Deloitte and the Manufacturers Alliance have been formally studying cybersecurity and associated risks since 2016. Our joint studies have found that while awareness of the potential cyber threats related to smart factory initiatives is growing, many manufacturers have had difficulties advancing their cyber risk management capabilities.
In 2020, the novel coronavirus brought cybersecurity to the forefront, as many manufacturers quickly shifted some of their employees to remote working situations. And, while production still needed to occur on-site, many manufacturers shifted quickly to add virtual capabilities to limit the number of employees needed in a facility and/or to respond to local restrictions related to in-person operations.
The lessons many manufacturers have learned in the past nine months bear out the findings of our 2019 Deloitte and MAPI Smart Factory Study and have even exposed new potential vulnerabilities. Given that October is Cyber Security Awareness month, we thought it would be helpful to tie some of the findings from the study to the current environment and to encourage a dialogue on the ways cyber risks are impacting manufacturers in today’s dynamic work environment.
The study revealed a number of risks related to smart factory initiatives, spanning enterprise categories from operational to financial and strategic to compliance. Forty-eight percent of manufacturers surveyed see operational risks as their primary risk related to smart factory initiatives. Much of this is linked to the ongoing convergence of information technology (IT) and operational technology (OT). The figure below highlights some of the top risks manufacturing leaders are concerned about in their OT environment.
As the figure suggests, there are many areas where people, process, and technology overlap between the IT and OT ecosystems―areas where respective strategies need to be in sync. The reality of these technologies and how they are used, however, is often markedly different. OT system-related investment decisions are often made on the factory floor by leaders within operations, with less involvement from corporate IT and security departments. This can lead to a myriad of different technologies, often with different security control capabilities, that will likely need to be integrated into and then managed using existing IT network infrastructures. Considering the speed with which some manufacturers have added technologies like cobots to meet physical distancing guidelines during the pandemic, there could be new risks from these efforts.
The convergence of IT and OT security can be a challenging task, since routine IT procedures, such as antivirus software updates or even patching, can lead to significant production disruptions, even potentially shutting down entire production lines. From the OT perspective, aspects of security can be overlooked when implementing advanced technologies and smart factory initiatives. Ongoing OT system security is not typically covered in the service-level agreements and contracts with system integrators and equipment vendors. Even when it is covered, these contracts rarely include statements for maintaining security controls, which by default makes that maintenance the responsibility of the business process owners. As a result, some large capital projects may omit any budget for ongoing security management of OT systems that could critically affect operations if they were targeted by an attack.
Beyond offering further insights relative to the IT and OT challenges inherent in smart manufacturing, the study offers a closer look at six smart factory use cases and their cyber profiles. Manufacturing leaders can learn more about each of these common use cases and their data types, owners, and potential entry points to help clarify threats and vulnerabilities and create a cyber risk mitigation strategy. With effective cyber risk management for smart factory initiatives, manufacturers can capitalize on the upside potential the Fourth Industrial Revolution brings and avoid becoming victims of a future cyberattack.
Opinions expressed by contributing authors are their own.
Global Cyber Cloud Leader and Cyber IoT Leader, Deloitte