Deloitte and MAPI study: Connected devices, industrial control systems expose manufacturers to cyber threats
Intellectual property theft tops manufacturers’ concerns; new report identifies measures to control cyber risks associated with advanced manufacturing.
NEW YORK, Nov. 15, 2016—Nearly half of surveyed manufacturing executives lack confidence their assets are protected from external threats, according to a new study from Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) titled, “Cyber Risk in Advanced Manufacturing.”
Study results indicate nearly 40 percent of surveyed manufacturing companies were affected by cyber incidents in the past 12 months, and 38 percent of those impacted indicated cyber breaches resulted in damages in excess of $1 million.
“Manufacturers are innovating at an unprecedented rate, integrating cutting-edge technologies in products, automating the shop floor, connecting supply chains, and increasingly investing in valuable intellectual property,” said Trina Huelsman, vice chairman, Deloitte & Touche LLP and US Industrial Products and Services leader. “While these advancements should position them for future growth, the industry is also likely to experience an acceleration in the velocity and sophistication of associated cyber threats. Cyber risk and innovation are closely linked, and through our study, we have identified leading practices manufacturers can implement to address these emerging risks and make their companies more secure, vigilant, and resilient.”
Motives and means of attack
Surveyed manufacturers noted the top motives of cyber attacks to be financial theft, intellectual property theft, and targeted attacks on senior executives for financial gain or access to company strategies or investments. These manufacturers reported that in the past 12 months, the highest number of incidents originated within the organization (46 percent), while 39 percent came from external sources and 15 percent originated from vendors and business partners. Top threats arising from within the organization include phishing/pharming (32 percent), direct abuse of information technology systems (25 percent), errors/omissions (26 percent), and use of mobile devices (24 percent).
Intellectual property—the No. 1 risk to manufacturers
Intellectual property can constitute more than 80 percent of a company’s value according to Ocean Tomo’s “2015 annual study of intangible asset market value,” published March 5, 2015. In the study, 36 percent of manufacturing executives said that intellectual property tops the list of data protection concerns, followed by consumer data (32 percent) and accidental disclosure of personal information (29 percent). In addition, significant and increasing concern exists around more sophisticated state-sponsored attacks on intellectual property. Preventive and detective data protection strategies can help companies to secure their data from the inside out and capture the value of their investments in intellectual property.
“Cyber risk is a critical part of every manufacturing environment and demands attention from every employee, contractor, and business with whom a company interacts,” said Stephen Gold, president and CEO, MAPI. “The most effective approach will rely on more than the CIO or CISO by also engaging the board and C-suite. Company leadership needs to understand their comprehensive cyber risk profile to appropriately allocate resources to mitigate risk.”
Cyber risk on the shop floor
Industrial control systems operate highly automated manufacturing processes where employee safety, environmental protection, and operational efficiency are of paramount importance. Yet, 50 percent of surveyed companies indicate they perform vulnerability testing for industrial control systems less than once a month and 31 percent have never done an assessment. These are essential tools for identifying and mitigating cyber risks on the shop floor and clarifying organizational responsibilities between IT and operational technology employees. By implementing technologies to provide automated 24/7 cyber threat monitoring, manufacturers can become more vigilant in protecting critical manufacturing operations.
“To date, many companies have attempted to isolate the networks associated with their industrial control systems with an air gap, essentially a physical barrier between the industrial control systems networks, enterprise networks, and the internet,” said Sean Peasley, partner, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. “However, if they haven’t actually tested the accessibility of these systems, they can miss hidden access points that could be vulnerable to attack. An air gap strategy is also contrary to industry trends in digital manufacturing, which are designed to generate cost-savings, automation, and efficiency benefits.”
Connected products, exponential risks
Increasing reliance on technology-enabled connected products brings a new set of risks to manufacturers. Among executives surveyed, 45 percent said their organization uses mobile applications and 35 percent cited sensor controls. However, 40 percent of respondents said they have not yet incorporated connected products into the company’s cyber incident response plan. Planning ahead before a breach occurs—so the entire organization is prepared to respond and quickly neutralize threats—can help companies become more resilient. Leading companies design security into connected products and integrate them into the cyber program from the start. This is important because 76 percent of companies surveyed transmit product data using Wi-Fi, and 52 percent reported that their connected products store and/or transmit confidential data, including Social Security and banking information.
“Through the cyber risk in advanced manufacturing study, we identified both potential vulnerabilities and some great leading practices that manufacturers can leverage to deter attack and prevent loss of critical information and assets,” said Gold.
For more information on Deloitte and MAPI’s study on Cyber Risk in Advanced Manufacturing, please visit www.deloitte.com/us/cyber-risk-advanced-manufacturing. Connect with us on Twitter: @DeloitteMFG, @DeloitteRiskFin, and @MAPI_Mfg_Info
This study was conducted by Deloitte and MAPI. Responses were derived from 35 live executive interviews and industry organization interviews, an innovation lab, and in collaboration with Forbes Insights, we collected 225 responses to an online survey.
Manufacturing leaders use the Manufacturers Alliance for Productivity and Innovation (MAPI) to share best practices, discuss solutions to common challenges, and become better leaders. By leveraging the experiences of their peers, members use MAPI to make their enterprises more competitive and increase their personal effectiveness. As a professional society for manufacturing's leaders, we operate topical councils and produce a variety of research, including economic forecasts and analysis of best practices. For more information please visit www.mapi.net.
About Deloitte’s Industrial Products and Services practice
Deloitte's Industrial Products and Services practice serves 85 percent of all Fortune 1000 process and industrial products companies, which include market category leaders in chemicals, metals, industrial goods, and paper products. For more information please visit Deloitte’s Industrial Products and Services practice, or follow us @DeloitteMFG.
About Deloitte Cyber Risk Services
As part of the market-leading Advisory practice, Deloitte’s Cyber Risk Services help complex organizations more confidently leverage advanced technologies to achieve their strategic growth, innovation, and performance objectives through proactive management of the associated cyber risks. With deep experience across a broad range of industries, Deloitte’s more than 2,500 cyber risk services practitioners provide advisory and implementation services, spanning executive and technical functions, to help transform legacy IT security programs into proactive, secure, vigilant, and resilient cyber risk programs. Deloitte cyber risk services works with our clients worldwide to better align cybersecurity investments with strategic business priorities, establish improved threat awareness and visibility, and strengthen the ability of organizations to thrive in the face of cyber incidents.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.