Cyber Secure Manufacturing in 2021 - Deloitte United States · Tero Mellin Director, Cyber Risk...
Contents
Research setting and method
Introduction
What did they say?
The current landscape
Definition of cyber security
About the future of the cyber security in manufacturing
Cyber security priorities in manufacturing in 2021
Conclusions
And here’s what we say
Contact us
References
Research setting and method
The study was conducted in three phases.
Phase 1: Preparation
Carrying out the literature review, arranging a preparation workshop for 14 cyber security experts, and selecting the professionals for the Delphi panel. The selection of the professionals to the panel was based on the quality of their expertise and diversity of their backgrounds. Therefore, the panel as a group was able to offer a broad view of the future of cyber security in the industry.
Panellist background: The panellists were from different large Finnish manufacturing companies operating globally, many of which had a turnover of over half a billion euros in 2015. Half of the panellists had at least ten years of experience in cyber security, and most of them had over seven years of experience in their current security role. Even the professionals with fewer years of direct cyber security experience still had a lengthy, even decades-long, career in IT in which information and cyber security had been part of their daily work.
Phase 2 and 3: Two one-on-one interviews
The purpose of the first interview round was to introduce the topic to the panel. The first propositions from the preparation phase were also tested, and statements and topics for the next round identified. The most popular views of the future of cyber security in manufacturing were identified after the first interviews.
The next interview round was designed based on the findings of the first round. In the second round, the panellists were presented with more specific topics raised from the first round, and they argued for and against not only their own but also others’ opinions and statements.
Introduction
Manufacturing is rapidly entering the 4th industrial revolution where the old, complex and formerly closed environments, solutions and systems meet new, connected and more open ones. This offers immense possibilities for the manufacturing industry, and every manufacturing company should harvest the benefits of these innovative solutions to power performance and make their business more successful.
Already today, the network connections from the industrial systems at the “floor level” are rapidly increasing. Every manufacturer of an industrial component or sensor wants to collect all the possible data from their own systems. In a large industrial process, there are dozens of these manufacturers. Each connection to the outside world exposes the systems to cyber risks. In the near future, we will probably see the implementation of 5G mobile networks into each of these sensors. Industrial IoT will not ask users for permission to connect to the Internet; it will be there by default.
The year 2017 saw two large malware campaigns. In April, the case of WannaCry encrypted and hijacked thousands of computers around the world. People were left standing clueless at the shop counters while the registers were locked and inoperable. An even more serious case was yet to come about a month later. The NotPetya case destroyed the information systems that it infected and this time there was a price tag. A large logistics company said publicly that they lost 300 million dollars in the wake of the attack. What is even more alarming is that this company wasn’t even a target, but got caught in the crossfire and became collateral damage.
In the midst of these insecure times, we found ourselves with many questions around cyber security in manufacturing. Questions like, what is the near-term role of cyber security in this age of rapid development in manufacturing? Is there a risk that cyber security will be bypassed at this speed of change, and all the benefits of the new solutions diluted? Is there a risk that business benefits of the connected world remain untapped from manufacturing companies because of cyber security incidents? What should manufacturing companies prioritize, and how is this seen by decision makers and industry professionals? Do Finnish manufacturing companies’ cyber security professionals feel that they have enough resources, investments, and support from their executives in order to secure the business in the required manner also in the near future?
Above all, what should the focus areas be when planning cyber security roadmaps to ensure that the manufacturing business also runs smoothly in 2021?
To get the answers to these, we decided to study the subject. In addition to taking a dive into the current literature, we also asked experts. We interviewed a panel of cyber security professionals from large and globally operating Finnish manufacturing companies. We used a known future forecasting method called Delphi, inter alia, in order to ensure the necessary anonymity of the panel members. After and in between many iterative interviews, we analysed the answers and we are now confident that we have:
A VIEW OF THE CYBER SECURITY LANDSCAPE IN FINNISH MANUFACTURING IN 2021
Luckily, we also heard good news about the cyber security in manufacturing. Nevertheless, we found that there will be a lot of work ahead in this field to secure the future of the changing manufacturing business alongside the digitalizing society. Everyone is needed and, therefore, we wanted to share these insights with you.
Please enjoy!
Katariina Kannus
Cyber Risk
Deloitte
Tero Mellin
Director, Cyber Risk
Deloitte
January 2018
6|Cyber Secure Manufacturing in 2021
What did they say?
