Key findings from a study on smart factories by Deloitte and the Manufacturers Alliance for Productivity and Innovation (MAPI) include:
- 25 percent of manufacturers surveyed have not performed a cyber risk assessment in the past year, meaning these manufacturers likely do not have visibility into the impact of a cyber-related operational disruption;
- 48 percent of manufacturers surveyed identified operational risks, which include cybersecurity, as the greatest danger to smart factory initiatives;
- 40 percent of manufacturers surveyed indicated that their operations were affected by a cyber incident in the past 12 months;
- Management of information technology (IT) is often out of sync with operational technology (OT) management, creating additional vulnerabilities many companies are unaware of;
- OT is typically managed by engineering, automation, and operations rather than IT;
- There is generally no single team responsible for all OT systems and underlying security;
- Traditional application of security controls, such as patching or vulnerability scanning, needs to be adapted to the new environment.
The merging of OT and IT—a theme across the manufacturing, energy, and industrial sectors—creates numerous potential operational benefits. However, it expands the threat surface and the spectrum of potential vulnerabilities. In addition, as the report points out, IT is sometimes at odds with legacy OT systems that were not designed to be externally connected in the first place.
It is clear that many companies prioritize growth and cost reductions over security considerations. This study is consistent with Cyberhedge analysis showing low levels of management awareness of the expanded set of vulnerabilities that come with the acceleration of digital transformation efforts in manufacturing.
The disconnect between OT risk and financial risk related to smart factories is also notable. With 48 percent of respondents indicating that OT is a primary risk, compared to only 18 percent saying the same about financial risk, there appears to be a lack of understanding that an OT disruption often results in significant financial costs. Operational disruptions related to cyber attacks in the past year—such as those experienced by Norsk Hydro and Pitney Bowes—all resulted in significant financial damage. With the twin rise of ransomware and the merging of OT and IT, this dynamic will only grow in 2020.