
- How do manufacturers build cybersecurity controls into their smart factory initiatives?
A proliferation of cyber threats
Many manufacturing companies are seeing an increase in cyber-related incidents associated with the control systems used to manage industrial operations. These systems can range from programmable logic controllers and distributed control systems to embedded systems and industrial IoT devices. Collectively, these control systems make up the operational technologies (OT) that allow facilities to operate.
While the advantages of connectivity include increased levels of productivity, faster identification and remediation of quality defects and better collaboration across functional areas, they can also multiply the potential vulnerabilities of the smart factory. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) lists 1,200+ known OT system–related security issues, vulnerabilities, and exploits from more than 300 OEMs and system providers. The threat landscape for the systems that control operations of a production facility has proliferated rapidly with the increase in digitisation and advanced technologies.
The root cause? IT and OT are out of sync
To gain operational efficiency and assure better customer service, many manufacturing companies are looking to converge IT and OT across their operations. There are a number of areas where people, process, and technology overlap between the IT and OT ecosystems―areas where respective strategies need to be in sync. The reality of these technologies and how they are used, however, is often markedly different.
OT system–related investment decisions are often made on the factory floor by leaders within operations, with less involvement from corporate IT and security departments. This can lead to a myriad of different technologies, often with different security control capabilities, that will likely need to be integrated to and then managed using existing IT network infrastructures.
A false sense of security
Adding advanced technologies to OT networks requires equally sophisticated cybersecurity standards. A significant share of manufacturers, however, have yet to build the cyber capabilities to secure some of these business-critical systems. Given the rapid pace at which new technologies are added to factories via smart factory use cases, IT and OT leaders may be unprepared to respond to new threats that arise.
While 90 percent of manufacturers surveyed report capabilities to detect cyber events, very few companies today have extended monitoring into their OT environments. And fewer than half of manufacturers surveyed have performed cybersecurity assessments within the past six months.
These responses indicate that surveyed manufacturers seem more confident in their cyber preparedness than the maturity and capabilities they may have to respond to and recover from a cyberattack, especially when new technologies come online in periods between risk assessments. It’s likely that some manufacturers are not aware of the new threats they face when leveraging IoT devices and other emerging technologies in a smart factory environment.
Building cyber resilience in the smart factory
As smart factory initiatives continue to proliferate across the global footprint of manufacturers, cyber risks are expected to continue to increase. As the 2019 Deloitte and MAPI Smart Factory Study reveals, the cyber preparedness of many manufacturers is less mature than likely necessary to protect against not only current threats, but also new threats and vulnerabilities that digital technologies create. Manufacturing organisations should invest in a holistic cyber management program that extends across the enterprise (IT and OT) to identify, protect, respond to, and recover from cyberattacks.
Organisations should consider these steps when beginning to build an effective manufacturing cybersecurity program:
- Perform a cybersecurity maturity assessment
- Establish a formal cybersecurity governance program that considers OT
- Prioritise actions based on risk profiles
- Build in security