Predicting the future of Cyber Security in Finnish Manufacturing

Cyber Secure Manufacturing in 2021

Cyber Secure Manufacturing in 2021 - Deloitte United States · Tero Mellin Director, Cyber Risk Deloitte January 2018. ... are too late if, for example, plants are already at a standstill

Mar 14, 2020


Contents

Research setting and method

Introduction

What did they say?

The current landscape

Definition of cyber security

About the future of the cyber security in manufacturing

Cyber security priorities in manufacturing in 2021

Conclusions

And here’s what we say

Contact us

References


Research setting and method

The study was conducted in three phases.

Phase 1: Preparation

Carrying out the literature review, arranging a preparation workshop for 14 cyber security experts, and selecting the professionals for the Delphi panel. The selection of the professionals to the panel was based on the quality of their expertise and diversity of their backgrounds. Therefore, the panel as a group was able to offer a broad view of the future of cyber security in the industry.

Panellist background: The panellists were from different large Finnish manufacturing companies operating globally, many of which had a turnover of over half a billion euros in 2015. Half of the panellists had at least ten years of experience in cyber security, and most of them had over seven years of experience in their current security role. Even the professionals with fewer years of direct cyber security experience still had a lengthy, even decades’ long, career in IT where information and cyber security had been part of their daily work.

Phase 2 and 3: Two one-on-one interviews

The purpose of the first interview round was to introduce the topic to the panel. The first propositions from the preparation phase were also tested, and statements and topics for the next round identified. The most popular views of the future of cyber security in manufacturing were identified after the first interviews.

The next interview round was designed based on the findings of the first round. In the second round, the panellists were presented with more specific topics raised from the first round, and they argued for and against not only their own but also others’ opinions and statements.


Introduction

Manufacturing is rapidly entering the 4th industrial revolution where the old, complex and formerly closed environments, solutions and systems meet new, connected and more open ones. This offers immense possibilities for the manufacturing industry, and every manufacturing company should harvest the benefits of these innovative solutions to power performance and make their business more successful.

Already today, the network connections from the industrial systems at the “floor level” are rapidly increasing. Every manufacturer of an industrial component or sensor wants to collect all the possible data from their own systems. In a large industrial process, there are dozens of these manufacturers. Each connection to the outside world exposes the systems to cyber risks. In the near future, we will probably see the implementation of 5G mobile networks into each of these sensors. Industrial IoT will not ask users for permission to connect to the Internet; it will be there by default.

The year 2017 saw two large malware campaigns. In April, the case of WannaCry encrypted and hijacked thousands of computers around the world. People were left standing clueless at the shop counters while the registers were locked and inoperable. An even more serious case was yet to come about a month later. The NotPetya case destroyed the information systems that it infected and this time there was a price tag. A large logistics company said publicly that they lost 300 million dollars in the wake of the attack. What is even more alarming is that this company wasn’t even a target, but got caught in the crossfire and became collateral damage.

In the midst of these insecure times, we found ourselves with many questions around cyber security in manufacturing. Questions like, what is the near-term role of cyber security in this age of rapid development in manufacturing? Is there a risk that cyber security will be bypassed at this speed of change, and all the benefits of the new solutions diluted? Is there a risk that business benefits of the connected world remain untapped from manufacturing companies because of cyber security incidents? What should manufacturing companies prioritize, and how is this seen by decision makers and industry professionals? Do Finnish manufacturing companies’ cyber security professionals feel that they have enough resources, investments, and support from their executives in order to secure the business in the required manner also in the near future?

Above all, what should the focus areas be when planning cyber security roadmaps to ensure that the manufacturing business also runs smoothly in 2021?

To get the answers to these, we decided to study the subject. In addition to taking a dive into the current literature, we also asked experts. We interviewed a panel of cyber security professionals from large and globally operating Finnish manufacturing companies. We used a known future forecasting method called Delphi, inter alia, in order to ensure the necessary anonymity of the panel members. After and in between many iterative interviews, we analysed the answers and we are now confident that we have:

A VIEW OF THE CYBER SECURITY LANDSCAPE IN FINNISH MANUFACTURING IN 2021

Luckily, we also heard good news about the cyber security in manufacturing. Nevertheless, we found that there will be a lot of work ahead in this field to secure the future of the changing manufacturing business alongside the digitalizing society. Everyone is needed and, therefore, we wanted to share these insights with you.

