More companies are taking a disciplined approach to the growing threat of cyber attacks, according to a new cybersecurity survey from the Manufacturing Leadership Council. The MLC is the digital transformation arm of the NAM.
- The survey, which included input from 160 companies, indicates a dramatic change in how seriously manufacturers consider cyber threats compared to 2018, when the MLC last conducted the same survey.
Who’s prepared: Nearly 62% of manufacturing companies say they have a formal cybersecurity plan in place, according to the survey.
- That’s up from 2018, when barely 33% of manufacturers indicated they had devised and adopted formal cybersecurity plans that encompassed their plant floors.
- Nearly 40% of respondents said they had a high level of confidence in their internal cyber expertise, compared with just 25% who expressed such certainty in 2018.
More attacks expected: Yet even as better cybersecurity strategies are put in place, nearly 79% of survey respondents said they expect more attacks in the next year.
- That figure is up from 64% in 2018.
- The most frequently cited reasons for this prediction are increased levels of cyber crime and cyber terrorism and greater connectivity in manufacturers’ operations.
The effects on digital transformation: More than half the survey respondents expressed concern that cybersecurity issues could affect the speed and scope of digital transformation.
- 14% said cybersecurity could be a major obstacle in the next five years, with another 40% describing it as “an issue of concern.”
- Close to half—43%—said they consider cyber a part of doing business in a digitally transformed world.
Proactive measures: More manufacturers are taking advantage of publicly available safeguards, such as the NIST Cybersecurity Framework, to underpin their strategies.
- Nearly 58% of respondents said they have adopted the NIST framework, up from 48% in 2018.
- 45% said they have cyber insurance, compared to the 18% that said they had it in 2018.
The coming challenge: In the past four years, manufacturers have made significant strides to combat the growing problem of cyber attacks against the industry.
- However, manufacturers will need to stay a step ahead of cyber criminals as the number and sophistication of attacks increases.
See the survey: Review the survey findings for an in-depth look at how manufacturing leaders are thinking about cybersecurity in manufacturing’s digital era.
Get help: NAM Cyber Cover was designed specifically to provide enhanced risk mitigation and protection for manufacturers and their supply chains. Find out more at www.namcybercover.com.
High-performing projects and world-class leaders were honored at the first in-person awards gala to take place in three years.
After two years of being reimagined as an online event, there was some extra excitement in the air as the Manufacturing Leadership Awards Gala made its return as an in-person event. It was a fitting celebration in a year that saw a record number of nominations, producing the biggest-ever cohort of winners.
Listed below are the top award winners that were revealed at the gala. The complete list of 2022 winners is here. The 2023 Manufacturing Leadership Awards season will open on August 15.
Manufacturers of the Year
- Small/Medium Enterprise
- Large Enterprise
- Manufacturing Leader of the Year
Dr. Albert Bourla, CEO, Pfizer
- AI and Machine Learning
Anheuser-Busch InBev – Utilities Consumption Reduction with AI Engine (SORBA)
- Collaborative Ecosystems
Protolabs – A Digital Thread for a Full-Solution Provider
- Digital Network Connectivity
Anheuser-Busch InBev – Structured Analysis of Downtime and Asset Performance Management Tool (AODS)
- Digital Supply Chains
Dow Inc. – Global Trade Facilitation Program
- Engineering and Production Technology
General Motors – Factory ZERO: GM’s Launchpad to an All-Electric Future
- Enterprise Integration and Technology
Flex – Facilitating the Production of the World’s Most Complex Product with the Evolution of a Smart Factory. (tie)
Johnson & Johnson – Johnson & Johnson Supply Chain SMART Factory
- Operational Excellence
Anheuser-Busch InBev – AI Digital Workforce and Knowledge Share Platform (Acadia + DeepHow)
- Sustainability and the Circular Economy
AUO Corporation – Meet the Water Drop for 27 Times in AUO
- Transformational Cultures
ALOM Technologies – ALOM DOING Initiative Elevates Company as Employer of Choice
- Editor’s Choice Award
Flex – The LISA Line-Stop Assistant
COPYRIGHT: National Assoc. of Manufacturers
About the author:
Penelope Brown is the Senior Content Director for the Manufacturing Leadership Council.
The good news from MLC’s new cybersecurity survey is that more manufacturers than ever before — 62% in fact, according to the study — have put in place formal cyber plans and strategies to defend their companies against increasing numbers of cyber attacks.
That’s a big and welcome change from just four years ago when just slightly more than one-third had such plans in place. And there was even more good news from the new survey: manufacturers are also growing their internal cyber competencies, providing more cyber training to employees, and even availing themselves of such measures as cyber insurance.
The one area, however, that is still cause for some concern is at the organizational level. When asked who is in charge of cybersecurity efforts, again this year the picture that was painted was one of diffused, or scattered, responsibility. Half of survey respondents indicated that their head of corporate IT is in charge of cyber in their companies. Another 28% said it was their Chief Information Security Officer, 25% said it is a dedicated IT/OT team, and another 17% indicated it is their head of manufacturing. Only 15% of this year’s survey respondents said they have a dedicated Chief Cyber Security Officer (respondents were instructed to answer the question by checking all that applies).
Even allowing for different size, complexity, and culture, organizational responsibility for cybersecurity has long been slippery in manufacturing companies. This is due, in part, to the technical nature of cyber, including whether IT or OT systems are involved, as well as the relative newness of the discipline itself.
In some ways, the current situation reminds me of the debate in the 1980s with the then-new role of the Chief Information Officer. Back then, CIOs struggled with getting their corporate footing, particularly with the C-suite and getting a seat at the so-called leadership table.
A recent study entitled “Security and the C-Suite: Making Security Priorities Business Priorities”, conducted by the Ponemon Institute for LogRhythm, sheds light on the organizational problem, particularly lines of reporting. The study says that 93% of cybersecurity professionals polled in the U.S., EMEA, and Asia-Pacific are not reporting directly to the CEOs of their companies.