To foresee the future of cyber security in manufacturing, it is crucial to understand its current landscape, decisions, desires, and plans, as these give an indication of the future state. Indications include, for example, how manufacturing companies are currently investing or have plans to start investing, what kind of level of cyber security they have decided to reach, and which of the current trends will also occur in the future.
This section includes a brief introduction to the relevant parts of the current landscape which will, according to this study, impact the future of the cyber security in manufacturing. We then move on to summarizing the panellists’ view of the future of cyber security in manufacturing before discussing the priorities the panellists had in relation to both literature and Cyber Security Framework.
The current landscape
Developed countries and their manufacturing industry today are increasingly dependent on digital networks and their services. In the future, the dependency will only increase. Cyber security is an enabler of digitalization but when managed poorly it can jeopardize all the benefits that digitalization can bring (1).
Cyber security professionals in the manufacturing industry need to make decisions in the constantly changing threat landscape. They are dealing with a plethora of both known threats that require instant reactions as well as less well-known and unpredictable future threats. They have to prepare for the unexpected today while planning for the future at least a couple of years ahead. The lifecycles of technical systems in Operational Technology are measured in decades, rather than in years as in conventional IT. It is essential that cyber security plans are connected and aligned with the company’s strategy, plans, and vision.
In today’s world of constant change, cyber security is not an exception. It is more like a pioneer in regard to change: every hour of every day, attackers are, and will be, using new innovative ways to threaten the manufacturing business by challenging its cyber security. IT systems need to be updated and patched at a very rapid pace to keep up with the vulnerabilities.
Enter the traditional industrial world ‘once a year maintenance break’ approach in the equation to start to see the challenges that the CSO, CISO, and other cyber defenders are faced with. In the very near future, when manufacturing systems are increasingly entering cyberspace, it will be impossible to run the business without first securing it properly. Therefore, careful and fact-based planning of a reasonable use of limited cyber security resources as well as the strategic decision-making around the topic is essential for securing the manufacturing business.
Nowadays, it is highly important that the companies’ cyber security is proactive: after a serious cyber attack, the damage is already done. Reactive improvements are too late if, for example, plants are already at a standstill or sensitive information stolen (2, 3, 4). In addition, the Finnish national cyber security strategy (5) states that preventing cyber security threats needs proactive operations and planning. The new operative environment requires know-how and the ability to react fast and consistently in the right way. To reach proactive cyber security, it is important to know what the priorities will be in the near future, what will not be so important going forward, and what the main objectives of cyber security are.
The manufacturing industry’s business and operating environment is increasingly global. More and more operations and stakeholders are spread all around the world. In the future, the changing global operative environment introduces not only opportunities to grow but also challenges (6, 7, 8). One of the biggest challenges seems to be cyber security management and the contingency planning for the future cyber landscape.
Cyber security does not belong only to the IT department anymore (9, 10, 11, 12). Globally, its importance has been noticed in the corporate boardrooms and the executive interest has been forecasted to rise (12). New technologies in manufacturing environments bring a new kind of cyber threats with them while the attackers find more and more ways to use the known and unknown vulnerabilities of old systems, technologies, and processes.
Forgetting cyber security could be highly expensive to companies. According to the studies (13, 14), an information security breach can cost the victim company 4-73 million dollars on average. The total impact and costs of cyber security problems, e.g. data breaches, are truly complicated and can only be discovered in the long term (15). However, according to our study, it seems that Finnish manufacturing cyber security professionals are well aware of the potential costs of security breaches. It also seems that the Finnish manufacturing company executives are becoming more and more aware of the threats and their costs to the business.
Now, the only question seems to be if the rest of the company, e.g. the middle management and daily operations, are aware enough so that all the benefits of the new technologies, innovations, and newly connected systems are not lost.
“If you move slowly with your cyber security you move backwards in relation”
Definition of cyber security
The panellists were asked to define cyber security (in Finnish: kyberturvallisuus) from their point of view. As expected, the answers differed greatly. However, they can be synthesized into a definition: Cyber Security as a term combines traditional information security and a connected world of information systems to the physical world.
