Episode 5: Cyber and Smart Manufacturing has been saved
Episode 5: Cyber and Smart Manufacturing
Industry 4.0 Ready podcast series
With the rise of digital technologies and global interconnectivity, the manufacturing sector faces a new level of complexity. Nearly half of manufacturers have been the victim of cyber-crime, with the sector now the third most targeted for attack. We see that cyber is no longer limited to certain aspects of operations or certain people; rather, it’s everywhere, likely in places manufacturing leaders haven’t even considered. We discuss the risks of cyber security for smart factory adoption and the steps manufacturers can take to protect their business. Your host Nick Davis, UK Industry 4.0 Leader at Deloitte is joined by Aaron Maran, Policy Manager at Make UK, and Bia Bedri, Industrial Products Cyber Leader at Deloitte UK.
Adopting a no blame culture and empowering colleagues to report incidents as they happen plays an integral role in cyber security.
- Aaron Maran, Policy Manager, Make UK
Cyber is as much a business enabler as a risk. It touches on business technology and people. It is a business imperative.
- Bia Bedri, Industrial Products Cyber Leader, Deloitte UK
Aaron is a Policy Manager at Make UK. Aaron undertakes research and analysis to formulate policy positions on issues that matter most to manufacturers. He works closely on Make UK’s Digital & Green campaign which focuses on how the manufacturing industry can accelerate digital adoption and transition to a net zero economy.
Aaron is also the author of Make UK’s report Cyber Security – The Last Line of Defence. Aaron has spoken on the importance of cyber security in the context of digital adoption to manufacturers and policy-makers alike.
Prior to working in Make UK’s Policy team, Aaron spent four years in Make UK’s Brussels office, representing the views of manufacturers in the European Parliament, Commission and Council.
Find out more
If you are interested in any of the topics discussed during this episode, please find useful links below:
Nick Davis [00:00.01]: Welcome to today’s podcast, Cyber and Smart Manufacturing, part of our Industry 4.0 Ready podcast series. I’m your host, Nick Davis, Industry 4.0 Leader for Deloitte in the UK.
Today we learn about cyber resilience in manufacturing and how the rise of digital technology using greater connectivity marks a new level of complexity for manufacturers in the context of cyber security. We see that cyber is no longer limited to just certain aspects of operations or certain people. It’s everywhere, likely in places that manufacturing leaders may not even have considered. Every employee, every device, every piece of machinery or finished product brings with it the potential for cyber risk.
To share their views on cyber resilience in smart manufacturing, I’m delighted to be joined by Bia Bedri and Aaron Maran. Perhaps we could start with a few introductions. Bia, please tell us a little bit about yourself and why you’re passionate about all things cyber.
Bia Bedri [00:00:59]: Hello, Nick. Great to be joining you today for this podcast. So, I guess a little bit of background: I’m a partner in our Deloitte Cyber Practice, leading our cyber services into the ER&I sector. So that’s the Energy Resources and Industrial sector. I would like to claim that I had the foresight 25 years ago when I got into the cyber industry, but, if I’m honest, it was more of an interest in a really cool topic at the time. Having said that, it wasn’t really mainstream at the time, so it was only cool for the people involved in it, not anybody else, but, clearly, it’s a hot topic now. I’m really passionate about cyber, and the reason I am, it’s very real, it’s tangible, it brings all of business, technology, innovation, psychology and people under one umbrella, so that’s what I really love about it.
Nick Davis [00:01:53]: Thanks, Bia. And Aaron, please, perhaps tell us a little bit about yourself and why you’re excited about cyber resilience in the context of manufacturing.
Aaron Maran [00:02:01]: Hi, Nick. It’s a pleasure to be joining you and Bia today. I’m Aaron Maron, Policy Manager for Make UK and lead on cyber security policy. I’ve had the opportunity to be representing the manufacturing sector for close to seven years now, and prior to my most recent role I also spent four years working in our Brussels office looking at data flows and how they will be affected with the UK leaving the bloc. Cyber security has become more and more important over the last – recent years, sorry, and obviously that’s where my interest really lies. More and more, manufacturers are starting to realise the importance with then continuing to push to further digitise.
