Industrial Goods and Services

Our industrial goods and services clients are taking steps to capitalize on the opportunities of the Internet of Things (IoT) while leveraging innovative IT security technologies and solutions as part of their IT risk management program — many of them cloud-enabled — to manage potential risks. These businesses are improving their security programmes with technologies, including cloud-based IT security services, advanced authentication, and big data analytics. The vast majority of organizations also have adopted risk-based IT security frameworks such as ISO 27001 to help guide their overall security priorities.

A number of internal and external forces are converging to raise the risk ante for global supply chains. Some are macro trends such as globalization and global connectivity, which can make supply chains more complex and amplify the impact of problems that may arise. Others stem from the push to improve efficiency and reduce operating costs. Although trends such as lean manufacturing, just-in-time inventory, reduced product lifecycles, outsourcing, and supplier consolidation have yielded compelling business benefits, they have also introduced new kinds of supply chain risk and reduced the margin for error.

Risk Assessments

MANUFACTURERS AND THE SUPPLY CHAIN IT RISK MANAGEMENT IMPERATIVE

How manufacturers are recognizing the shift in focus to their supply chain and how their suppliers impact their IT risk management program

Oilfield Exploration

IT RISK MANAGEMENT IN CHEMICALS MANUFACTURING

How chemicals manufacturers are addressing enterprise risk in a turbulent industry with upstream shifts in cost and availability of both conventional and unconventional feedstocks.

Overview

The factory floor is a growing area of concern for IT security. In a steadily growing trend, much of manufacturing is now becoming digitally driven. The era of skilled machinists operating from paper engineering drawings has given way to networks of computers, automated machines, ubiquitous sensors, and technicians whose job is to convert digital data into physical parts and assemblies. Design, manufacturing and product support operations are driven by a digital thread of technical data — product and process information — that can be shared throughout the supply chain and must be protected. Much attention has been given to protecting technical information in IT systems and networks. But protecting the operational systems of a manufacturing enterprise presents a new and different set of challenges. Not only must the technical data be protected from theft, it must also be protected from alteration that could impair the proper functioning of parts produced or affect the safety and availability of the production system. These concerns are especially challenging for small and mid-size manufacturers.

Cyber threats to manufacturing enterprises may be motivated by espionage, financial gain or other reasons to compromise confidentiality, integrity or availability – concerns that are the focus of IT security.

For the manufacturing enterprise, these concerns are translated as:

  • Theft of technical data, including critical information and valuable commercial intellectual property. This is a Confidentiality concern.
  • Alteration of data, thereby altering processes and products. This is an Integrity concern.
  • Impairment or denial of process control, thereby damaging or shutting down operations. This is an Availability concern.

These concerns exist from the point of creation of the technical data, through its access at any point in the supply chain, to its use to control physical manufacturing processes throughout the product life cycle. There is ample cause for concern. Symantec reports that manufacturing was the most targeted sector in 2012, accounting for 24% of all targeted attacks.

State-sponsored data breaches became the second most common variety of data breaches in 2012, following only organized crime, according to a study by Verizon.

Interviews conducted in recent studies revealed that large manufacturing companies:

  • Are confident in their risk management posture but are concerned about suppliers, especially small businesses, who lack the resources and knowledge to identify and mitigate cyber risks;
  • Are concerned that supplier vulnerabilities could become their vulnerabilities, and are willing to work with suppliers on improvements; and
  • Have not yet seen an upsurge in the threat to factory systems, but acknowledge the growing interconnections between factory systems and other systems, and the existence of targeted attack examples. They do not want manufacturing systems to be the weak link in the enterprise.

In the past, most ICS (industrial control systems) networks were autonomous and built upon proprietary vendor technology. ICS solutions were geared towards speed, functionality, reliability and safety. IT security features were not a high priority when there was an air gap between ICS networks and other networks in the enterprise. Today, however, competitive pressures are driving the integration and analysis of big data collected from business information systems, engineering information systems and manufacturing systems across the supply chain. Organizations need to respond quickly to market changes and they need to manage operations and maintenance with fewer people. Executives need timely and accurate information. Production control systems – ICS – must feed this information to the decision makers as soon as possible.

Several interviews conducted during recent studies indicated a distinct trend toward integration of IT and OT systems. Manufacturing enterprises handle a wide range of sensitive data through their highly connected relationships with customers, suppliers and equipment vendors. In the future, enhancing ICS IT security must be addressed as an integral part of enterprise security.

Verizon’s 2013 Data Breach Investigation Report (DBIR) found that manufacturing networks are more likely to be targeted for purposes of espionage than for financial gain, and operations with fewer than 1,000 employees are more often targeted than the large corporations. While the Verizon sampling is not large enough to make sweeping recommendations, the data highlight the particular threat to the manufacturing sector that contains sensitive system design and production information.

Technical data packages, process flows and other critical information move up and down the supply chain in business transactions and in engineering collaborations. While most large corporations have made significant improvements in their business information technology network protections, data shows only an emerging awareness of the threats to the manufacturing information networks. Additionally, the lower tier manufacturers struggle to secure their business networks and most have not initiated protection of their manufacturing networks.