Many experts mentioned that cyber security consists of three elements: processes, people, and technology. It was also highlighted how nowadays the problems in cyber security also extend to the physical world: for example, by attacking complex and critical factory systems, it would actually be possible to threaten human lives. It was also noted that most cyber security activity is well-known and normal information security work and practices which should not be forgotten just because of the new term.
About the future of the cyber security in manufacturing
There is optimism for the future of cyber security in Finnish manufacturing. The panellists saw that work and big steps are needed to manage cyber security but, for example, no one suggested scenarios where Finnish manufacturing would be in some kind of crisis in 2021 because of cyber security problems.
However, the panel shared a view that fast progress is essential to enable valid responses to cyber threats in the future manufacturing environment where:
1. the dependence on networks and information systems will increase rapidly,
2. attacks become smarter and
3. cybercrime becomes even more professional.
Nevertheless, the panel believed that the high education level in Finland as well as the stable operative, political, and geographical environment create a good basis and conditions for strong and viable cyber security. Finnish legislation is also seen as supportive from a cyber security point of view.
Cyber security efforts can never be scaled down. This will still be the case even if the prevalent situation seems good and there are no imminent threats or security events. One of the panellists put it well: If you move slowly with your cyber security [activities] you move backward in relation [to the threat landscape]. In one company, this was noticed in practice when they reached the cyber security level that they had set, just to realize that, in order to stay at that level, it required new maintenance and work. Criminals seem to be always one step ahead and move much faster than the companies as they make bigger investments and, contrary to legitimate business, criminals do not comply with the legislation.
The panel claimed that in 2021 there will still be differences in cyber security levels between companies even inside Finland. However, at the same time, they estimated with confidence that big and well-networked companies will have their cyber security on the right track.
Cyber security cooperation and networking between different companies and authorities is a necessity. The question of whether competing organizations would have the opportunity (or will) to collaborate in cyber security matters emerged in all the interview rounds. In the second round, the panel concluded that it is possible to collaborate, for example, without breaking any competition laws.
Our study shows, however, that cooperation is easier with organizations that are not direct competitors. In addition, another panellist noted that it is easier to collaborate with companies that have a similar culture and are following similar regulations, e.g. regarding ethical competition.
The study indicated that cyber security has strong potential to become an important competitive and differentiating factor in the manufacturing markets. Catching up with the market leader is perhaps not realistic if they have a head start of several years. This would actually help cooperation when the leading company does not need to worry about losing its advantage. One of the panellists summarizes the topic: “Here, in Finland, we are forced to collaborate because the enemies are so powerful”.
Meeting the compliance requirements was clearly among the most important cyber security future goals. Only two of the panellists left it out. It was described as “just mandatory”. None of the panellists chose only surviving as their cyber security objective. It was mentioned that the objective of cyber security could be changing depending on who asks: the executives could have a very different view of it compared to shareholders or cyber security professionals.
For some of the panellists, reaching the same cyber security maturity level as other companies such as competitors was the future goal of their companies’ cyber security. One of them described that the company’s cyber security should be at the level of where “you are not the slowest prey moving”.
One of the most popular future goals was being among the best and gaining competitive advantage by cyber security. This was seen to be reached through clients viewing the company as more trustworthy than its competitors or through the secure industry 4.0. High quality and the certainty to supply were seen as enablers for companies’ trustworthiness. Both of which were mentioned to weaken by poor cyber security management. However, it is not an easy road, and one of the panellists commented that reaching competitive advantage via cyber security is and will be a real challenge in big global companies.
One of the panellists, who selected being among the best as their company objective, pointed out that their CEO is expecting world-class solutions in cyber security. Some panellists said that their company has no need to become the best in cyber security. One comment was, for example, that “of course, being the best would be great but unnecessary for our core business”. Becoming the best in cyber security was selected only by one panellist who said that it is one of their company’s values.
Our study also asked who the manufacturers are comparing their cyber security level with – for example, who are “the leaders” mentioned by the panellists. To some, this was clear and they stated that they are comparing themselves against e.g. their own industry. Some panellists, however, saw critical self-evaluation and comparing against own performance history to be the best metric because comparing directly to other companies did not give them a satisfactory overview.
Figure: The objectives of cyber security. Question posed to the panel: “Which of the following best describes your organisation’s future objectives for cyber security?” Answer options shown in the chart: Only surviving; Becoming the best in cyber security; Avoiding the biggest risks; Being good enough; Reaching the same cyber security maturity level as other companies; Being among the best; Gaining competitive advantage by cyber security; Meeting the compliance requirements.