Nick Davis [00:02:45]: Thanks, Aaron, and I know that, given your membership and Make UK’s role in supporting and promoting UK productivity and economic growth, this will be an important subject, no doubt. Aaron, I was reading with interest the latest survey that you produced at Make UK around cyber resilience, so ‘Cyber Resilience: The Last Line of Defence’, and I think that had some fantastic insights, and I was struck by some of the statistics that came out of that survey, notably that only just under half of manufacturers have been a victim of cyber crime in the last 12 months. So perhaps you could tell us a little bit about why Make UK decided to focus on cyber specifically, and perhaps share some other insights from the survey as well.
Aaron Maran [00:03:27]: I think Make UK have always had a focus on Industry 4.0 and aiding manufacturers in digitising. So along with obviously digitising comes with it cyber security. They are two sides of the same coin. As cyber security has become more prevalent in the mainstream media with such big cyber-attacks, such as SolarWinds or the US colonial pipeline attack, it’s become more at the forefront of our members’ minds as well. So that was one reason why we decided to have a deep dive into cyber security and the manufacturing sector specifically.
More and more companies, I believe around 41% of companies now, are starting to ask either suppliers or customers to demonstrate their cyber robustness in order to win contracts, be that in a supply chain or customers. And finally, companies obviously now are beginning to digitise more and more and, like I said a minute ago, now we’re starting to realise that with that further digitisation they also need to start to consider cyber security and really put that at the heart of their decision making.
Nick Davis [00:04:40]: Thanks Aaron, and I certainly recognise myself the interconnectedness and the role that cyber has across all of the supply chain, from OEMs through to their supply chains and their customers as well. Bia, given the cyber work you are involved in with your clients, is there anything that Aaron shared there that surprises you?
Bia Bedri [00:05:00]: Yeah, it’s interesting. I guess it’s Aaron’s reflections but also reading the report. So, it’s interesting that there’s the view that companies see cyber security as a barrier to digital transformation. I guess the question is: are they really saying that? Because in my experience they may be worried, but it hasn’t stopped them jumping into it, so it’s interesting to hear Aaron’s view.
Aaron Maran [00:05:22]: I completely agree, Bia. I think companies are now becoming more aware, and that’s definitely a positive. It’s not necessarily holding them back, but it’s definitely at the back of their mind now when they are looking at starting to plan digital infrastructure. 59% of our respondents in our survey cited cost as a barrier, but I think it’s always important to understand that there are lots of free-of-charge tools and techniques that companies can implement that can add layers of cyber security, for example two-stage authentication or changing passwords regularly, backing up files. These are all things that can assist in becoming more cyber secure. Along with cost, I’d probably only – the only other barrier I’d probably mention of note would probably be around the skills barrier: obtaining the right skills to hire people into the cyber security teams within their business.
Nick Davis [00:06:18]: Thanks, Aaron. And I guess once organisations have built up that awareness of the challenge and some of these issues, Bia, perhaps you could share what are one or two of the key priorities that a cyber leader in a manufacturer should be focused on to address some of these types of challenges.
Bia Bedri [00:06:39]: Yeah, and I guess, Nick, I said I’ve been in the industry for a very long time, and some things have changed and other things have not changed completely. And to my mind, some of the, I would say, key factors and aspects that make organisations successful and safe is probably things that would surprise you.
So one is sponsorship, and that’s business sponsorship, and what I mean by that is business seniors who really do care and don’t think it’s somebody else’s problem, because if you’ve got that sponsorship then you’re looking at the problem in the right way and actually you’re looking at how you can enable your business, and not looking at it with a negative lens but with a positive lens.