Please enjoy!

Katariina Kannus, Cyber Risk, Deloitte

Tero Mellin, Director, Cyber Risk, Deloitte

January 2018


What did they say?

To foresee the future of cyber security in manufacturing, it is crucial to understand its current landscape, decisions, desires, and plans, as these give an indication of the future state. Indications include, for example, how manufacturing companies are currently investing or have plans to start investing, what kind of level of cyber security they have decided to reach, and which of the current trends will also occur in the future. This section includes a brief introduction to the relevant parts of the current landscape which will, according to this study, impact the future of the cyber security in manufacturing. We then move on to summarizing the panellists’ view of the future of cyber security in manufacturing before discussing the priorities the panellists had in relation to both literature and Cyber Security Framework.

The current landscape

Developed countries and their manufacturing industry today are increasingly dependent on digital networks and their services. In the future, the dependency will only increase. Cyber security is an enabler of digitalization but when managed poorly it can jeopardize all the benefits that digitalization can bring (1).

Cyber security professionals in the manufacturing industry need to make decisions in the constantly changing threat landscape. They are dealing with a plethora of both known threats that require instant reactions as well as less well-known and unpredictable future threats. They have to prepare for the unexpected today while planning for the future at least a couple of years ahead. The life cycles of technical systems in Operational Technology are measured in decades rather than in years as in conventional IT. It is essential that cyber security plans are connected and aligned with the company’s strategy, plans, and vision.

In today’s world of constant change, cyber security is not an exception. It is more like a pioneer in regard to change: every hour of every day, attackers are, and will be, using new innovative ways to threaten the manufacturing business by challenging its cyber security. IT systems need to be updated and patched at a very rapid pace to keep up with the vulnerabilities.

Enter the traditional industrial world’s ‘once a year maintenance break’ approach into the equation to start to see the challenges that the CSO, CISO, and other cyber defenders are faced with. In the very near future, when manufacturing systems are increasingly entering cyberspace, it will be impossible to run the business without first securing it properly. Therefore, careful and fact-based planning of a reasonable use of limited cyber security resources as well as the strategic decision-making around the topic is essential for securing the manufacturing business.

Nowadays, it is highly important that the companies’ cyber security is proactive: after a serious cyber attack, the damage is already done. Reactive improvements are too late if, for example, plants are already at a standstill or sensitive information stolen (2, 3, 4). In addition, the Finnish national cyber security strategy (5) states that preventing cyber security threats needs proactive operations and planning. The new operative environment requires know-how and the ability to react fast and consistently in the right way. To reach proactive cyber security, it is important to know what the priorities will be in the near future, what will not be so important going forward, and what the main objectives of cyber security are.

The manufacturing industry’s business and operating environment is increasingly global. More and more operations and stakeholders are spread all around the world. In the future, the changing global operative environment introduces not only opportunities to grow but also challenges (6, 7, 8). One of the biggest challenges seems to be cyber security management and the contingency planning for the future cyber landscape.

Cyber security does not belong only to the IT department anymore (9, 10, 11, 12). Globally, its importance has been noticed in the corporate boardrooms and the executive interest has been forecasted to rise (12). New technologies in manufacturing environments bring a new kind of cyber threats with them while the attackers find more and more ways to use the known and unknown vulnerabilities of old systems, technologies, and processes.

Forgetting cyber security could be highly expensive to companies. According to the studies (13, 14), an information security breach can cost the victim company 4-73 million dollars on average. The total impact and costs of cyber security problems, e.g. data breaches, are truly complicated and can only be discovered in the long term (15). However, according to our study, it seems that Finnish manufacturing cyber security professionals are well aware of the potential costs of security breaches. It also seems that the Finnish manufacturing company executives are becoming more and more aware of the threats and their costs to the business.

Now, the only question seems to be if the rest of the company, e.g. the middle management and daily operations, are aware enough so that all the benefits of the new technologies, innovations, and newly connected systems are not lost.


“If you move slowly with your cyber security you move backwards in relation”

Definition of cyber security

The panellists were asked to define cyber security (in Finnish: kyberturvallisuus) from their point of view. As expected, the answers differed greatly. However, they can be synthesized into a definition: Cyber Security as a term combines traditional information security and a connected world of information systems to the physical world.