Cyber security priorities in manufacturing in 2021
Figure 2 shows a summary of the priority topics that, according to this study, manufacturing business and cyber security professionals can start with when planning the direction of future security efforts. Each organization has and will have their unique cyber security background and challenges. However, in many organizations, the priority risks seem to have common root causes.
In Figure 1, the priority topics are divided under the categories of the Deloitte Cyber Security Framework (16). The categories of the framework are Secure, Strategic, Vigilant, and Resilient. As seen in Figure 1, the Internet of Things, digitalization, industry 4.0, and security of industrial automation will be the most important drivers for cyber security in the manufacturing industry in 2021. In addition, identity and access management as well as ensuring availability will most likely be priorities.
Moreover, a group of weakly trending topics was identified. The “possibly important” topics are collected in Figure 1 in relation to all of the Cyber Security Framework categories.
Figure 1. Priorities of cyber security in manufacturing in 2021.
Framework categories shown in the figure: SECURE, VIGILANT, RESILIENT, STRATEGIC.
Framework areas shown in the figure: People & workplace; Data; Identity & access management; Applications; Extended enterprise & infrastructure; Infrastructure; Vulnerability identification; Threat intelligence; Security operations (SOC); Incident management; Business resilience; Cyber security management.
Topic groups shown in the figure:
PRIORITY: Security of industrial automation; Ensuring availability; Identity & access management
Possibly important: Cyber security of third parties; Cloud security; Privacy; Mobile security; Ransom & terrorism; Old industrial automation systems & IT environments
Possibly important: Cyber espionage; Preparing to cyber attacks & recovering from them
Possibly important: Advanced Persistent Threats (APT); Insider threats; Frauds; Zero-day vulnerabilities; Cyber security automation & analytics
PRIORITY: Internet of Things (IoT); Digitalization and industry 4.0
Possibly important: Compliance & changes in laws & regulations; Cyber security culture
As visible in Figure 1, the priority topics fall under Secure and Strategic categories of the Cyber Security Framework. However, there were also possibly important topics, which were considered important by both the panel and in the literature, under the Vigilant and Resilient categories. A good example of those was increasing use of cyber security analytics and automation.
In this study, less important cyber security related topics, on which the manufacturing industry will not focus so much in the future, were also identified. Those were the commitment of companies’ executives, reputation risk management, challenges in the cooperation with authorities, and measuring cyber security. The panel considered many of these to be in order in 2021 and, therefore, the work and costs related to them will mainly come from maintenance. Therefore, the panel said that manufacturing in 2021 will mainly be allocating resources and investing in other cyber security topics.
In the literature review, there were a couple of topics from the Strategic category that were not mentioned by the panel at all, or were considered less important. For instance, a lack of cyber security professionals and young employees’ commitment to a cyber-secure culture were mentioned as serious threats in the literature. The panel, on the other hand, was not very concerned about these, which reflects the positive attitude of panellists toward the future of cyber security.
It has also been emphasized in the literature for quite some time that senior management needs to be committed to cyber security and endorse its importance. This study indicates that this has become self-evident in the Finnish manufacturing organizations, as the panel considered executives’ low commitment will no longer be one of the priority risks in their organizations in 2021.
Compared to the findings in the literature, the panel did not seem to experience special pressure on increasing real-time requirements. Even as the panellists admitted that the business may unintentionally forget cyber security when in a hurry, they seemed to trust that employees don’t want to violate cyber security on purpose if the secure habits and actions are made easy enough to follow.
One of the intriguing topics of the Resilient category is cyber espionage. None of the panellists prioritized it as important or less important, while in the literature and media it was considered an important topic especially for manufacturing (1, 2, 17, 18, 19, 20, 21, 22).
“All the steps have to be taken to become resilient against incidents in cyber security; there are no shortcuts.”
Conclusions
So far, the main decisions regarding cyber security seem to be mainly on the strategic level, and have not been fully implemented to a company-wide operational level. This study indicates that in 2021 it can still be a huge risk to manufacturing not to implement cyber security solutions simultaneously with newly connected systems.