The number two, I would say cyber threats are not an ‘if’ but it’s a definite ‘when’, and we’ve seen it and it’s in the media, the statistics that Aaron shared. So I would say: prepare in advance. It might not take all the pain away, but it will certainly make it less painful when it happens and it will also make it cheaper to recover, which Aaron alluded to.
The third thing, I would say, is how do you make it sustainable? This is not just a one-off ticking the box, ‘Done. Let’s move on.’ This is something about managing your cyber risk ongoing. So again, if you’re thinking about it, you’ve got the right sponsorship, you’ve got the right mindset. It will be sustainable, and it will be core to how you run your business and your business strategy.
Nick Davis [00:08:22]: Thanks, Bia. And Aaron, I know the health of our manufacturing economy is obviously a key priority for Make UK. From a policy perspective, what is it that Government can do to help manufacturers become more resilient in the context of cyber?
Aaron Maran [00:08:40]: Just to echo exactly what Bia said on points two and three, I think if and not when, and planning in advance is definitely key, and the sustainability of integrating that cyber security within your business is extremely important. But from a policy perspective, I’d probably say Make UK have been pushing for quite some time now for Government to commit to a lifelong digital skills account, allowing employees to access funds to digital skills, and we’d hope that cyber security training would be popped into that remit of digital skills. Another one to consider on the policy side would be the Help to Grow scheme, which is obviously starting to be sped up now coming out of the pandemic, and how the Government can incorporate cyber skills within digital skills again.
And then finally, I’d probably just press the Government, and out policy ask is to raise awareness. I think lots of companies are aware of cyber risks, but the ones that don’t know almost are completely unaware of the risk that’s facing them. So an awareness campaign speaking about the importance of being cyber secure I think would be a really good step in the right direction for the Government.
Nick Davis [00:09:51]: Thanks, Aaron. And I think it would be good just for a moment to reflect on some of the specifics for manufacturing Industry 4.0. Cyber is obviously a topic applicable across all sectors, all industries, but, Bia, what is it that is specific about manufacturing an Industry 4.0 that perhaps makes this more challenging?
Bia Bedri [00:10:12]: Yeah, I think it’s recognising and appreciating, right, the Industry 4.0. It’s a major shift in the industry in terms of interconnectivity, interdependencies, so you’ve got to consider that in the manufacturing life cycle itself, in the supply chain to support it. It has a real impact on customers, on the public and viability of a sustainable business itself. And this is sustainable business, never mind the desire to thrive. So, I mean, I can’t think of a bigger major shift that we’ve had probably in the last 10 years. There’s a lot of legacy. It’s interesting, I think, because you’ve got the legacy and you’ve got the innovative, right, and you’re trying to combine the two and transform the business in terms of the business models, but also the underlying terms of business processes, the underlying technology, the culture in terms of how you shift. So I think it’s recognising and appreciating. And again, I keep going back to the mindset. It’s also shift in mindset to embrace cyber, that it’s at the core of the business decisions and everything that enables that.
Aaron Maran [00:11:25]: I completely agree with what Bia’s just said there. I think it’s – the manufacturing sector has got unique challenges similar to – or to echo what Bia just said, around the manufacturing sector 10 to 20 years ago or slightly longer, and moving from an analogue to a digital system now. More and more systems and machineries are becoming interconnected, and the manufacturing sector is largely made up of smaller companies that feed into a far larger supply chain, similar to Make UK’s own membership with 80% small and medium-sized enterprises and then obviously representing some of the bigger players within the sector.
We work closely with the National Cybersecurity Centre and they are very much of the same thought. The manufacturing sector still remains one of the most targeted sectors across the economy, and that’s mainly due to the valuable IP and data that these companies hold. So I think it’s a unique challenge but, as you alluded to, I think the whole economy, as we continue to digitise and as things become far more smart and interconnected, cyber security just needs to be addressed at every step.
Nick Davis [00:12:32]: Yeah, thank you. And I guess we talked a little bit about cyber awareness and being prepared. Bia, to your point, there’s a ‘when’ rather than ‘if’ around some of this. So if a manufacturer does suffer a cyber breach, Aaron, what’s the first thing they should do?