Many experts mentioned that cyber security consists of three elements: processes, people, and technology. It was also highlighted how nowadays the problems in cyber security also extend to the physical world: for example, by attacking complex and critical factory systems, it would actually be possible to threaten human lives. It was also noted that most cyber security activity is well-known and normal information security work and practices which should not be forgotten just because of the new term.

About the future of the cyber security in manufacturing

There is optimism for the future of cyber security in Finnish manufacturing. The panellists saw that work and big steps are needed to manage cyber security but, for example, no one suggested scenarios where Finnish manufacturing would be in some kind of crisis in 2021 because of cyber security problems.

However, the panel shared a view that fast progress is essential to enable valid responses to cyber threats in the future manufacturing environment where:

1. The dependence on networks and information systems will increase rapidly,

2. attacks become smarter and

3. cybercrime becomes even more professional.

Nevertheless, the panel believed that the high education level in Finland as well as the stable operative, political, and geographical environment create a good basis and conditions for strong and viable cyber security. Finnish legislation is also seen as supportive from a cyber security point of view.


Cyber security efforts can never be scaled down. This will still be the case even if the prevalent situation seems good and there are no imminent threats or security events. One of the panellists put it well: If you move slowly with your cyber security [activities] you move backward in relation [to the threat landscape]. In one company, this was noticed in practice when they reached the cyber security level that they had set, just to realize that, in order to stay at that level, it required new maintenance and work. Criminals seem to be always one step ahead and move much faster than the companies as they make bigger investments and, contrary to legitimate business, criminals do not comply with the legislation.

The panel claimed that in 2021 there will still be differences in cyber security levels between companies even inside Finland. However, at the same time, they estimated with confidence that big and well-networked companies will have their cyber security on the right track.

Cyber security cooperation and networking between different companies and authorities is a necessity. The question of whether competing organizations would have the opportunity (or will) to collaborate in cyber security matters emerged in all the interview rounds. In the second round, the panel concluded that it is possible to collaborate, for example, without breaking any competition laws.

Our study shows, however, that cooperation is easier with organizations that are not direct competitors. In addition, another panellist noted that it is easier to collaborate with companies that have a similar culture and are following similar regulations, e.g. regarding ethical competition.

The study indicated that cyber security has strong potential to become an important competitive and differentiating factor in the manufacturing markets. Catching up with the market leader is perhaps not realistic if they have a head start of several years. This would actually help cooperation when the leading company does not need to worry about losing its advantage. One of the panellists summarizes the topic: “Here, in Finland, we are forced to collaborate because the enemies are so powerful”.


Meeting the compliance requirements was clearly among the most important cyber security future goals. Only two of the panellists left it out. It was described as “just mandatory”. None of the panellists chose only surviving as their cyber security objective. It was mentioned that the objective of cyber security could be changing depending on who asks: the executives could have a very different view of it compared to shareholders or cyber security professionals.

For some of the panellists, reaching the same cyber security maturity level as other companies such as competitors was the future goal of their companies’ cyber security. One of them described that the company’s cyber security should be at the level of where “you are not the slowest prey moving”.

One of the most popular future goals was being among the best and gaining competitive advantage by cyber security. This was seen to be reached through clients viewing the company as more trustworthy than its competitors or through the secure industry 4.0. High quality and the certainty to supply were seen as enablers for companies’ trustworthiness. Both were mentioned as being weakened by poor cyber security management. However, it is not an easy road, and one of the panellists commented that reaching competitive advantage via cyber security is and will be a real challenge in big global companies.

One of the panellists, who selected being among the best as their company objective, pointed out that their CEO is expecting world-class solutions in cyber security. Some panellists said that their company has no need to become the best in cyber security. One comment was, for example, that “of course, being the best would be great but unnecessary for our core business”. Becoming the best in cyber security was selected only by one panellist who said that it is one of their company’s values.

Our study also asked who the manufacturers are comparing their cyber security level with – for example, who are “the leaders” mentioned by the panellists. To some, this was clear and they stated that they are comparing themselves against e.g. their own industry. Some panellists, however, saw critical self-evaluation and comparing against own performance history to be the best metric because comparing directly to other companies did not give them a satisfactory overview.

