By Jonathan Soriano
The Fourth Industrial Revolution (also known as “Industry 4.0”) is characterized by the use of the Internet of Things, big data analytics, digital supply chains, and a number of other technological advancements to improve the efficiency of production processes. Although the benefits of adopting Industry 4.0 technologies cannot be denied, manufacturing firms often overlook the additional vulnerability to cyber risk that accompanies increased reliance on the Internet.
To highlight and address this risk, Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) conducted a joint study, “Cyber Risk in Advanced Manufacturing.” The study aims to offer insight on how manufacturers can capture the value provided by Industry 4.0 technologies while appropriately addressing cyber risk as well. The study’s authors conducted more than 35 live interviews with executives and industry organizations, and, in collaboration with Forbes Insights, collected 225 responses to an online survey exploring cyber risk trends in advanced manufacturing. Based on this information, six critical cyber risk themes were identified:
Executive and board-level engagement
Talent and human capital
Intellectual property (IP)
Industrial control systems (ICS)
Executive and Board-Level Engagement
According to the online survey, the frequency of board briefings that include updates on cyber security has increased, often occurring annually, with quarterly updates. However, enhanced board engagement must be supported by a more complete briefing regarding cyber risk trends and leading mitigation practices. This broader approach will prepare the board to ask the appropriate questions regarding the firm’s cyber risk profile, funding options for mitigation strategies, and how the firm’s cyber risk profile and threats are evolving over time.
Talent and Human Capital
Manufacturing executives indicated that out of the top 10 cyber threats facing their organizations, four are directly attributable to internal employees. The most common threats include phishing/pharming, errors/omissions, direct abuse of information technology systems, and use of mobile devices. Manufacturers often find their employees to be the weakest link in their cyber security due to a general lack of awareness regarding the security of digital assets. Firms can develop cyber security workforce strategies by assessing workforce needs and skill gaps, recruiting skilled talent for cyber security management roles, and providing specialized training to enhance skills.
The most frequently cited cyber threat and the top sensitive data concern facing manufacturers is IP theft. More than 35 per cent of the executives surveyed believe that IP theft was the primary motive for cyber-attacks they had experienced in the past 12 months. When evaluating risks related to IP theft, firms must recognize that risk involves both “data at rest” and “data in motion.” Protecting “data at rest” refers to the protection of large online stores of IP in departments such as Research and Development, Engineering, and Manufacturing Operations. Protecting “data in motion” refers to the protection of IP as it moves through the company’s supply chain, or as it moves in and out of the company to a third party. Companies can reduce the value of sensitive data by encrypting the data to make it difficult to use when compromised. Additionally, all sensitive data can be securely destroyed when it is no longer necessary for business or legal operations.
Industrial Control Systems
Almost one-third of manufacturers surveyed had not performed any cyber risk assessments that focused on the ICS on their shop floors. This oversight is a serious issue because it represents a lack of protection against hackers potentially accessing automated manufacturing processes. Although implementing targeted vulnerability or penetration tests on ICS will result in production downtime, executives must realize that production efficiency should be effectively balanced with cyber security. The use of cyber threat monitoring techniques to detect unusual activity in control systems can prevent significant negative environmental impact, the loss of IP, and/or the loss of life or safety on the shop floor.
A product is considered “connected” if it is embedded with processors, sensors, or software that allow data to be exchanged between the product and its environment, user, or manufacturer, or other products. Approximately 52 per cent of manufacturing executives surveyed stated the connected products they produce are able to store and/or transmit confidential data. Additionally, almost 50 per cent of manufacturers have mobile applications associated with their connected products, and 76 per cent of companies use Wi-Fi to enable data flow between their connected products. Although this wireless access to free-flowing information allows for advancements in product capability and improved service effectiveness, it also results in unprecedented vulnerability. The value that new connected product functionality adds to the firm must be assessed prior to release. The cost to secure connected products and protect the customer and organization from malicious intent must be less than the value added.
The amount of cyber risk that a manufacturing firm is subject to increases when cyber threats can originate from a wide variety of points along the company’s external value chain. Cyber risk related to key third parties in an innovation network, subcontractors, supply chain members, and other business partners must be assessed. As indicated by 86 per cent of survey respondents, the preferred method for managing the adequacy of third-party cyber practices is identifying material risks as part of the assessment process. Sharing knowledge and leading practices regarding cyber threats between companies within an industrial ecosystem is also beneficial because many of the companies operating within the same ecosystem deal with similar challenges on a daily basis. Sharing information helps to make invisible threats both visible and manageable, which reduces future risk across the whole value chain.
In order to remain competitive, manufacturing firms must keep up with the pace of innovation and technological advancement by implementing Industry 4.0 technologies. However, the full value of these advances can only be realized if manufacturing firms take necessary precautions against the associated cyber threats. In this way, complete cyber security is rapidly becoming a competitive advantage in the manufacturing industry.
Huelsman, Trina, et al. “Cyber Risk in Advanced Manufacturing.” Deloitte, pp. 1–52.