“In fact, on average respondents are three levels away from the CEO which makes it very difficult to ensure that leadership has an accurate and complete understanding of security risks facing the organization”, the study said.
It may only be a matter of time before issues of who is responsible for cybersecurity and who that person should be reporting to in order to ensure as full as possible an organization-wide understanding of cyber risks and remediations are resolved.
But a better approach may be a proactive one, driven by the C-suite, to make cybersecurity responsibility as clear as possible. Clarity is a necessity in a time of rising frequency and sophistication of attacks. – David R. Brousell
Heading to the beach? Take along the Manufacturing Leadership Council’s summer reading list to catch up on today’s top trends in digital manufacturing while you catch some rays. With these articles, you’ll discover new ideas, technologies and best practices to give your company a competitive edge.
Workforce: Leading the Way to Workforce Optimization. As digitization changes employees’ expectations of their employers, manufacturers must adapt. Examples include options for remote work, interactive training, agile and rapid collaboration platforms, career development, work-life balance and more.
Industrial automation: Camozzi’s Autonomous Vision. Successful autonomous manufacturing will depend on the fundamental relationship between humans and machines, says Camozzi Group CEO Lodovico Camozzi, whose company makes industrial machinery. In a recent interview with the MLC, Camozzi shared his view of manufacturing’s autonomous future, including:
- How advanced additive manufacturing approaches promise new production paradigms;
- The importance of collaboration in driving innovation and excellence; and,
- Why the industry must maintain a human focus in today’s digital world.
Cybersecurity: Ransomware Attacks Increasingly Targeting Manufacturers. Think your business is safe from hackers? Think again. Ransomware attacks against manufacturers are on the rise. All businesses should be on guard against cyber extortion, advises Peter Vescuso, vice president of marketing for industrial cybersecurity provider Dragos and a member of the MLC.
Supply chain: How Manufacturers Can Navigate Supply Chain Challenges.
As global supply chain woes, worker shortages and wage inflation challenges intensify, manufacturers everywhere want to know the best way to navigate them. In this article, a panel of industry experts shares top tips to sustainably and profitably overcome current obstacles.
Artificial Intelligence: AI Roadmap: How Manufacturers Can Amplify Intelligence with Artificial Intelligence. Artificial intelligence offers manufacturers a host of benefits, including better visibility into supply chains, insights from predictive analytics and the ability to quickly respond to unexpected changes in demand. A six-step road map can help manufacturers looking to integrate AI into their businesses.
5G: 5G Will Help Unlock M4.0’s Potential. 5G technology offers speed and capacity advantages to manufacturing companies. According to the MLC’s recent Transformative Technologies survey, 26% of manufacturers have already invested in 5G technology. More than half expect to invest or are considering investing in the technology over the next two years to take advantage of 5G’s benefits.
Sustainability: Overcoming Roadblocks to Advance Sustainability Programs.
The manufacturing industry is expected to improve its sustainability and keep leading the fight against climate change. However, making green changes to processes and procedures can be costly. To get the most bang out of their sustainability investments, manufacturers should focus on data-driven initiatives and indicators.
Looking for more digital manufacturing insights? Browse the Manufacturing Leadership Journal for additional information on technology, organizational structure and leadership in manufacturing’s digital era.
M2030 Perspective: Is there value for manufacturing in the future metaverse?
Businesses around the world took note when Facebook announced in October 2021 that it was changing its name to Meta Platforms, Inc., formally focusing the company’s future around the concept of the metaverse.
There’s since been a lot of interest from manufacturing companies on this topic. The Manufacturing Leadership Council’s webcast on the metaverse, for example, hosted in May as part of its Manufacturing in 2030 Project series, drew one of its largest audiences ever.
But is there value for manufacturing in the metaverse?
A number of questions routinely come up in conversations with manufacturing companies about the metaverse. Will adoption live up to the hype? What is the business opportunity? Why invest in the metaverse? Where in the value chain should companies invest effort to realize the benefits? And how can manufacturing companies get started?
Defining the Metaverse
First, it’s important to develop a solid understanding of what the metaverse means. That, of course, is easier said than done. There’s a lot of buzz and many points of view swirling around, so we’ll offer a more simplified one: The metaverse is the next generation of the internet—a virtual, interconnected reality seamlessly woven into our physical world. In other words, it’s a convergence of digital and physical environments.
Most common definitions include three key components:
- Digital environments, such as Horizon Worlds or Oculus
- A mechanism for interacting with those digital worlds through augmented reality, virtual reality, or even brain-computer interfaces
- A commerce engine in the digital world, such as Web 3.0, non-fungible tokens (NFTs), or blockchain
But there is a fourth component that isn’t often found in other definitions: Autonomous X. There is a digital transition underway in many industries–from connected, to intelligent, to autonomous. Consider the example of a factory. Companies can use 3D renderings to engineer and design a factory. Through IoT connectivity among products, manufacturing operations, vehicles, and buildings, people can now begin to monitor factory systems more intelligently. In the future, digital twins will manage those buildings, making Autonomous X the fourth element of the metaverse.
“The metaverse is the next generation of the internet—a virtual, interconnected reality seamlessly woven into our physical world.”
The other key aspect of Autonomous X for manufacturing is that it allows persistence without human intervention. If you are in a virtual game with three other people, and they leave, there is no activity—or persistence—in that virtual world. But in manufacturing, there can be persistence without human intervention. In an autonomous building, a digital twin with intelligence can maintain the HVAC, security systems, and environmental controls so that both the virtual and physical worlds can continue to operate. That is why it is important to consider the Autonomous X factor when defining and thinking about the metaverse in manufacturing.
Some Elements Already Exist
There is a lot of excitement and many hypotheses about what the metaverse may look like in manufacturing, including the potential for full, virtual stores with digital-only products that create new revenue streams.
Here’s how I described what this may look like to my 11-year-old daughter: Imagine you’re watching a US Women’s National Soccer Team match in Oculus. Kristine Lilly scores a goal. Then an ad pops up asking if you’d like the same soccer cleats. You click on it and select the option to customize the cleat with your school logo and put your name on the back. Press the button, Nike manufacturers it, and ships it to you in three days.
