In somewhat more mature stages, smart manufacturing is an ecosystem play, connecting various stakeholders on levels of processes, business models, and technologies.
Moreover, the technologies enabling streamlining processes, data-sharing, and developing digital business models in smart industry are all about connecting what needs to be connected. It’s about building digital bridges on all levels: from the essential layers of architecture and digitization up to the pillars of the digital transformation strategy.
In manufacturing – and the smart factory – this degree of interconnectedness goes even further with the integration of operational technology (OT) and information technology (IT).
Factory security in the age of IIoT and expanding attack surfaces
The benefits of digital transformation make manufacturers want to invest heavily in smart factories, but efforts could be undone in the blink of an eye if cybersecurity is not baked-in from the offset (Geert van der Linden, Cybersecurity Business Lead at Capgemini)
Yet, in such an environment, cyber risks increase as well and smart factory security is hard to realize without a mature strategy that looks at all elements from the very start. With ever more IoT technology, connected devices, and smart sensors, the attack surface and digital footprint expand, whereby attack surface management and third-party cyber risk management become more important in a smart factory security context.
As a matter of fact, third-party risk management becomes more critical in the context of smart factories and smart manufacturing overall, beyond the ‘cyber’ and ‘digital’ dimensions. Think about sustainability and ESG, for instance. And about supply chain disruptions and ample other risks that arise once you start working in increasingly connected ways, leveraging the power of ecosystems.
Last but not least, the highly connected environments which smart factories are, bring us to the challenges of hardware and software supply chain risks in a complex IT and OT integration environment whereby smart factory security can’t be an afterthought.
It’s not a secret that there is still much work regarding cybersecurity in smart factories and OT cybersecurity. And it’s definitely not a secret that cyber attacks have been on the rise in industrial markets.
The disconnect between smart factory security awareness and preparedness
In a smart factory security context, the outlook regarding cyber attacks isn’t too rosy either. According to a report by Capgemini Research Institute (PDF), little over half (51 percent) of industrial organizations believe that cyberattacks on smart factories will likely increase in the next twelve months.
More importantly, 47 percent of manufacturers said cybersecurity in their smart factories is not a C-level concern today. And that seems a major problem, especially since only some manufacturers have mature practices concerning “the critical pillars of cybersecurity” per the Capgemini Research Institute report. In other words, there’s a lack of preparedness, even if awareness exists.
A significant share of organizations (51%), said that smart factory cyberthreats primarily originate from their partner and vendor networks (Capgemini Research Institute, June 30, 2022)
And all this while, as mentioned, the inherently interconnected nature of smart factories exponentially increases cyber risks and cyberattacks, requiring cybersecurity practices to be built in from the very start.
Before the pandemic’s start, data readiness and cybersecurity already ranked second as significant challenges for manufacturers to scale smart factory deployments per Capgemini Research Institute, which we covered earlier. And while smart manufacturing continues to be – rather slowly – adopted per the 2022 ISG Global Smart Manufacturing Pulse Survey, many challenges persist, as recently mentioned. We can definitely add the lack of a mature, intelligent factory security strategy to it, even if there are differences between various verticals.
Everything will start with C-level awareness and involvement and a clear smart factory strategy whereby security is considered from the beginning.
Or, as Geert van der Linden, Cybersecurity Business Lead at Capgemini, puts it: “The benefits of digital transformation make manufacturers want to invest heavily in smart factories, but efforts could be undone in the blink of an eye if cybersecurity is not baked-in from the offset. The increased attack surface area and number of operational technology and Industrial Internet of Things (IIoT) devices make smart factories a prominent target for cybercriminals. Unless this is made a board-level priority, it will be difficult for organizations to overcome these challenges, educate their employees and vendors, and streamline communication between cybersecurity teams and the C-suite”.
C-suite involvement, communication/collaboration, and awareness are only some of the critical intelligent factory security aspects to consider. But it’s clear that the C-level is really key. As a reminder: per Gartner, cybersecurity should be treated as a business decision, and de facto is often viewed as a business risk by boards of directors now.
Additional challenges, solutions, and data regarding smart factory cybersecurity
The Capgemini report, ‘Smart & Secure: Why smart factories need to prioritize cybersecurity,’ points out other smart factory security challenges to overcome, on top of C-suite focus and communication with the security folks.
Among them: limited budget, human factors, the inevitable consequences of being connected to the cloud and/or the internet (attack surface), a lack of visibility of OT/IIoT devices at their smart factory locations (compare with the digital footprint of all organizations), skills/training, and so forth.
44 percent of executives said they are unable to investigate all the cybersecurity incidents identified by security tools in their smart-factory (OT/IIOT) system (Capgemini report, ‘Smart & Secure: Why smart factories need to prioritize cybersecurity’)
In terms of preparedness, especially governance and, to a lesser degree, response preparedness are challenges, although other issues such as awareness and cyber resilience remain important.
Per the report, around 53 percent of organizations – including 60 percent of heavy industry and 56 percent of pharma and life sciences firms – agree that most future cyber threats will feature smart factories as their primary targets. Heavy industry and pharma and life sciences organizations have also been a victim of a cyberattack impacting their smart factories more often in the past, with 51 and 44 percent, respectively.
To conclude, a six-step approach recommended by the authors for a robust smart factory cybersecurity strategy:
- Perform an initial cybersecurity assessment;
- Build awareness of smart factory cyber threats across the organization;
- Identify risk ownership for cyberattacks in smart factories;
- Establish frameworks for smart factory cybersecurity;
- Create cybersecurity practices tailored to smart factories;
- Establish governance structure and communication framework with enterprise IT.