Aaron Maran [00:12:50]: I think, as you alluded to, or as you start the podcast talking on, is our survey suggested that 47% of manufacturers have been subjected to an attack in the past 12 months. 47% is quite a considerable number, close to half of manufacturers. So what would I suggest in case of an attack would be: take action, first and foremost. We know it costs manufacturers a significant amount of money, as well as reputational damage. You need to put plans in place on how to mitigate the impacts, and if you don’t have a plan you need to start looking at pulling together one, as we know 47% of companies don’t have a plan currently, from our research, so I would really suggest: start developing one.
You need to obviously contact your insurance company. Luckily 52% of firms have insurance in place, but if you don’t it’s probably best to start having a look at what’s on the market, but also important to remember that insurance is just one of the very first steps into becoming cyber secure. And, once you’ve taken all the necessary action, review your policies and processes in order to prevent this happening in the future.
Bia Bedri [00:13:56]: To add to what Aaron has already said, there are probably three things to my mind. One, you’d better know a cyber friend that you will call when it happens. As an example, most of the work that we do in the cyber space is referral. Someone called us in their hour of need. So I think it’s really important that you know who you will be calling in advance, rather than panicking at that point in time. I think, as Aaron mentioned, there’s lots of work that you can do upfront before you get an attack. It’s common sense prepping, it’s thinking about, ‘Should we get attacked, how will we handle it? Do we know which core manufacturing processes we need to bring up first? What else do we need to do to run the business? So what’s the minimum that we need to make sure that we do survive as a business?’ and then you can start thinking about the start of the full journey to recovery.
These things you can do up front. And you probably do them, and you intuitively know it, but I think there is something about the intent of doing it and having those plans, as Aaron mentioned. Then I would say the third thing is Industry 4.0 is the most opportune time to start thinking differently, behave differently and operate differently. Think about how cyber can transform your business and putting it at the core of the thinking and the design. And the reason I keep saying that, because if you build it in right you don’t have to worry about it later, and also it saves you mega costs should something happen. It saves you the reputational damage and it saves you the losses that you get from loss of production.
Nick Davis [00:15:36]: Thanks, Bia. It sounds like some actually really great, practical proposals there and suggestions and, clearly, we hope these events never happen to any of our podcast listeners. Finally, I guess, what’s the single most important point you would leave with our listeners on cyber security and smart manufacturing, just to wrap up? Perhaps, Aaron, yourself first.
Aaron Maran [00:16:00]: I think it’s always hard to leave with just one thought. I think cyber security is so wide-ranging there’s lots of actions I would ask our listeners to take. But probably a final thought from myself is a key element that’s often forgotten, but Bia has mentioned slightly earlier in the podcast, was around culture. I think adopting a no-blame culture is extremely important and empowering colleagues to report things as they happen can aid in getting ahead if you are to face an attack. So as well as having a robust cyber security system, the culture that comes along with that plays an integral role.
Bia Bedri [00:16:33]: And from my side, I would add that cyber is as much a business enabler as it’s a risk. It touches on the business, on technology, on people. But unfortunately, more often than not, it’s perceived as a technology issue only. It’s not; it’s a real business imperative.
Nick Davis [00:16:53]: Thank you both. Fantastic. Well, that brings us to the end of today’s podcast and some fantastic insights from both Bia and Aaron on some of the practical measures manufacturers can take, raising awareness, being prepared and responding to cyber threats as digital technologies enable smart factories to be more connected. Thank you both, Bia and Aaron, and thank you to our listeners. Please do take a moment to share a review and any feedback on this Industry 4.0 Ready podcast. If you’d like a closer read of Make UK’s cyber resilience survey or Deloitte’s cyber security for smart factories report, along with MAPI, please visit our website at deloitte.co.uk. I look forward to sharing and discussing more Industry 4.0 topics on our next podcast. Thanks and goodbye.