The objectives of cyber security

[Chart: “Which of the following best describes your organisation’s future objectives for cyber security?” Answer options shown: Only surviving; Becoming the best in cyber security; Avoiding the biggest risks; Being good enough; Reaching the same cyber security maturity level as other companies; Being among the best; Gaining competitive advantage by cyber security; Meeting the compliance requirements.]


Cyber security priorities in manufacturing in 2021

Figure 2 shows a summary of the priority topics that, according to this study, manufacturing business and cyber security professionals can start with when planning the direction of future security efforts. Each organization has and will have their unique cyber security background and challenges. However, in many organizations, the priority risks seem to have common root causes.

In Figure 1, the priority topics are divided under the categories of the Deloitte Cyber Security Framework (16). The categories of the framework are Secure, Strategic, Vigilant, and Resilient. As seen in Figure 1, the Internet of Things, digitalization, industry 4.0, and security of industrial automation will be the most important drivers for cyber security in the manufacturing industry in 2021. In addition, identity and access management as well as ensuring availability will most likely be priorities.

Moreover, a group of weakly trending topics was identified. The “possibly important” topics are collected in Figure 1 in relation to all of the Cyber Security Framework categories.

Figure 1. Priorities of cyber security in manufacturing in 2021.

[Figure 1 places the topics under the four Cyber Security Framework categories: Secure, Vigilant, Resilient, and Strategic. Framework areas shown: People & workplace; Data; Identity & access management; Applications; Extended enterprise & infrastructure; Infrastructure; Vulnerability identification; Threat intelligence; Security operations (SOC); Incident management; Business resilience; Cyber security management.]

Secure. Priority: Security of industrial automation; Ensuring availability; Identity & access management. Possibly important: Cyber security of third parties; Cloud security; Privacy; Mobile security; Ransom & terrorism; Old industrial automation systems & IT environments.

Vigilant. Possibly important: Advanced Persistent Threats (APT); Insider threats; Frauds; Zero-day vulnerabilities; Cyber security automation & analytics.

Resilient. Possibly important: Cyber espionage; Preparing for cyber attacks & recovering from them.

Strategic. Priority: Internet of Things (IoT); Digitalization and industry 4.0. Possibly important: Compliance & changes in laws & regulations; Cyber security culture.


As visible in Figure 1, the priority topics fall under Secure and Strategic categories of the Cyber Security Framework. However, there were also possibly important topics, which were considered important by both the panel and in the literature, under the Vigilant and Resilient categories. A good example of those was increasing use of cyber security analytics and automation.

In this study, less important cyber security related topics, on which the manufacturing industry will not focus so much in the future, were also identified. Those were the commitment of companies’ executives, reputation risk management, challenges in the cooperation with authorities, and measuring cyber security. The panel considered many of these to be in order in 2021 and, therefore, the work and costs related to them will mainly come from maintenance. Therefore, the panel said that manufacturing in 2021 will mainly be allocating resources and investing in other cyber security topics.

In the literature review, there were a couple of topics from the Strategic category that were not mentioned by the panel at all, or were considered less important. For instance, a lack of cyber security professionals and young employees’ commitment to a cyber-secure culture were mentioned as serious threats in the literature. The panel, on the other hand, was not very concerned about these, which reflects the positive attitude of panellists toward the future of cyber security.

It has also been emphasized in the literature for quite some time that senior management needs to be committed to cyber security and endorse its importance. This study indicates that this has become self-evident in the Finnish manufacturing organizations, as the panel considered that executives’ low commitment will no longer be one of the priority risks in their organizations in 2021.

Compared to the findings in the literature, the panel did not seem to experience special pressure on increasing real-time requirements. Even as the panellists admitted that the business may unintentionally forget cyber security when in a hurry, they seemed to trust that employees don’t want to violate cyber security on purpose if the secure habits and actions are made easy enough to follow.

One of the intriguing topics of the Resilient category is cyber espionage. None of the panellists prioritized it as important or less important, while in the literature and media it was considered an important topic especially for manufacturing (1, 2, 17, 18, 19, 20, 21, 22).

“All the steps have to be taken to become resilient against incidents in cyber security; there are no shortcuts.”


Conclusions

So far, the main decisions regarding cyber security seem to be mainly on the strategic level, and have not been fully implemented to a company-wide operational level. This study indicates that in 2021 it can still be a huge risk to manufacturing not to implement cyber security solutions simultaneously with newly connected systems.