Besides new solutions in manufacturing, ensuring the availability of manufacturing systems as well as the integrity of control data was also identified as a future priority. These are not new priorities for manufacturing, but rather become even more important and challenging in the coming years as formerly closed manufacturing environments will increasingly be connected to open networks. This increases the possibility of an outsider to disrupt the system. Traditionally, cyber security has been seen as defence against leaking data and responding quickly to detected attacks. In the future, ensuring that systems and environments are proactively secured is vital for the business as even a short downtime in manufacturing can become extremely expensive.
An interesting finding was also that the panel ranked identity and access management among the most important topics but, by contrast, no one selected identity theft as an important topic. It was mentioned a couple of times during the interviews and there are also references in the literature to this as a problem especially for the manufacturing industry (23). One of the panellists even ranked it as a less important topic for the Finnish manufacturing in 2021.
For the view noted hereinabove there could be many reasons. First, identity theft is probably considered easier to solve than the whole identity and access management. According to the panel, identity and access management will also be progressively related to third party management when in 2021 companies will have their own employees’ identities managed but, for example, the identities for the external partners, meaning, vendors, suppliers, and customers will need even more attention from the cyber security point of view. The literature as well as the panel reminded everyone that as industry 4.0 with cyber physical systems, smart factories, and IoT will soon be part of the everyday life, in manufacturing it means that systems, industrial machines, hardware, software, or even a coffee maker or a light bulb will also need their own identities.
In some topics, there was inconsistency between the answers during the interviews and the answers for the prioritization of the topics. For example, only one of the panellists named cyber security culture and employee awareness as a priority in 2021. However, during the other parts of the Delphi interviews many of the panellists talked about cyber security culture related improvements and investments which their company is making within the next five years.
This contradiction indicates that cyber security culture will most likely be a more important topic in the future than how the panel prioritized it. As a whole, the panellists indicated that their company’s investment in cyber security will either grow during the next 5 years or remain at the current level. The latter was indicated in cases where it had grown substantially during recent years.
Figure 2. Top priorities of cyber security in Finnish manufacturing in 2021.
Topics shown in the figure: IoT & digitalization; Security of industrial automation; 3rd parties’ cyber security management; Identity & access management; Implementation of the organization-wide approach & vision; Ensuring availability; Usability vs. information security.
And here’s what we say
According to the study, cyber security will still be an important topic within Finnish manufacturing in 2021 as industrial systems, products, and environments are increasingly complex, Internet-enabled and interconnected. In 2021, the field of cyber security will continue to be ever-evolving and new threats will continue to appear on an, at least, daily basis. Many Finnish manufacturing companies are leaders in innovative, new connected technologies, and creators and early adapters of solutions that help business succeed. Cyber security will be indispensable not only for earning client trust but also in keeping the critical infrastructure, people, and business running.
At the same time, boards and senior management have an increasingly important role in providing oversight of cyber security strategy execution, monitoring the manufacturing companies’ cyber security posture, and being prepared to respond to investor, client, analyst, and regulator questions about the actions taken on cyber security.
The study indicates that in the 2020s there will still be a risk that manufacturing companies will see cyber security only as a cost and not as an opportunity or as a business enabler. Managing cyber security risks keeps companies out of trouble. However, cyber risk management techniques can also be used in positioning for success. Operatively thinking: How to leverage risk to power performance? Therefore, in the near future, it is crucial that manufacturing companies view cyber risks through a different lens. Instead of thinking of the risks only in terms of the number of attacks or the actual value that could be lost, they should consider how better cyber risk management would allow them to reach more customers, maintain better relationships, or manufacture more products.
It is vital that manufacturing companies continue to invest in cyber security capabilities strategically. Investments need to be continuous not only because threats keep on evolving, but also to keep the competitors behind. By focusing on the right areas, manufacturing companies can become resilient organizations that can quickly and proactively respond to new threats and attacks, while remaining flexible to meet today’s market needs.
The impact of manufacturing industry cyber security problems will not only be very costly to the business but also increasingly visible in the physical world. For example, cyber attacks may threaten people’s health, or suddenly stop whole factories around the world. Cases like NotPetya in 2017 showed us that even a single incident can take up a lot of skilled cyber security resources to help large organizations recover.
If the impact is truly global and takes down multiple large enterprises at the same time, there simply is not enough help available. ISACA predicts that there is a lack of more than two million cyber security specialists globally already today (24). Therefore, in the 2020s, cyber security cannot be addressed separately from the business and operations.