That’s just one example of how the metaverse could drive convergence between entertainment, customer experience, customization, and manufacturing. Many of the building blocks for this scenario exist today, suggesting that this future may not be so far away. But it will be more of a practical progression, rather than a sudden shift, toward this new future state.
Where Executives Stand Today
West Monroe recently surveyed 150 C-suite executives from a cross section of industries, including consumer and industrial products, to understand their current views about the metaverse.
- Is there business value? Most executives believe the metaverse will present business value for their organizations over the next one to five years: 57% believe it has some potential business value, and 29% believe it holds significant business value. However, viewpoints differ by industry. Consumer packaged goods manufacturers are the most optimistic with 43% of CPG executives believing the metaverse holds significant value for their organizations.
- Where should you invest? Many businesses have already begun exploring augmented reality and virtual reality technologies that will play a significant role in the metaverse, or they plan to start soon. Results of the survey showed a slight leaning toward external use cases such as improving marketing campaigns or customer experience: 45% of companies are exploring these technologies now for external use, versus 39% that are actively looking at internal use cases.
Consumer packaged goods and industrial manufacturing companies are more likely than average to be planning for external uses in the next 12 months. This could include field operations and maintenance, where augmented reality applications are already being deployed today.
How to Start Exploring the Manufacturing Metaverse
Become educated: The metaverse is a rapidly evolving concept, and there are many points of view about what it is and what it means. Following the trends is critical. Even if your organization isn’t ready to fully invest today, it should be willing to experiment and be thinking about the future, because it’s likely that your competitors already are.
Create cross-functional innovation teams to begin building and testing the strategy: The best metaverse opportunity could be in research and development, manufacturing, sales, marketing, or another area across the value chain. We don’t yet know what applications will have the greatest impact for the manufacturing industry, and it will likely vary by company. Creating cross-functional teams increases your organization’s ability to identify, evaluate, and prioritize the best use cases.
“The metaverse could drive convergence between entertainment, customer experience, customization, and manufacturing.”
Identify potential sources of value: If you haven’t read the terms and conditions of Oculus, you should. Consider this: You are essentially providing Mark Zuckerberg with a window into your house and life. The data that can be gathered is breathtaking, and scary. They can read your eye patterns to understand what interests you, know the size of your hands, and see everything that’s in your bedroom (or whatever is in view, wherever you play). There are massive privacy concerns here—another topic for another time—but the point is that there is a tremendous amount of data that can be gathered via the metaverse. Just imagine what could be done with this information. There will be other more direct sources of value, but it’s imperative to have your cross-functional team think beyond the obvious sources. This will help direct your organization in the next step of identifying where to pilot and test.
Think big, start small, and act fast: There will be strategic choices to make. Do you want to be part of building the new infrastructure? Do you want to monetize content and virtual assets? Do you want to create B2B or B2C content or even inward-facing experiences such as customer showrooms, virtual conferences, or remote collaboration solutions? Or do you want to attract existing customers and/or prospects through advertising? You need to be strategic but also remain practical as you begin testing and validating the opportunities.
Pilot, monitor, and report on metaverse-related initiatives: Innovate and test practical use cases while also keeping a close eye on where the industry is creating critical mass. This will help create a flywheel effect. Without an institutionalized process to monitor, report on, and test opportunities, you could potentially be disrupted rather than leap-frogging the competition.
Most of all, stay practical: All of this is emerging at a time when manufacturing organizations are still adjusting to the upheaval of the past two years. It is critical to be strategic and proactive, but at the same time remain practical as companies look at the potential of the metaverse in an industrial setting in the years ahead. M
About the author:
Randal Kenworthy is a Senior Partner, Consumer and Industrial Products, at West Monroe.
In highly connected industrial ecosystems, managing the supply chain landscape requires adapting traditional approaches to cyber risk.
A hyper-connected world helps companies increase transparency to mitigate the physical disruption of goods. But it also opens them up to a potential digital weakness that poses another kind of disruption – cyber risk.
Lessons from the recent pandemic have accelerated digital adoption. This is now changing the security paradigm in the short to medium term. In particular, the adoption of new technologies to help drive efficiencies across the industrial sector is leading to more complicated IT ecosystems that are, in some cases, heavily integrated with partners, alliances and suppliers. This grey area of potential risk falls outside the traditional good practice guidelines leaders have come to know well. Manufacturers, distributors, and other industrial organizations must now adapt their methods and approaches to identify and manage this new cyber risk vector.
The Impact of an Interconnected World
As traditional corporate boundaries become increasingly blurred, expanding deep into the supplier landscape, trying to track who does what, and when, with data is a growing challenge. Organizations are now faced with an increased exposure presenting many unknown risks, potentially impacting daily operations.
This is a problem for the total supply chain. If one operation is hacked, all are at risk. The rise of e-commerce and non-store retailing within consumer, manufacturing, and distribution is placing huge demands on technology-driven solutions to streamline operations. To keep track of real-time stock levels, tracking software allows for improved accuracy over end-to-end manufacture to delivery to the customer. It requires non-stop communication between partners at each step, with different software systems managing the flow interdependently. Add to that the numerous back-office partners that support payroll, or settlement, or host IT systems. All of these functions require new approaches to managing risk.
“Organizations are now faced with an increased exposure presenting many unknown risks, potentially impacting daily operations.”
Breaches in security can erode market value and damage brand reputation. The attack in 2020 on SolarWinds and the Florida-based IT company Kaseya spread through 200 corporate networks that used its software. The failure to appreciate risk in the overall end-to-end system had a significant material impact on their operations, highlighting the need to re-address the approach to risk management and look wider than an organization’s own corporate domain. Smaller companies are equally at risk. In 2021, 40 percent of ransomware victims had less than 100 employees,
Amassing data from external partners also comes with inherent risk if that data is supplied through systems integration or other means of automated updates.
