Industrial plants increasingly adopt smart technologies for digitalisation, but poor cybersecurity in operational technologies (OT) can be exploited. According to our 2024 Global Digital Trust Insights report, 42% of companies are concerned about attacks on digitally connected devices. Such attacks can have disastrous consequences for the company, environment and society. Companies must identify and control vulnerabilities in their operating models, and establishing secure operating models during ongoing operations is crucial to protect against cyber threats. With the increasing incidence of cyberattacks and ever-higher damages, companies are under enormous pressure to act.
Based on our daily consulting experience in the OT environment, we have identified five fields of action that improve industrial security and prevent damage:
Development of an OT strategy (with reference to IEC 62443) and an industrial security strategy.
Development of an industrial security target operating model.
Linking business continuity and industrial security.
Supplementing service provider management with industrial security aspects.
Strengthening IT/OT security architecture competence.
Information security is already a top priority on the leadership agenda. The digitalisation and increasing interconnection of critical infrastructure and production facilities, coupled with a simultaneous rise in cyberattacks by professional hacker units and state actors, are leading to an unprecedented threat situation. To exacerbate matters, the latest technologies often encounter outdated legacy facilities and systems that were never intended to be interconnected.
Security aspects are usually well-considered in pioneering industries where products are networked or production processes have been modernised and digitised. However, this is often not the case with legacy production processes and technologies used in critical infrastructure. Digitising these processes often involves adding features like remote maintenance and monitoring functions to legacy control systems using insecure technology and interfaces.
The potential consequences of this situation are enormous, and many companies are well aware of them. Considering the tensions between digitalisation, competition, and customer needs, industrial security remains an unspoken issue. Studies also reveal that even successful certifications do not guarantee sufficient security.
IT and OT converge when legacy technology is interconnected and enhanced with digital capabilities. Business leaders should not underestimate the risks of this convergence for several reasons:
In times of geopolitical conflict, economic espionage and terrorism, industrial plants are targets with high blackmail potential, even beyond critical infrastructures.
Destroyed production batches, robots that go rogue, power outages in entire districts: the damage potential for OT attacks is often immensely greater than for pure IT incidents.
There is often a lack of mature technical and organisational protective measures. If a non-connected facility suddenly needs to be accessible via the internet, insecure workarounds are often used. Inadequately protected remote access or lax rules for physical access are not uncommon.
In many places, outdated operating systems are no longer supported by the manufacturer. Replacements or updates often require fundamental changes in production processes and associated investments that can cost millions.
Many companies—from the critical infrastructure sector, for example—as well as many SMEs, are economically forced to digitise quickly to meet customer needs and avoid losing revenue. On the other hand, they are obliged by law to comply with stricter regulations, such as the Network and Information Security Directive 2 (NIS2).
In conclusion, an overarching industrial security strategy is becoming a must for companies. How can IT/OT convergence be secured for physical and cyber safety, and how can partners be integrated effectively?
In operational reality, OT security and the digitalisation of industrial plants are evolving topics. Beyond operational safety or operational maintenance, they are rarely strategically planned or systematically addressed. Digital and networked OT security can offer business benefits and introduce overlooked risks to production facilities.
Companies often overlook that OT security is an ongoing process with unique needs. IT security departments lack OT understanding, and OT operators may not grasp IT security. Strategic alignment and new operating models are crucial for adapting to technological changes in IT infrastructure and production systems.
OT security is often neglected, and it shouldn’t be treated as an additional burden for busy employees: doing so places extra responsibilities on already overworked manufacturing staff. As the demand for skilled workers continues to rise, companies must establish a role structure that considers the evolving needs of the connected industry.
Industrial plants have always been specialised, complex and costly. When companies aim to network their entire production digitally, they often rely on manufacturers or external providers, leading to a fragmented market that makes it challenging to establish uniform security standards.
Based on our consulting experience in the OT environment, we have identified five fields of action that help to improve industrial security and prevent damage. They are:
A uniform understanding of an overarching OT strategy is required for the safety capabilities of networked plants and machines to grow with the risks. This is because corresponding plants and systems are often distributed across different business units without a strategic orientation (e.g. concerning technological leaps or service provider integration). Therefore, there is often no corresponding role to discuss, coordinate and take responsibility for such considerations and developments across the board. At a minimum, an OT coordinator or an OT architect is needed here. The overarching industrial security strategy must then be aligned with this OT strategy. Integrated consideration of OT security, IT security, physical security, business continuity and integrated product security are all necessary components of the transition from the initial concept to quality-of-life maintenance long after delivery.
How can centralised and decentralised roles and responsibilities be effectively assigned in the context of the OT security strategy? What principles should the design of a target operating model be based on? Stability and a high level of security are achieved when the target operating model is comprehensively derived and closely coordinated with the relevant stakeholders.
Successful companies are raising awareness that the security of networked industrial plants is a direct factor in business continuity management and employees need to be trained accordingly. A failure of OT caused by cyberattacks often has enormous economic consequences, which can threaten the company’s existence. In the case of critical infrastructure companies, these effects can also spread to society and the environment. Explicit transparency at the management level about the respective business impact and integrated emergency plans are therefore vital from a regulatory point of view and are also in the company’s best interest.
A clear strategy for dealing with OT service providers and suppliers, and corresponding contract management, helps implement an adequate security level in partnership and proceed on an equal footing.
Increased networking must be countered with systematic control and management of the underlying architecture. If companies decouple and segment their systems, in an emergency only part of the systems is affected—not the entire OT. Another example of risk reduction is applying the zero-trust approach for OT (i.e. an IT security model with a strict identity check for all devices that want to access resources in a network).
While the primary focus of cybersecurity has been on the interruption of IT systems, which affects all industries, there has been an increase in the number of attacks targeting OT, an area that is increasingly blending with IT within the manufacturing sector. Industrial cybersecurity is often the elephant on the factory floor. Addressing it is therefore the order of the day, before critical damage occurs.