Cyber security in manufacturing is and will be a topic that has to be in place to enable the digital society to run smoothly. The first truly clever and disruptive uses of AI in cyber security will probably be done by nation state hackers or organized criminal groups with healthy budgets and resources.
This study strongly indicates that now is the time for manufacturing companies to make sure that they will include and implement security not only in their newly connected solutions but also in their daily business, operations, environment, and culture. It will only be possible for companies to focus on the necessary cyber security priorities that will keep manufacturing secure and safe in business in 2021 and beyond if addressing the risks proactively.
References
1. M. Lehto, J. Limnéll, E. Innola, J. Pöyhönen, T. Rusi, and M. Salminen, Suomen kyberturvallisuuden nykytila, tavoitetila ja tarvittavat toimenpiteet tavoitetilan saavuttamiseksi, Valtionneuvoston kanslia sivistys- ja tutkimustoiminta, 2017
2. Verizon 2017 Data Breach Investigations Report, Verizon, 2017
3. Verizon 2016 Data Breach Investigations Report, Verizon, 2016
4. Renault stops production at some sites after cyber attack, Daily Mail, Mail Online, 2017, http://www.dailymail.co.uk/wires/reuters/article-4502266/Renault-stops-production-sites-cyber-attack.html.
5. Suomen kyberturvallisuusstrategia ja taustamuistio (Finnish Cyber Security Strategy), Turvallisuuskomitea (Finnish Safety Committee), 2013
6. Industry 4.0: An Introduction, Deloitte, 2015
7. J. Paasi and N. Wessberg, Menestyvää liiketoimintaa suomalaisissa valmistavan teollisuuden yrityksissä 2020-luvulla – Neljä skenaariota, VTT, 2016
8. Pictures of the Future, Siemens, 2016, https://www.siemens.com/innovation/en/home/pictures-of-the-future.html.
9. Threat Horizon 2019: Disruption. Distortion. Deterioration., Information Security Forum, 2017
10. AT&T Cybersecurity Insights: What Every CEO Needs to Know About Cybersecurity - Decoding the Adversary, AT&T, 2015
11. Tech Trends 2017: The kinetic enterprise, Deloitte University, 2017
12. EMEA 360 Boardroom Survey, Deloitte, 2016
13. Cost of Data Breach Study, IBM Security: Ponemon Institute, 2016
14. 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute, 2016
15. E. Mossburg, H. Calzada, and J. Gelinne, Beneath the surface of a cyber attack: A deeper look at business impacts, Deloitte, 2016
16. Deloitte Cybersecurity Framework, 2017
17. ENISA Threat Landscape 2016, ENISA, 2017
18. ENISA Threat Landscape 2015, ENISA, 2016
19. Kaspersky Security Bulletin: Predictions for 2017 ‘Indicators of Compromise’ are Dead, Kaspersky Lab, 2016
20. B. Gertz, China cyber espionage continues, The Washington Times, 2016, http://www.washingtontimes.com/news/2016/sep/28/china-cyber-espionage-continues/.
21. 2016 Manufacturing Report, Sikich, 2016
22. Yearbook 2016: National security is a joint effort, the Finnish Security Intelligence Service, 2017
23. 2017 Internet Security Threat Report, Symantec, 2017, https://www.symantec.com/security-center/threat-report.
24. ISACA: Cyber Security Skills Gap, 2016. https://image-store.slidesharecdn.com/be4eaf1a-eea6-4b97-b36e-b62dfc8dcbae-original.jpeg
Contact us
Tero Mellin
Director, Cyber Risk
Deloitte
+358(0)[email protected]
Katariina Kannus
Cyber Risk
Deloitte
+358(0)[email protected]
This report is based on a study completed in the first quarter of 2017. The study was conducted in cooperation with Tampere University of Technology.
https://dspace.cc.tut.fi/dpub/bitstream/handle/123456789/24932/Kannus.pdf?sequence=3&isAllowed=y
www.deloitte.fi
©2018 Deloitte Oy, Group of Companies
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
In Finland, Deloitte Oy is the Finnish affiliate of Deloitte NWE LLP, a member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), and services are provided by Deloitte Oy and its subsidiaries. For more information, please visit www.deloitte.fi
This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.