A new perspective needs to be taken at the enterprise level, so all types of data are considered. Companies need to carefully think through the risk implications of financial data (price, cost, invoices, spend), product data (specifications, quality, Bills of Material), order data (quantities, data, addresses) and shipment data (location, times, carriers), that are shared weekly, daily, or even hourly up and down the supply chain.
The unknown risks in an interconnected world may also include exposed or abandoned internet-facing servers that may highlight asset management issues, or confidential documents that may be leaked due to the lack of consistent applied data classification and handling across multiple organizations.
Other dangers may come from default, out-the-box login credentials pointing to build standards not being met, or legacy hardware falling off the support radar that identify failing decommissioning processes. Further problems can arise from suppliers not informing partners about breaches they’ve identified.
“By adapting traditional approaches to managing risk, organizations can identify their exposure across the entire IT ecosystem and identify the areas of weakness they need to fix.”
All this is in addition to the need to respond to the growing regulatory focus on supply chain accountability, which is placing further pressure on already pressed resources to address ever-growing cyber risk.
How can companies now broaden their risk management processes to incorporate the increasingly interconnected supplier landscape and streamline their efforts? There are five key areas to focus on.
- Access: Be more transparent and know who has access to networks and systems. They also need to understand what partners do inside their networks and with their data and how they access it.
- Data: Understand what data is at risk. That means understanding the full end-to-end architecture that flows into and out of their own environment and identify the points of exposure that could undermine operations (outside-in scanning).
- Suppliers: Increase collaboration and take proactive measures to understand how suppliers manage their own IT estates if they are connected to others. Organizations also need to mature commercial obligations with suppliers to provide greater comfort over how they will handle data. Simply asking them to comply with basic standards isn’t enough.
- Technologies: Leverage red-teaming techniques, rigorously challenging plans, policies, systems and assumptions; attack surface scanning; and Continuous Control Monitoring to test the robustness of their controls.
- The Business: Understand what the material impact on operations would be in the event of a compromise to internal or suppliers’ systems.
By adapting traditional approaches to managing risk, organizations can identify their exposure across the entire IT ecosystem and identify the areas of weakness they need to fix. This will also enable the more efficient and effective use of scarce resources to target areas of vulnerability underpinning operations, allowing manufacturing leaders to obtain a higher degree of assurance and security in an increasingly connected world. M
About the authors:
Shanton Wilcox is a Partner and Americas Leader for Manufacturing at PA Consulting.
Carl Nightingale is a Partner and Cyber Security Expert at PA Consulting.
As consumer products get smarter, how can manufacturers transfer security best practices from production environments into the devices in consumers’ hands?
Security measures are frequently addressed by manufacturers when designing and manufacturing increasingly intelligent products. Most of the efforts implemented are to protect the manufacturer’s network and production capabilities. But what happens beyond those secure walls? How does that effort continue even when a product leaves the protection of the factory?
Internet of Things
The Internet of Things movement has seen rapid acceleration and change as companies and individuals benefit from the many tasks these devices operate, the data they generate, and how they help facilitate connections between the users and their processes. This movement has seen steady growth with the adoption of smart home devices becoming more mainstream in people’s homes and an uptick in building management systems. A secondary reason for the spike in demand is improved efficiency, enhanced by the increased knowledge gained from the influx of data collected by these IoT sensors.
Enhanced data insights in production are a driving factor in the increased installation base, with around $100 billion in investments from the manufacturing sector alone. Estimates show that 127 new devices are connected to the internet every second, with an estimated $4–11 trillion in expected economic value. Current estimates also suggest that around 75 billion IoT devices will be installed by 2025, with 48 billion of those installed between 2020 and 2025 alone.
On the consumer side, simplifying daily chores and the promise of reducing costs via automation and data insights drive many home device purchases. From the enterprise perspective, real-time data has dramatically improved business efficiency leading to cost savings and increased profits. The return on the investment is relatively high compared to the current cost of most of these devices. While the benefits have proven worthy, the Internet of Things movement has left both producers and consumers more vulnerable and scrambling to offset these gains, searching for tools to improve insights into this newly connected part of the business.
The most crucial question is, what should manufacturers consider when creating secure IoT devices from the ground up? Not only do they want to focus on security during the design and creation, but on implementing security controls and ensuring those same controls ultimately carry over to the end user of the IoT devices. The focus on security for IoT devices usually is not a top priority for consumers who purchase these products, nor should it be. So, how can manufacturers now transfer their security best practices from their production environments into the devices they manufacture, and ultimately into their consumers’ hands?
Designing In Security
Great design starts with focusing on the product and how it will improve how we currently perform some tasks. Security needs to be part of the design process from the initial conversation of core software design into the actual product’s physical structure. The company’s security culture will dictate the whole process’s tone from start to finish, ensuring everyone understands the company’s mission around security will translate from the manufacturer to the end consumer. Manufacturers with a strong security culture will implement and address basic security controls early on. Elements such as passwords, encryption, two-factor authentication, biometrics, and zero trust frameworks provide an in depth defense strategy in the early stages. Each of these will allow the benefits to be carried over to the consumers’ hands to ensure that a product can support any strategy no matter what security approach is used in their own environment.
“While the benefits have proven worthy, the Internet of Things movement has left us more vulnerable and scrambling to offset these gains.”
Software is a fundamental part of most IoT devices, and testing and securing the code is essential. Continuous improvements to the software allow for reductions in risk as the software is constantly changing and enhancing, increasing the difficulty of exploiting a vulnerability. Consumers can directly benefit from advances to the user interface (UI) and enhanced security developments from the updates provided. At this point, the data necessary for the product to function should be separated from usage information. The addition of encryption should also be a consideration so, in the unlikely event data is compromised, it poses another barrier to access. The main design goal should be that information cannot be traced back to the end user.
Manufacturing Out Vulnerabilities
Securing the supply chain can be the most daunting part of the process, with many new variables introduced during this stage. Monitoring components purchased from third-party vendors ensures the same quality of security is implemented into each element not designed in-house. Many manufacturers require suppliers have a level of protection within their production line. This can come in the form of software detection of malware or even the use of an intrusion detection system in the OT environment to ensure visibility in all aspects of production. From the end user’s perspective, the benefits here are less visible if implemented correctly. Reducing vulnerabilities introduced from components purchased from outside sources does not directly add value but gives more peace of mind. This part of the process is crucial because components built locally but shipped globally open up the potential for backdoors to be introduced.