McAfee’s 2012 Threat Predictions identifies industrial networks as the leading IT security vulnerability, and states, “Attackers tend to go after systems that can be successfully compromised, and ICS systems have shown themselves to be a target-rich environment.” Many smaller suppliers do not have the resources, expertise or financial incentives to identify vulnerabilities and mitigate risks. Their ICS networks are typically vulnerable to backdoors, default passwords, discoverable IP addresses, connection by portable devices and connection from outside networks. Small manufacturers often believe that they are not likely to be targets of cyber attacks, and that perimeter defenses such as firewalls and virus protection will keep them safe — a false hope in light of recent data.

Background

Across all industrial sectors, the world’s leading companies turn to us for our expertise and experience in IT risk management. Brier & Thorn has worked with industrial companies across 71 countries, addressing a broad range of IT risk management challenges. We are focused from day one on helping our industrial clients mobilize their organizations to deliver results. Our industrial goods and services clients span multiple ancillary industrial sectors, including:

  • Aerospace, Defense, and Government Services
  • Agribusiness
  • Automotive
  • Chemicals
  • Infrastructure, Construction, & Building Products
  • Industrial Machinery
  • Forest Products, Paper, & Manufacturing

Our client’s IT risk management strategy should support its business strategy, not constrain it. We focus first on the strategic needs of our clients’ businesses to determine the security controls needed to support their long-term goals. We help companies confidently address their IT risk decisions and ensure their business and operating models are agile and effective, equipping them to cut through the noise of fleeting security control trends to create enduring results.

We have provided IT risk management services to many of the industrial goods and services companies listed in the Fortune 500. Our industrial manufacturing practice comprises a global network of consultants who provide IT risk management to public and private sector industrial manufacturing companies around the world, from manufacturers in goods and chemicals, including shale gas development, exploration and mining in the United States, to engagements with automobile and EDC manufacturers in Europe and Asia Pacific.

Our specialists are recognized for their innovation and thought leadership in emerging technologies, such as the Internet of Things (IoT), connected automobiles, and connected medical devices. Central to the successful delivery of our risk management services is an in-depth understanding of today’s industry issues in addition to a wealth of specialized resources and best practices.

The environment in which our clients operate is continuously evolving and so too are the issues. We help our clients address the full range of IT risk management challenges across the supply chain, transformation of human capital, globalization, shale gas, and capitalizing on the strategic value of technology.

Our Perspective

The industrial goods and services industry continues to face unparalleled risk management challenges. Low-cost players and feedstocks are changing the fundamental economics of the industry in unexpected ways, forcing established competitors to rethink their existing footprint and operating models and lower operating costs in order to compete while expanding into new markets, which in turn expands the attack surface to new threats and threat sources. All of this is occurring at a pace that leaves little time for executive leadership teams to respond with appropriate IT risk treatment options, let alone develop even broader enterprise risk management plans.

Companies have responded with a variety of growth and defensive strategies: some pursuing wrenching cost reductions to ensure near-term profitability that has a direct impact on investments in IT security.

How We Do It

This simple 6-step plan, distinctive to our firm, lays out:

  • Established IT risk governance that establishes a governance framework for managing the company’s IT risks by deciding who will be on each of the teams, sets up operating processes and a reporting structure, and connects risk programs such as disaster recovery, business continuity, and crisis management.
  • Understanding of IT organizational boundaries by identifying the company’s IT vulnerabilities which extend to all locations where sensitive data is stored, transmitted, and accessed.
  • Identification of critical business processes and assets that determines what comprises our clients’ most valuable revenue streams, business processes, assets, and facilities.
  • Identification of threats that creates an effective IT risk monitoring environment that focuses on building a sustainable and resilient approach to putting intelligence inputs from various teams under a common risk lens to quickly identify, correlate, and respond to threats in real time. Our industrial goods and services clients establish a robust threat-analysis capability built on shared intelligence, data, and research from our Security Operations Centers and external sources that effectively analyzes threat context in its entirety.
  • Improvement of collection, analysis, and reporting of information that our industrial goods and services clients are provided as part of our managed security services, which implements robust cyber and technical threat intelligence capabilities. These are: collection and management, processing and analyzing, and reporting and action.
  • Planning and Response actions through a formal design and implementation of prepared responses – playbooks – which are a necessary step in adequately planning and preparing responses to cyber events. Using the intelligence gathered throughout the playbook development process, each playbook says who should take action, what their responsibilities are, and exactly what they should do. Executive leadership will frequently revisit our firm’s cyber intelligence gathering techniques, leverage and update cyber insurance options, and upgrade IT security controls.

Background

We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.

How Brier & Thorn helped a European automobile manufacturer harden its luxury-class connected automobiles

European automobile manufacturer secures its connected luxury automobiles through threat management services from Brier & Thorn

Global diversified manufacturer selects Brier & Thorn for IT risk management consulting and managed security services to secure global footprint

LORD Corporation, a diversified technology and manufacturing company, reduces IT risk by partnering with Brier & Thorn for managed services and IT risk management.