Besides new solutions in manufacturing, ensuring the availability of manufacturing systems as well as the integrity of control data was also identified as a future priority. These are not new priorities for manufacturing, but rather become even more important and challenging in the coming years as formerly closed manufacturing environments will increasingly be connected to open networks. This increases the possibility of an outsider disrupting the system. Traditionally, cyber security has been seen as defence against leaking data and responding quickly to detected attacks. In the future, ensuring that systems and environments are proactively secured is vital for the business as even a short downtime in manufacturing can become extremely expensive.

An interesting finding was also that the panel ranked identity and access management among the most important topics but, by contrast, no one selected identity theft as an important topic. It was mentioned a couple of times during the interviews and there are also references in the literature to this as a problem especially for the manufacturing industry (23). One of the panellists even ranked it as a less important topic for the Finnish manufacturing in 2021.

There could be many reasons for this view. First, identity theft is probably considered easier to solve than the whole identity and access management. According to the panel, identity and access management will also be progressively related to third party management when in 2021 companies will have their own employees’ identities managed but, for example, the identities for the external partners, meaning vendors, suppliers, and customers, will need even more attention from the cyber security point of view. The literature as well as the panel reminded everyone that as industry 4.0 with cyber physical systems, smart factories, and IoT will soon be part of the everyday life, in manufacturing it means that systems, industrial machines, hardware, software, or even a coffee maker or a light bulb will also need their own identities.


In some topics, there was inconsistency between the answers during the interviews and the answers for the prioritization of the topics. For example, only one of the panellists named cyber security culture and employee awareness as a priority in 2021. However, during the other parts of the Delphi interviews many of the panellists talked about cyber security culture related improvements and investments which their company is making within the next five years. This contradiction indicates that cyber security culture will most likely be a more important topic in the future than how the panel prioritized it. As a whole, the panellists indicated that their company’s investment in cyber security will either grow during the next 5 years or remain at the current level. The latter was indicated in cases where it had grown substantially during recent years.

Figure 2. Top priorities of cyber security in Finnish manufacturing in 2021.

[Figure 2 shows the following topics: IoT & digitalization; Security of industrial automation; 3rd parties’ cyber security management; Identity & access management; Implementation of the organization-wide approach & vision; Ensuring availability; Usability vs. information security.]


And here’s what we say

According to the study, cyber security will still be an important topic within Finnish manufacturing in 2021 as industrial systems, products, and environments are increasingly complex, Internet-enabled and interconnected. In 2021, the field of cyber security will continue to be ever-evolving and new threats will continue to appear on an, at least, daily basis. Many Finnish manufacturing companies are leaders in innovative, new connected technologies, and creators and early adopters of solutions that help business succeed. Cyber security will be indispensable not only for earning client trust but also in keeping the critical infrastructure, people, and business running.

At the same time, boards and senior management have an increasingly important role in providing oversight of cyber security strategy execution, monitoring the manufacturing companies’ cyber security posture, and being prepared to respond to investor, client, analyst, and regulator questions about the actions taken on cyber security.

The study indicates that in the 2020s there will still be a risk that manufacturing companies will see cyber security only as a cost and not as an opportunity or as a business enabler. Managing cyber security risks keeps companies out of trouble. However, cyber risk management techniques can also be used in positioning for success. Operatively thinking: How to leverage risk to power performance? Therefore, in the near future, it is crucial that manufacturing companies view cyber risks through a different lens. Instead of thinking of the risks only in terms of the number of attacks or the actual value that could be lost, they should consider how better cyber risk management would allow them to reach more customers, maintain better relationships, or manufacture more products.

It is vital that manufacturing companies continue to invest in cyber security capabilities strategically. Investments need to be continuous not only because threats keep on evolving, but also to keep the competitors behind. By focusing on the right areas, manufacturing companies can become resilient organizations that can quickly and proactively respond to new threats and attacks, while remaining flexible to meet today’s market needs.


The impact of manufacturing industry cyber security problems will not only be very costly to the business but also increasingly visible in the physical world. For example, cyber attacks may threaten people’s health, or suddenly stop whole factories around the world. Cases like NotPetya in 2017 showed us that even a single incident can take up a lot of skilled cyber security resources to help large organizations recover.

