Almost half (40%) of manufacturers surveyed recently by Deloitte and the Manufacturers Alliance for Productivity & Innovation (MAPI) said their operations were impacted by a cyber incident in the past 12 months, and yet one in four have not performed a cyber risk assessment in the last year.
This preparedness gap is becoming increasingly striking as manufacturers adopt more smart factory technologies whose connected nature exposes them to more cyber attacks.
According to the Deloitte and MAPI report on cybersecurity for smart factories, complicating this is the increasing disconnect between IT and shop floor network management. In fact, while 90% of manufacturers surveyed report capabilities to detect cyber events, very few companies today have extended monitoring into their operational technology (OT) environments. As a result, IT and OT leaders may be unprepared to respond to new threats that arise, with serious consequences to intellectual property and production processes.
The report further explores the cyber threats facing manufacturers today and provides guidance on how they can better assess and manage cyber risks in their operations. Below are key excerpts from the report.
Growing cyber threats can be a menace in manufacturing environments
● The manufacturing industry is consistently featured among the most frequently targeted industries.
● 4 in 10 manufacturers surveyed indicated that their operations were impacted by a cyber incident in the past 12 months.
● The average financial impact from an IoT-focused cyber incident was $330,000.
● Manufacturers are most concerned with risks related to unauthorized access, intellectual property theft, and operational disruption.
IT and OT need to work in tandem
● While 90% of manufacturers surveyed in the study report capabilities to detect cyber events, very few companies today have extended monitoring into their OT environments.
● Fewer than half of manufacturers surveyed have performed cybersecurity assessments within the past six months; one in four have not performed a cyber risk assessment in the past year.
● IT leaders surveyed were more confident than their OT counterparts, indicating a gap between the two groups in having visibility to the risk profile of the organization:
    ● Confidence in detecting threats: 41% for IT vs 33% for OT
    ● Confidence in responding to threats: 34% for IT vs 29% for OT
● With the rapid pace at which new technologies are added to factories via smart factory use cases, IT and OT leaders may be unprepared to respond to new threats that arise.
● IT and OT should share governance and responsibility to execute projects and harmonize duplicated or overlapping systems and processes.
The survey also decodes cyber risk through the smart factory use cases below
Identifying the data types and owners, along with the entry points, can help to clarify threats and vulnerabilities. This is demonstrated in six use cases:
● Engineering collaboration/digital twin enabled product design
● Risk-adjusted material requirement planning (MRP)
● Advanced manufacturing
● Robotics and cognitive process automation
● Factory asset intelligence and performance management
● Plant consumption and energy management
Steps to build cyber resilience in a smart factory
● Manufacturing organizations should invest in a holistic cyber management program that extends across the enterprise (IT and OT) to identify, protect, respond to and recover from cyber attacks.
● Perform a cybersecurity maturity assessment: The assessment should include the OT environments and the business networks, and it should include advanced manufacturing cyber risks.
● Establish a formal cybersecurity governance program that considers OT: The program should provide consistency and roll out to manufacturing locations globally.
● Prioritize actions based on the resulting risk profile: Use the results of the cybersecurity maturity assessment to create a strategy and roadmap that can be shared with executive leadership.
● Build in security: Since many smart factory use cases are still in planning and early stages, now is the time to harmonize these projects with the cyber risk program.