Security Marketing and Selling
Demand creation for products needs to include security as a consideration, not just how the device may make work and life easier. Each step in designing and manufacturing a device developed with security adds value for consumers. Awareness of these efforts can improve the value and ensure security becomes one of the core reasons for purchasing the product. Directly marketing security features to end users allows them to select products that fit into their risk profiles. Consumer awareness and training can help keep high levels of security after the product has gone beyond the walls of the OEM. Marketing should highlight what features support a secure experience and use it as a critical factor in differentiating the product in an increasingly crowded IoT devices marketplace.
“Manufacturers with a strong security culture will implement and address basic security controls early on.”
Cyberattacks are frequent and have entered mainstream consciousness because of news coverage and social media platforms. The enterprise customer has felt these attacks both financially and in brand and reputational damage. Data privacy has become a top concern for everyday users. Implementing perfectly designed security tools is useless if the end user is unaware of the capabilities included in the devices they have procured. Guidance and reminders on password security should not just be implemented but sold as a feature. Most consumers do not use complex passwords and fail to update default passwords due to a lack of requirements built into these IoT devices. For enterprise consumers, selling the concept of zero trust compatible devices is imperative. Ensuring the product is placed in an environment with little to no impact should push that device to the top of the consideration list.
Should manufacturers disclose the risks their products could potentially introduce into the end consumers’ environments? One could argue that knowing where the vulnerabilities lie allows the end consumer, an individual, or a large company to mitigate adequately and improve readiness. Currently, companies are not required to provide this type of information. Generally, it is not considered a great sales strategy to point out the risks a product could introduce in one’s environment. Security vendors often sell manufacturing customers solutions to resolve vulnerabilities. To ensure all customers can maintain a level of security that adheres to best practices, they need to inform and educate to best position and implement an in-depth defensive strategy. Manufacturers cannot protect users in every environment. Still, they should be responsible for providing features that allow anyone purchasing their product to construct a secure environment.
Securing the Future
Customers, whether on the enterprise end or in the consumer market, all deserve to have security embedded into their IoT landscape. Demand will continue to grow for many more years as this market matures. Security will continue to be part of the conversation as devices get more intelligent and handle more personal information from all aspects of our lives and businesses. Ensuring that the effort put into security during the design and manufacturing of products carries on beyond the assembly line is critical.
“Each step in designing and manufacturing a device developed with security adds value for consumers.”
The end user’s level of protection should not drop but should increase, given that the consumers’ risk is at its highest when data collection begins at the first use of the product itself. Consumers all deserve a secure home and business even as the 1s and 0s enter and leave a manufacturer’s control. As a consumer of a product, all devices should carry the highest security standards. Privacy is a fundamental right, yet that can only happen with improved efforts toward security expectations at all levels.
There is a saying that the best implementation of security is the one to which you do not have to give a single minute of thought. As products become smarter, manufacturing’s challenge for the future is to ensure their security strategies successfully extend beyond the production plant and into the products themselves. A moment’s thought about security at the beginning of a product’s lifecycle, could save consumers hours of disruption and frustration further down the line. M
About the author:
Jose Razo is a Senior Technical Specialist in IoT, OT, and ICS Security at Microsoft.
Cyber AI can be a force multiplier that enables organizations to respond faster than attackers can move, and to anticipate and react in advance.
Despite making significant investments in security technologies, organizations in many industries continue to struggle with security breaches. Their adversaries are quick to evolve tactics and stay ahead of the technology curve. Humans may soon be overwhelmed by the sheer volume, sophistication, and difficulty of detecting cyberattacks.
Companies are already challenged to efficiently analyze the data flowing into the security operations center (SOC) from across the security tech stack. This doesn’t include the information feeds from network devices, application data, and other inputs across the broader technology stack that are often targeted by advanced attackers looking for new vectors, old misconfigurations, or using new malware. As the enterprise increasingly expands beyond its firewalls, security analysts are charged with protecting a constantly growing attack surface.
Meanwhile, the cost of cybercrime continues to climb and is expected to increase from US$3 trillion in 2015 to $10.5 trillion by 2025.[i] The average cost of a single data breach in 2021 was $4.24 million,[ii] a 10% increase from 2019. According to insurer AIG, ransomware claims alone have grown 150% since 2018.[iii]
“The adoption of 5G networks and an increase in network connections, together with a more distributed workforce and a broadening partner ecosystem, present new risks.”
It’s time to call for AI backup. Cyber AI can be a force multiplier that enables organizations not only to respond faster than attackers can move, but also to anticipate these moves and react to them in advance. Cyber AI technology and tools are in the early stages of adoption with new advances frequently occurring. The global market for these tools is expected to grow by $19 billion between 2021 and 2025.[iv]
AI’s ability to adaptively learn and detect novel patterns can accelerate detection, containment, and response, easing the burden on SOC analysts and allowing them to be more proactive. The bonus is that it can also help organizations prepare for the eventual development of AI-driven cybercrimes.
Expanding Enterprise Attack Surfaces
Organizations’ attack surfaces are expanding exponentially. The adoption of 5G networks and an increase in network connections, together with a more distributed workforce and a broadening partner ecosystem, present new risks. They’re exposing the enterprise outside of its firewalls and pushing into customer devices, employee homes, and partner networks. Here are a few of the ways manufacturers have seen their attack surfaces increase:
Increase in connected devices: 5G, IoT, Wi-Fi 6, and other networking advances are driving an increase in network-connected devices. When seeking a soft attack vector, cybercriminals will be able to choose from a growing number of network-connected physical assets—29.3 billion by 2023, according to one estimate.[v]
The unprecedented number of devices connected to these networks produce data that needs to be processed and secured, contributing to the data logjam in the SOC. It can be challenging to keep track of and manage active assets, their purpose, and their expected behavior, especially when they’re managed by service orchestrators.
