Industry 4.0 and Cybersecurity
While Industry 4.0 opens up immense potential for innovation and growth, it also brings new risks and challenges. With this upward trend of digital technologies and interconnectivity, cyber is no longer limited to certain aspects of operations or people; it is everywhere, including places leaders have not considered.
Changes in the manufacturing cyber landscape
Manufacturing organisations embrace Industry 4.0 use cases such as performance and predictive maintenance analysis, which rely on highly connected industrial internet of things (IIoT) technologies that provide operational data to corporate or cloud solutions. These technologies allow manufacturers to increase productivity, identify and repair quality defects faster, collaborate better across functional areas, and better manage their assets 24/7.
The COVID-19 pandemic has further accelerated these needs as many manufacturers must maintain their assets and services while being isolated from their facilities.
The attack surface and risks to both operational technologies (OT) and information technology (IT) are growing significantly. This is due to the ongoing convergence of IT and OT, and the emergence of Industry 4.0 ecosystems. The boundaries between IT and OT have become more porous, and perimeters of the network have expanded into the cloud.
At the same time, the growing complexity of today’s threats (such as recent ransomware and state-sponsored attacks) makes manufacturers more vulnerable to attacks than ever.
Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) have been formally studying cybersecurity in manufacturing and its associated risks since 2016. The 2019 Deloitte and MAPI Smart Factory Study revealed several risks for smart factory initiatives. 48% of manufacturers surveyed considered that operational risks, which include cybersecurity, are the greatest danger to smart factory initiatives. The study also showed that manufacturers are most concerned about unauthorised access risks (87%), intellectual property theft (85%) and operational disruption (86%).
IT and OT are not in sync.
There are several areas of overlap between IT and OT, where the management of people, process and technology must be aligned. Still, many manufacturers have yet to integrate their IT and OT strategies.
Even though today’s IT departments are often responsible for managing security for the OT environment alongside existing IT systems, decisions on OT system-related investments are made by operations leaders with little involvement from IT and security departments.
Security can be overlooked when implementing advanced technologies into the OT environment. In general, the continuous security of the OT system is not covered by service level agreements (SLA) and contracts with system integrators and equipment providers. This could have a serious impact on operations if they are targeted by an attack.
IT and OT leaders may not be ready to respond to new threats due to a false sense of security.
90% of manufacturers surveyed report that they have capabilities to detect cyber events, but only a few companies have extended monitoring into their OT environments. Unless there is a negative impact on operations, it can be difficult to identify attacks in the OT environment.
More than 50% of the manufacturers surveyed have not conducted a cybersecurity assessment in the last six months, meaning they are not aware of the impact of a cyberattack on their organisation’s operations. These answers suggest that surveyed manufacturers seem more confident in their cyber readiness than is justified by the maturity and capabilities they may have to respond to and recover from a cyberattack.
Building cyber resilience in manufacturing organisations
Manufacturing organisations should invest in a holistic cyber management program that extends across the enterprise (IT and OT) to identify, protect, respond to, and recover from cyberattacks.
Organisations should consider the following steps when building an effective cybersecurity program:
- Perform a cybersecurity maturity assessment.
If your organisation has not done this in the past year, consider making this a priority. The assessment should include OT environments, business networks, and advanced manufacturing cyber risks.
- Establish a formal cybersecurity governance program that considers OT.
The program should provide consistency across locations. The governance structure should involve representatives from the business to enable IT and OT teams to work together where practical. Consider using a steering committee to assign decision-making authority to further deliver consistency within the program.
- Prioritise actions based on risk profiles.
Use cybersecurity maturity assessment results to create a strategy and roadmap that can be shared with the executive to address risks in a manner appropriate to your organisation’s risk tolerance and capabilities.
- Build in security.
Since Industry 4.0 use cases are still in the initial stages, it is time to align these projects with your cyber risk program. Design and include proper security controls at the early stage of these projects.
The article is written by Wuthi Nopsuwanchai, Senior Manager, and Sarin Treesiriprasert, Assistant Manager of Risk Advisory, Deloitte Thailand.