Cyber risk grows more complicated during the next decade
February 2017 - Manufacturers rely on global networks and generations of different industrial control systems. To remain competitive, they must drive innovation in products, manufacturing processes and industrial ecosystem relationships. As such, large-scale investments in intellectual property and exponential technologies; exploration of Industry 4.0 digital manufacturing opportunities; and rapid adoption of sensor technology, smart products and Internet of Things (IoT) strategies and analytics continue to push the pace of change.
Alongside these technology advancements come cyberthreats, including theft of intellectual property, phishing/pharming, direct abuse of IT systems, errors/omissions, and use of mobile devices by employees. Nearly 40 percent of manufacturing companies Deloitte surveyed recently reported cyber incidents in the previous 12 months; 38 percent of those said cyber breaches resulted in damages in excess of $1 million. Yet only 12 percent of manufacturers are leveraging defensive tools, such as wargaming, to improve organizational preparedness and resiliency to deal with cyber incidents.
Completing the steps below can help companies discuss and improve core aspects of their cyber risk programs.
1. Set the tone. The chief information security officer (CISO) cannot be an army of one. He or she needs to be appropriately supported by management to accomplish key cyber risk objectives for the company.
2. Assess risk broadly. Fifty percent of surveyed manufacturers indicate they perform vulnerability testing for industrial control systems less than once a month and 31 percent have never performed an assessment. It’s critical to perform a cyber risk assessment that includes the enterprise, industrial control systems (ICS) and connected products. Even if the assessment was done in the last six months, review the scope to confirm it was inclusive of advanced manufacturing cyber risks such as IP protection, ICS, connected products and third-party risks related to industrial ecosystem relationships.
3. Socialize the risk profile. Share the results of the enterprise cyber risk assessment and recommended strategy and roadmap with executive leadership and the board. Emphasize the business impact of key cyber risks and discuss how to prioritize resource allocation to address them.
4. Build security in up front. Evaluate top business investments in emerging manufacturing technologies, IoT and connected products, and confirm whether those projects are harmonized with the cyber risk program. Place the right talent on those project teams to help build in cyber risk management and strategies on the front end.
5. Remember data is an asset. Doing so requires changing the manufacturing mindset from a transactional one to one that recognizes data alone is an asset. This will necessitate a tighter connection between the business value associated with data and the strategies used to protect it. Further, it is wise to assess where valuable data resides and how its risk profile changes as it moves throughout the entire organization.
6. Assess third-party risk. Develop an inventory of mission-critical industrial relationships and evaluate strategies to address the third-party cyber risks that may coincide with these relationships.
7. Monitoring. Be vigilant in evaluating, developing and implementing cyberthreat monitoring capabilities to determine whether and how quickly a breach would be detected. Remember to extend cyberthreat detection capabilities to the shop floor and connected products.
8. Always be prepared. Increase organizational resiliency by focusing on incident and breach preparedness through table-top or wargaming simulations. Engage IT as well as key business leaders in this exercise.
9. Clarify organizational responsibilities. Be clear with the executive suite about the organizational ownership responsibilities for key components of the cyber risk program, and make sure there is a clear leader on the team.
10. Drive increased awareness. Ensure employees are aware of their responsibilities to help mitigate cyber risks related to phishing or social engineering, protecting IP and sensitive data, and appropriate escalation paths to report unusual activity or other areas of concern.
As digital and physical paradigms continue to evolve, there is great variability among cyber risk approaches, which leaves individual companies vulnerable to attack and loss of critical data. Manufacturers face many challenges, from upgrading legacy ICS while maintaining production output to human capital concerns such as the scarcity of critical talent.
Cyber risk climbs ever higher on the list of priorities for senior executives and company boards. Establishing effective cyber strategies should be a foremost goal to protect company assets.
Trina Huelsman serves as vice chairman–U.S. Process & Industrial Products leader for Deloitte across all functions, including consulting, audit, tax and financial advisory services.