If the impact is truly global and takes down multiple large enterprises at the same time, there simply is not enough help available. ISACA predicts that there is a lack of more than two million cyber security specialists globally already today (24). Therefore, in the 2020s, cyber security cannot be addressed separately from the business and operations.

Cyber security in manufacturing is and will be a topic that has to be in place to enable the digital society to run smoothly. The first truly clever and disruptive uses of AI in cyber security will probably be done by nation state hackers or organized criminal groups with healthy budgets and resources.

This study strongly indicates that now is the time for manufacturing companies to make sure that they will include and implement security not only in their newly connected solutions but also in their daily business, operations, environment, and culture. It will only be possible for companies to focus on the necessary cyber security priorities that will keep manufacturing secure and safe in business in 2021 and beyond if they address the risks proactively.


References

1. M. Lehto, J. Limnéll, E. Innola, J. Pöyhönen, T. Rusi, and M. Salminen, Suomen kyberturvallisuuden nykytila, tavoitetila ja tarvittavat toimenpiteet tavoitetilan saavuttamiseksi, Valtionneuvoston kanslia sivistys- ja tutkimustoiminta, 2017

2. Verizon 2017 Data Breach Investigations Report, Verizon, 2017

3. Verizon 2016 Data Breach Investigations Report, Verizon, 2016

4. Renault stops production at some sites after cyber attack, Daily Mail, Mail Online, 2017, http://www.dailymail.co.uk/wires/reuters/article-4502266/Renault-stops-production-sites-cyber-attack.html.

5. Suomen kyberturvallisuusstrategia ja taustamuistio (Finnish Cyber Security Strategy), Turvallisuuskomitea (Finnish Safety Committee), 2013

6. Industry 4.0: An Introduction, Deloitte, 2015

7. J. Paasi and N. Wessberg, Menestyvää liiketoimintaa suomalaisissa valmistavan teollisuuden yrityksissä 2020-luvulla – Neljä skenaariota, VTT, 2016

8. Pictures of the Future, Siemens, 2016, https://www.siemens.com/innovation/en/home/pictures-of-the-future.html.

9. Threat Horizon 2019: Disruption. Distortion. Deterioration., Information Security Forum, 2017

10. AT&T Cybersecurity Insights: What Every CEO Needs to Know About Cybersecurity - Decoding the Adversary, AT&T, 2015

11. Tech Trends 2017: The kinetic enterprise, Deloitte University, 2017

12. EMEA 360 Boardroom Survey, Deloitte, 2016

13. Cost of Data Breach Study, IBM Security: Ponemon Institute, 2016

14. 2016 Cost of Data Breach Study: Global Analysis, Ponemon Institute, 2016

15. E. Mossburg, H. Calzada, and J. Gelinne, Beneath the surface of a cyberattack: A deeper look at business impacts, Deloitte, 2016

16. Deloitte Cybersecurity Framework, 2017

17. ENISA Threat Landscape 2016, ENISA, 2017

18. ENISA Threat Landscape 2015, ENISA, 2016

19. Kaspersky Security Bulletin: Predictions for 2017 ‘Indicators of Compromise’ are Dead, Kaspersky Lab, 2016

20. B. Gertz, China cyber espionage continues, The Washington Times, 2016, http://www.washingtontimes.com/news/2016/sep/28/china-cyber-espionage-continues/.

21. 2016 Manufacturing Report, Sikich, 2016

22. Yearbook 2016: National security is a joint effort, the Finnish Security Intelligence Service, 2017

23. 2017 Internet Security Threat Report, Symantec, 2017, https://www.symantec.com/security-center/threat-report.

24. ISACA: Cyber Security Skills Gap, 2016. https://image-store.slidesharecdn.com/be4eaf1a-eea6-4b97-b36e-b62dfc8dcbae-original.jpeg

Contact us

Tero Mellin, Director, Cyber Risk, Deloitte

+358(0)[email protected]

Katariina Kannus, Cyber Risk, Deloitte

+358(0)[email protected]

This report is based on a study completed in the first quarter of 2017. The study was conducted in cooperation with Tampere University of Technology.

https://dspace.cc.tut.fi/dpub/bitstream/handle/123456789/24932/Kannus.pdf?sequence=3&isAllowed=y


www.deloitte.fi © 2018 Deloitte Oy, Group of Companies