Broader ecosystem of partners: As the enterprise continues to extend with an increasingly global supply chain, hosted data, infrastructure, and services have long contributed to third-party risk. And as more and more organizations integrate data with third-party applications, APIs are a growing security concern.
Third-party breaches are also growing in complexity. Five years ago, an intruder might use widely available malware to target specific computer systems, gain contractor credentials, and steal customer data—messy, to be sure, but with a clear source and the ability to monitor and remediate the damage.
“AI will be increasingly important for many manufacturing clients as they undergo the digital transformation of their factories with Industry 4.0 technologies.”
Such an attack pales in comparison to today’s sophisticated intrusions, in which information stolen from one company can be used to compromise thousands of its customers and suppliers. Supply chain attacks can do the same by exploiting the least-secure embedded components of complex supply networks. A breach with no boundaries can be nearly impossible to monitor and remediate, with active theft potentially continuing for many years.
Adoption of 5G networks: 5G is expected to completely transform enterprise networks with new connections, capabilities, and services. But the shift to 5G’s mix of hardware and distributed, software-defined networks, open architectures, and virtualized infrastructure creates new vulnerabilities and a larger attack surface, which will require more dynamic cyber protection.
As public 5G networks expand, many manufacturing organizations have also begun to invest in private and hybrid 5G networks that meet enterprise requirements for lower latency, data privacy, and secure wireless connectivity. From autonomous vehicles and drones to smart factory devices and mobile phones, an entire ecosystem of public and private 5G networks—connected devices, applications, and services—will create additional potential entry points for hackers. Each asset will need to be configured to meet specific security requirements. And with the increasing variety of devices, the network becomes more heterogenous and more challenging to monitor and protect.
AI Defense Against Cyberthreats
Expanding attack surfaces and the escalating severity and complexity of cyberthreats are exacerbated by a chronic shortage of cybersecurity talent. Employment in the field would have to grow by approximately 89% to eliminate the estimated global shortage of more than 3 million cybersecurity professionals.[vi] AI can help fill this gap.
Accelerated threat detection: Advanced analytics and machine learning platforms can efficiently sift through the high volume of data generated by security tools, identify deviations from the norm, evaluate the data from the thousands of new connected assets that are flooding the network, and be trained to distinguish between legitimate and malicious files, connections, devices, and users.
Force multiplier in containment and response: AI can also serve as a force multiplier that helps security teams automate time-consuming activities and streamline containment and response. Consider machine learning, deep learning, natural language processing, reinforcement learning, knowledge representation, and other AI approaches. When paired with automated evaluation and decision-making, AI can help analysts manage an escalating number of increasingly complex security threats and achieve scale.
“Expanding attack surfaces and the escalating severity and complexity of cyberthreats are exacerbated by a chronic shortage of cybersecurity talent. AI can help fill this gap.”
Proactive security posture: Properly trained AI can enable a more proactive security posture and promote cyber resilience, potentially allowing organizations to stay in operation even when under attack and reducing the amount of time an adversary is in the environment. For example, context-rich user behavior analytics can be combined with unsupervised machine learning algorithms to automatically test user activities; recognize typical patterns in network activity or data access; identify, evaluate, and flag anomalies (and disregard false alarms); and decide if response or intervention is intended. And by feeding intelligence to human security specialists and enabling them to actively engage in adversary pursuit, AI enables proactive threat hunting.
Building an AI Security Roadmap
AI will be increasingly important for many manufacturing clients as they undergo the digital transformation of their factories with Industry 4.0 technologies (e.g., smart factories). With the expectation that 175 Zetabytes of data will be generated by 2025[vii], manufacturing clients should begin preparing for AI as it simply cannot just occur overnight. Protecting client data is vital to keeping manufacturing lines operational and the quality of the product intact.
As companies have visited The Smart Factory @ Wichita and discussed their visions for digital transformation, common threads have emerged around security gaps that need to be filled as part of their roadmaps towards achieving an AI-enabled cyber security strategy.
Network segmentation: Data from a company’s Operational Technology (OT) environment (e.g., manufacturing network) will likely need to flow into their enterprise cloud environment as part of their advanced analytics solution to measure various Key Performance Objectives (KPOs) and Key Performance Indicators (KPIs). In many circumstances, little to no network segmentation is in place between a company’s IT environment and their OT environment. A lack of segmentation exposes the manufacturing environment to nefarious actors who could manipulate, deny, or destroy or steal critical data/processes.
“AI’s ability to identify patterns and adaptively learn in real time as events warrant can accelerate detection, containment, and response, help reduce the heavy load on SOC analysts, and enable them to be more proactive.”
Identity access & authentication: It’s integral that all users, not just individuals but also devices and services, have proper controls in place so that only the approved users can authenticate and communicate within the manufacturing environment. Additional controls such as Multi-Factor Authentication (MFA) serve to further enhance security as entities prepare for enabling AI. Authentication can further enable AI as the controls help answer key questions for faster decision making: Is the access originating from a known location? Is a user switching from a private to a public network? Is the time and data pattern for the access during expected hours of work? Is the access from a known device or services that are known to communicate?
Security monitoring: A security monitoring solution helps further enable securing the manufacturing environment by passively sensing the data on the network. As the environment is baselined, the solution continues to listen to the dataflows in the environment to provide visibility in the network, identify vulnerabilities, detect anomalous activity, and report back on it. A security monitoring solution can help further prepare the environment by further understanding OT asset behaviors to detect potential threats. As organizations continue to prepare for an AI-based approach, data from sensors that understand OT communications and protocols become critical for understanding threats in process control environments.
