Our industrial goods and services clients are taking steps to capitalize on the opportunities of the Internet of Things (IoT) while leveraging innovative IT security technologies and solutions as part of their IT risk management program — many of them cloud-enabled — to manage potential risks. These businesses are improving their security programmes with technologies, including cloud-based IT security services, advanced authentication, and big data analytics. The vast majority of organizations also have adopted risk-based IT security frameworks such as ISO 27001 to help guide their overall security priorities.
A number of internal and external forces are converging to raise the risk ante for global supply chains. Some are macro trends such as globalization and global connectivity, which can make supply chains more complex and amplify the impact of problems that may arise. Others stem from the push to improve efficiency and reduce operating costs. Although trends such as lean manufacturing, just-in-time inventory, reduced product lifecycles, outsourcing, and supplier consolidation have yielded compelling business benefits, they have also introduced new kinds of supply chain risk and reduced the margin for error.
How manufacturers are recognizing the shift in focus to their supply chain and how their suppliers impact their IT risk management program
The factory floor is a growing area of concern for IT security. In a steadily growing trend, much of manufacturing is now becoming digitally driven. The era of skilled machinists operating from paper engineering drawings has given way to networks of computers, automated machines, ubiquitous sensors, and technicians whose job is to convert digital data into physical parts and assemblies. Design, manufacturing and product support operations are driven by a digital thread of technical data — product and process information — that can be shared throughout the supply chain and must be protected. Much attention has been given to protecting technical information in IT systems and networks. But protecting the operational systems of a manufacturing enterprise presents a new and different set of challenges. Not only must the technical data be protected from theft, it must also be protected from alteration that could impair the proper functioning of parts produced or affect the safety and availability of the production system. These concerns are especially challenging for small and mid-size manufacturers.
Cyber threats to manufacturing enterprises may be motivated by espionage, financial gain or other reasons to compromise confidentiality, integrity or availability – concerns that are the focus of IT security.
For the manufacturing enterprise, these concerns are translated as:
These concerns exist from the point of creation of the technical data, through its access at any point in the supply chain, to its use to control physical manufacturing processes throughout the product life cycle. There is ample cause for concern. Symantec reports that manufacturing was the most targeted sector in 2012, accounting for 24% of all targeted attacks.
State-sponsored data breaches became the second most common variety of data breaches in 2012, following only organized crime, according to a study by Verizon.
Interviews conducted in recent studies revealed that large manufacturing companies:
In the past, most ICS (industrial control systems) networks were autonomous and built upon proprietary vendor technology. ICS solutions were geared towards speed, functionality, reliability and safety. IT security features were not a high priority when there was an air gap between ICS networks and other networks in the enterprise. Today, however, competitive pressures are driving the integration and analysis of big data collected from business information systems, engineering information systems and manufacturing systems across the supply chain. Organizations need to respond quickly to market changes and they need to manage operations and maintenance with fewer people. Executives need timely and accurate information. Production control systems – ICS – must feed this information to the decision makers as soon as possible.
Several interviews conducted during recent studies indicated a distinct trend toward integration of IT and OT systems. Manufacturing enterprises handle a wide range of sensitive data through their highly connected relationships with customers, suppliers and equipment vendors. In the future, enhancing ICS IT security must be addressed as an integral part of enterprise security.
Verizon’s 2013 Data Breach Investigation Report (DBIR) found that manufacturing networks are more likely to be targeted for purposes of espionage than for financial gain, and operations with fewer than 1,000 employees are more often targeted than the large corporations. While the Verizon sampling is not large enough to make sweeping recommendations, the data highlight the particular threat to the manufacturing sector that contains sensitive system design and production information.
Technical data packages, process flows and other critical information move up and down the supply chain in business transactions and in engineering collaborations. While most large corporations have made significant improvements in their business information technology network protections, data shows only an emerging awareness of the threats to the manufacturing information networks. Additionally, the lower tier manufacturers struggle to secure their business networks and most have not initiated protection of their manufacturing networks.
McAfee’s 2012 Threat Predictions identifies industrial networks as the leading IT security vulnerability, and states, “Attackers tend to go after systems that can be successfully compromised, and ICS systems have shown themselves to be a target-rich environment.” Many smaller suppliers do not have the resources, expertise or financial incentives to identify vulnerabilities and mitigate risks. Their ICS networks are typically vulnerable to backdoors, default passwords, discoverable IP addresses, connection by portable devices and connection from outside networks. Small manufacturers often believe that they are not likely to be targets of cyber attacks, and that perimeter defenses such as firewalls and virus protection will keep them safe — a false hope in light of recent data.
Across all industrial sectors, the world’s leading companies turn to us for our expertise and experience in IT risk management. Brier & Thorn has worked with industrial companies across 71 countries, addressing a broad range of IT risk management challenges. We are focused from day one on helping our industrial clients mobilize their organizations to deliver results. Our industrial goods and services clients span multiple ancillary industrial sectors, including:
Our client’s IT risk management strategy should support its business strategy, not constrain it. We focus first on the strategic needs of our clients’ businesses to determine the security controls needed to support their long-term goals. We help companies confidently address their IT risk decisions and ensure their business and operating models are agile and effective, equipping them to cut through the noise of fleeting security control trends to create enduring results.
We have provided IT risk management services to many of the industrial goods and services companies listed in the Fortune 500. Our industrial manufacturing practice comprises a global network of consultants who provide IT risk management to public and private sector industrial manufacturing companies around the world, from manufacturers in goods and chemicals, including shale gas development, exploration and mining in the United States, to engagements with automobile and EDC manufacturers in Europe and Asia Pacific.
Our specialists are recognized for their innovation and thought leadership in emerging technologies, such as the Internet of Things (IoT), connected automobiles, and connected medical devices. Central to the successful delivery of our risk management services is an in-depth understanding of today’s industry issues in addition to a wealth of specialized resources and best practices.
The environment in which our clients operate is continuously evolving and so too are the issues. We help our clients address the full range of IT risk management challenges across the supply chain, transformation of human capital, globalization, shale gas, and capitalizing on the strategic value of technology.
The industrial goods and services industry continues to face unparalleled risk management challenges. Low-cost players and feedstocks are changing the fundamental economics of the industry in unexpected ways, forcing established competitors to rethink their existing footprint and operating models and lower operating costs in order to compete while expanding into new markets, which consequently expands the attack surface to new threats and threat sources. All of this is occurring at a pace that leaves little time for executive leadership teams to respond with appropriate IT risk treatment options, let alone develop even broader enterprise risk management plans.
Companies have responded with a variety of growth and defensive strategies: some pursuing wrenching cost reductions to ensure near-term profitability, which has a direct impact on investments in IT security.
This simple 6-step plan, distinctive to our firm, lays out:
We share our clients’ ambitions working to understand their reality and deliver true results – focusing on strategic decisions and practical actions. We align our incentives with our clients’ objectives so they know we’re in this together as a closely-held partnership.
European automobile manufacturer secures its connected luxury automobiles through threat management services from Brier & Thorn
LORD Corporation, a diversified technology and manufacturing company, reduces IT risk by partnering with Brier & Thorn for managed services and IT risk management.