Industry 4.0 and cybersecurity - Deloitte

1 A Deloitte series on digital manufacturing Industry and cybersecurity Managing risk in an age of connected production Industry and cybersecurity Deloitte Consulting LLP's supply chain and Manufacturing Operations practice helps companies understand and address opportunities to apply Industry technologies in pursuit of their busi- ness objectives. Our insights into additive manufacturing, IoT, and analytics enable us to help organizations reassess their people, processes, and technologies in light of advanced manufactur- ing practices that are evolving every day. COVER IMAGE BY EVA VAZQUEZ. Managing risk in an age of connected production Contents Introduction | 2. The digital supply network | 6.

2 Changing supply chain , evolving cyber risks The smart factory | 8. Facing new cyber risks in the age of smart production Connected objects | 13. Expanding risks to the physical object Being secure, vigilant, and resilient in the age of Industry | 17. Endnotes | 18. About the authors | 20. Acknowledgements | 21. Contacts | 21. 1. Industry and cybersecurity Introduction The fourth industrial revolution brings with it a new operational risk for con- nected, smart manufacturers and digital supply networks: cyber. The inter- connected nature of Industry driven operations and the pace of digital transformation mean that cyberattacks can have far more extensive effects than ever before, and manufacturers and their supply networks may not be prepared for the risks.

3 For cyber risk to be adequately addressed in the age of Industry , cybersecurity strategies should be secure, vigilant, and resil- ient, as well as fully integrated into organizational and information technology strategy from the start. I. N 2009, malware manipulated the speed of centri- These new and emerging risks should be managed fuges in a nuclear enrichment plant, causing them and mitigated. to spin out of control. This malware, now known The increased connectivity of smart machinery, a as Stuxnet, was introduced into stand-alone net- shift known as Industry , raises the stakes. Indus- works via flash drives, and it autonomously spread try heralds a new age of connected, smart manu- across production networks.

4 Stuxnet's sophistica- facturing, responsive supply networks, and tailored tion serves as a powerful example of cyberattacks'. products and services. Through its use of smart, potential as weapons in the world of connected autonomous technologies, Industry strives to physical And the battle is decidedly un- marry the digital world with physical action to drive balanced: Organizations must protect a wide swath smart factories and enable advanced manufactur- of technology, while attackers need only pinpoint But while it plans to enhance digital capabili- the weakest link. ties throughout the manufacturing and supply chain It is important, however, that we balance our focus processes and drive revolutionary changes to con- between the external threat landscape and the very nected devices, it also brings with it new cyber risks real and typically overlooked cyber risks created for which the Industry is unprepared.

5 Developing a by businesses who are increasingly using smart, fully integrated strategic approach to cyber risk is connected technologies to innovate, transform, fundamental to manufacturing value chains as they modernize, and otherwise make tactical or strate- marry operational technology (OT) and information gic business decisions that could result in such risk. technology (IT) the very force driving Industry 2. Managing risk in an age of connected production As threat vectors radically expand with the advent In this paper, we examine the modern connected of Industry , new risks should be considered and digital supply networks, smart factories, and con- addressed. Put simply, the challenge of implement- nected device themselves, focusing on the unique ing a secure, vigilant, and resilient cyber risk strat- cyber risks faced by Moving through the egy is different in the age of Industry When sup- production life cycle (figure 1) from the digital ply chains, factories, customers, and operations are supply network, to the smart factory, and finally to connected, the risks posed by cyberthreats become the connected object we explore the actions opera- all the greater and potentially farther reaching.

6 Tions and information security executives can take to anticipate and effectively address cyber risks as Thinking about how to address cyber risk at the end well as proactively integrate cybersecurity into their of the strategic process is simply likely too late. Cy- strategy in the age of Industry bersecurity should become an integral part of the strategy, design, and operations, considered from the beginning of any new connected, Industry . driven initiative. Figure 1. Smart production life cycle and cyber risk Secure, vigilant, Production life resilient cycle stage categorization Cyber imperative Objective Digital supply Secure, vigilant, Data sharing Ensure integrity of systems so private, network resilient proprietary data cannot be accessed Secure, vigilant, Vendor processing Maintain trust when processes cannot resilient be validated Smart factory Vigilant Health and safety Ensure safety for both employees and the environment Vigilant, resilient Production and process Ensure continuous production and resilience/efficiency recovery of critical systems Vigilant.

7 Resilient Instrumentation and Protect the brand and reputation of proactive problem the organization resolution Secure, resilient Systems operability, Support the use of multiple vendors reliability, and integrity and software versions Vigilant, resilient Efficiency and cost Reduce operating costs and increase avoidance flexibility with remote site diagnostics and engineering Secure Regulatory and due Ensure process reliability diligence Connected object Secure Product design Employ secure software development life cycle to produce a functional and secure device Vigilant Data protection Maintain the safety of sensitive data throughout the data life cycle Resilient Remediation of attack Minimize the effects of an incident effects while quickly restoring operations and security Deloitte University Press | 3.

8 Industry and cybersecurity DIGITAL MANUFACTURING ENTERPRISES AND Industry The Industry technologies that enable digital manufacturing enterprises and digital supply networks involve the integration of digital information from many different sources and locations to drive the physical act of manufacturing and distribution. This integration of information technology and operations technology is marked by a shift toward a physical-to-digital-to-physical connection. Industry combines the Internet of Things (IoT) and relevant physical and digital technologies, including analytics, additive manufacturing, robotics, high-performance computing, artificial intelligence and cognitive technologies, advanced materials, and augmented reality, to complete that cycle and digitize business operations.

9 The concept of Industry incorporates and extends the IoT within the context of the physical world the physical-to-digital and digital-to-physical leaps that are somewhat unique to manufacturing and supply chain / supply network processes (figure 1). It is the leap from digital back to physical from connected, digital technologies to the creation of a physical object that constitutes the essence of Industry , which underpins the digital manufacturing enterprise and digital supply network. Figure 2. The physical-to-digital-to-physical leap of Industry 2. Analyze and visualize Machines talk to each other to share information, allowing for advanced analytics and visualizations of real-time data from multiple sources 2.

10 1 DIGITAL. PHYSICAL. 3. 1. Establish a digital record Capture information from the physical world to create a digital record of the physical operation and supply network 3. Generate movement Apply algorithms and automa- tion to translate decisions and actions from the digital world into movements in the physical world Source: Center for Integrated Research. Deloitte University Press | Even as we explore the ways in which information creates value, it is important to understand value creation from the perspective of the manufacturing value chain . Throughout the manufacturing and distribution value network, business outcomes may emerge from the integration of information and operations technologies via Industry applications.