The Way Forward
On its own, AI (or any other technology, for that matter) isn’t going to solve today’s or tomorrow’s complex security challenges. AI’s ability to identify patterns and adaptively learn in real time as events warrant can accelerate detection, containment, and response, help reduce the heavy load on SOC analysts, and enable them to be more proactive. These professionals will likely remain in high demand, but AI will change their roles. Organizations will need to reskill and retrain analysts to help change their focus from triaging alerts and other lower-level skills to more strategic, proactive activities. Finally, as the elements of AI- and machine learning-driven security threats begin to emerge, AI can help security teams prepare for the eventual development of AI-driven cybercrimes in the years ahead. M
[i] Steve Morgan, “Cybercrime to cost the world $10.5 trillion annually by 2025 ,” Cybersecurity Ventures, November 13, 2020.
[ii] Steve Morgan, “Cybercrime to cost the world $10.5 trillion annually by 2025 ,” Cybersecurity Ventures, November 13, 2020.
[iii] CNBC, “Cybercrime could cost $10.5 trillion dollars by 2025, according to Cybersecurity Ventures ,” March 9, 2021.
[iv] PR Newswire, “Artificial intelligence-based cybersecurity market grows by $19 billion during 2021-2025 ,” June 21, 2021.
[v] Cisco, Cisco annual internet report (2018–2023) white paper
[vi] (ISC)², “(ISC)² study reveals the cybersecurity workforce has grown to 3.5 million professionals globally.”
[vii] Tom Coughlin, “175 Zettabytes by 2025,” Forbes, November 27, 2018.
About the authors:
Sharon Chand is a principal at Deloitte & Touche LLP and the Cyber Risk Secure Supply Chain leader for the Cyber Risk Services practice of Deloitte Risk & Financial Advisory.
Ryan Moore is a Deloitte & Touche LLP Senior Manager in the Cyber Risk Services practice.
This article contains general information only, does not constitute professional advice or services, and should not be used as a basis for any decision or action that may affect your business. The authors shall not be responsible for any loss sustained by any person who relies on this article.
More companies are taking a disciplined approach to dealing with the growing threat of cyber attacks, a new MLC survey finds.
The message has been received.
After years of mounting warnings about the risks of being hacked or worse and now faced with a sharply rising number of cyber attacks in the industry, manufacturers have taken concrete steps to fortify their defenses and protect themselves against what is widely assumed will be an even larger threat in the years ahead.
More manufacturers than ever before have put in place formal cybersecurity plans in their companies to deal with threats and attacks. They are significantly increasing their levels of confidence that they have the internal expertise in place to deal with cybersecurity issues. And a majority of companies now have dedicated cybersecurity budgets, including provisions for cyber insurance, and are providing cyber awareness and technical training to their employees.
These are some of the most important findings of the Manufacturing Leadership Council’s new survey on cybersecurity. More than 160 companies expressed their views on cybersecurity strategy in their organizations, whether they have been attacked and what the nature of those attacks were, what measures they have adopted to defend themselves, and how the growing problem of cybersecurity may be affecting their adoption of Manufacturing 4.0 and their transition to the digital model of manufacturing.
Formal Planning Takes Off
A sea change in how seriously manufacturers consider the cyber threat has occurred at the strategy level. Just four years ago, according to MLC’s 2018 cyber survey, barely one-third of manufacturers had devised and adopted formal cybersecurity plans that encompassed their plant floors. Today, the new MLC survey shows that nearly 62% have put such plans in place (Chart 1).
The more serious attitude is directly related to the perceived consequences of cyber attacks. When asked how important cybersecurity is as a business issue, 83% of survey respondents said it is of high importance, compared with 66% saying so in 2018. Moreover, 64% said this year that business disruption is the most significant cybersecurity-related risk to their companies, compared with 58% in 2018. Interestingly, very few fear equipment or product damage from cyber attacks and only 18% this year are worried about the theft of proprietary information (Charts 2,3).
The advent of connected business ecosystems will test current cyber strategies.
Bolstered by the greater focus on formal planning and now regular awareness and technical training for employees on cybersecurity, a growing number of manufacturers feel confident that they have the internal expertise to deal with manufacturing-related cyber issues. This year, nearly 40% of survey respondents said they had a high level of confidence about their internal expertise, compared with 25% saying so in 2018. Another 46% assessed their confidence levels as moderate this year (Chart 4).
More Attacks Expected
Even as better cybersecurity strategies are put in place and confidence in internal capabilities to deal with threats and attacks grows, an overwhelmingly large number of manufacturers expect more attacks in the year ahead, a perception that is no doubt driving much of the greater emphasis on defensive measures.
This year, nearly 79% of survey respondents said they expected more attacks in the next year, compared with 64% expressing that feeling in 2018 about 2019 (Chart 8). The three most cited reasons for this expectation are more criminal activity; greater connectivity in their operations, particularly with Internet of Things technologies; and more cyber terrorism (Chart 9). Of least concern: insider- or supply chain-originated attacks. Phishing, malware, and ransomware are the most prevalent methods of cyber attack cited by respondents overall.
When asked to assess the cyber battlefield and its most important points of vulnerability, survey respondents painted an interesting picture of where conflict is most likely to play out.
Mobile devices, e-mail servers, and laptop computers were cited by respondents as having the highest level of cyber vulnerability – not plant floor equipment or plant floor control systems. Looked at from a business function or activity perspective, a similar dynamic – vulnerabilities caused by external connections – was revealed in the survey data. Social media networks, partner and distribution networks, and supply chain networks were the most cited points of vulnerability – not plant floor networks, design and innovation networks, or field service operations. In addition, respondents said their best protected systems are their ERP and MES systems.
More manufacturers than ever have adopted formal cybersecurity plans.
What these findings suggest is that, as manufacturers go about forging so-called business ecosystems of partners, suppliers, and customers that are increasingly digitally connected, they will have to extend existing cyber strategies and tactics or even create new ones to protect these networks in the future. This is perhaps the next frontier in cybersecurity.
Manufacturers are starting to decode these signals. When asked in this year’s survey whether they have introduced or changed cybersecurity requirements for external partners and vendors with which they share data, 48% said that they had. In addition, 70% said the increase in remote working spurred by the pandemic has caused them to make adjustments to their cyber policies.
The Effects on M4.0
Based on their perception that cyber attacks will increase in the years ahead, more than half of survey respondents expressed concern that cybersecurity issues could affect the speed and scope of adoption of Manufacturing 4.0. Fourteen percent said cyber could be a major obstacle in the next five years, with another 40% describing it as “an issue of concern”. A significant percentage, 43%, consider cyber to be just part of doing business in an M4.0 world (Chart 13).
As they devise their defenses, manufacturers are relying more on internal mechanisms, such as corporate best practices and policies and closer collaboration between IT and OT teams, rather than law enforcement or government regulations (Chart 10).
Moreover, more are taking advantage of publicly available approaches, such as the NIST Security Framework, to underpin their strategies. This year, almost 58% of survey respondents said they have adopted the NIST framework, up from 48% in 2018. In addition, there has been a sharp rise in those subscribing to cyber insurance – 45% today, compared with only 18% in 2018 (Chart 12).
All in all, manufacturers have been moving on multiple fronts to combat the growing cyber problem. The challenge for industrial companies going forward will be to try to stay one step ahead as the number and sophistication of attacks increase even as they expand their digital networks outside the four walls of their business. M
Part 1: CYBERSECURITY STRATEGY AND ORGANIZATION
1. Strong Majority Now Have Formal Cyber Strategies
Q: How would you characterize your company’s approach to dealing with manufacturing cybersecurity?
2 Business Issue Concerns Rise
Q: How important is cybersecurity as a business issue to your company, in terms of securely interconnecting systems or exchanging operating data within, or across, your manufacturing sites and partner companies?
3 Business Disruption Still Leads Cyber Risks
Q: What is the most significant cybersecurity-related risk to your company’s manufacturing operations?
4 Internal Expertise Confidence Rises Sharply
Q: What level of confidence do you have that your company has the internal expertise to deal with manufacturing-related cybersecurity issues?
Part 2: MANUFACTURING CYBER ATTACKS AND EVALUATION
5 Nearly Half Have Suffered Cyber Attacks
Q: Have your company’s manufacturing sites ever been a target or a victim of a cyberattack?
6 Nearly Half Also Say that Attacks Have Increased in the Last Year
Q: Have attacks directed at your company’s plant systems and networks increased over the past year?
7 Frequency of Attacks is Significant
Q: How would you characterize the frequency of attacks?
8 More than Three-Quarters Expect More Attacks Ahead
Q: Do you expect your company to experience more attacks in the year ahead than in the past year?
9 Criminal Activity Cited as Top Reason for More Attacks
Q: If yes, what’s driving the increase?
Part 3: POLICIES TO DEAL WITH CYBER ATTACKS
10 Corporate Polices Seen as Best Defense
Q: What do you think will help the most in improving manufacturing cybersecurity in an M4.0 world?
11 Remote Work Has Forced Cyber Policy Changes
Q: Has an increase in remote work required any new changes or adjustments to your cyber policies?
12 NIST Framework is More Widely Adopted
Q: Are you engaged in, or have adopted, any of the following approaches as a way to better protect your company or mitigate cyber risks?
Part 4: THE FUTURE ORGANIZATION
13 Concerns Rise on Effect of Cyber on M4.0
Q: Over the next 5 years, how much of an obstacle will cybersecurity issues be to the speed and scope of adoption of Manufacturing 4.0 technologies and approaches?
About the author:
David R. Brousell is the Co-Founder, Vice President & Executive Director of the Manufacturing Leadership Council.
Survey development was led by David R. Brousell, with input from the MLC editorial team and the MLC’s Board of Governors.
Manufacturers flocked to Florida this summer to discuss the cultures, skills and technologies necessary for digital transformation at the 2022 Rethink Summit, the signature event of the NAM’s Manufacturing Leadership Council. The MLC is the world’s first member-driven, global business leadership network dedicated to senior executives in the manufacturing industry.
The big event: The first in-person Rethink since 2019, this year’s summit drew the largest crowd since the annual event began 18 years ago.
- The conference in Marco Island, Florida, hosted some of the most innovative leaders and teams in the industry, from companies such as Pfizer, Intel, Dow, Saint-Gobain and many more.
- Participants learned about real-world advances and shared best practices in supply chain resilience, effective business cultures, machine learning, business ecosystems and more—as explained by industry experts who put these innovations into practice themselves.
The panels: Here is a quick sample from the array of manufacturing expertise on offer.
- A Pfizer case study: Pfizer Vice President of Digital Manufacturing Mike Tomasco explained how Pfizer Global Supply transformed itself from a digitally siloed operation to a world-class digital powerhouse.
- Bridging the digital divide: A panel of leaders—including Graphicast President Val Zanchuk, BTE Technologies President and NAM SMM Board Chair Chuck Wetherington and Intel Senior Director of Industrial Innovation Irene Petrick—discussed how small and medium-sized manufacturers can keep up with the digital transformation occurring throughout the industry.
- Reaching the next generation: A panel of young manufacturing leaders from Dow, Cooley Group and Saint-Gobain North America discussed what young people are looking for in manufacturing jobs, including interdisciplinary teams and lots of communications up and down the organization levels.
A week of manufacturing: The Rethink Summit was only one highlight of a week of manufacturing events put on by the MLC. The roster of events also included the MLC’s Council Day and the ML Awards Gala.
- Council Day offers MLC members the opportunity to chart the agenda for the MLC’s next year, thus influencing how the whole industry thinks about and plans for digital innovation.
- The Awards Gala spotlights companies and individuals doing incredible work to advance M4.0. The black-tie event honored leaders and companies in 11 project categories, plus the Manufacturers of the Year and Manufacturing Leader of the Year.
- This year, the MLC named Pfizer CEO Dr. Albert Bourla the Manufacturing Leader of the Year, for Pfizer’s extraordinary and ongoing contributions in fighting the COVID-19 pandemic.
The last word: “[T]he fundamental shift in our economy to doing business digitally in all industries, including manufacturing, not only continues but is gaining greater speed and urgency,” said MLC Co-Founder David R. Brousell during an address at Rethink.
Join us next year: Keep up to date with the MLC by visiting the website and stay tuned for Rethink 2023!