Industry 4.0 has helped businesses accelerate the transformation of their industries in terms of competitiveness, operational efficiency and time to market, all of which translate directly into increased profitability. However, with such interconnectedness, the threat of cyberattacks has become more prevalent than ever.
Outside of natural disasters such as power outages, theft, earthquakes, etc., cybersecurity is one of the most important threats businesses need to pay attention to in order to maintain business continuity. This is because a lack of adequate cybersecurity could bring a business to a complete halt in the face of a cyberattack. Hence, it is imperative for organizations to take cybersecurity into consideration when making future strategic decisions, so the business can be adequately prepared in the event of a cybersecurity incident.
Industry 4.0 happened at a rapid pace and most industries were ill prepared for the change. Now that the changes of Industry 4.0 have become permanent, it’s time to review the various elements that invited cyber risks to the industrial ecosystem, so necessary steps can be taken to protect the industrial environment.
- Lack of ICS/OT Security expertise
- Incomplete security policies and inadequate cybersecurity budget
- Complex supply chain management
- Technology constraints
Lack of ICS/OT expertise
The key obstacle for companies adopting Industry 4.0 security measures is the lack of qualified information security expertise. Personnel deploying security solutions have little domain knowledge, often limited to IT and OT security. Expertise in multiple fields (such as cybersecurity, IT security, embedded systems and OT security) is required in the Industry 4.0 and smart manufacturing industries. Hence, finding qualified cybersecurity experts able to satisfy Industry 4.0 cybersecurity needs is a challenge that remains to be addressed.
Personnel who have traditionally supported OT environments require time to adapt to the new environment and its challenges. Given the rapid introduction of Industry 4.0, existing personnel have a big gap to fill. Secure integration of modern technology with legacy systems and understanding the complexities of new protocols are just a few of the elements involved. Another challenge that remains is the ability of existing personnel to adapt their working style and incorporate the latest technical know-how with limited time and support.
To address the lack of Industry 4.0 security talent, businesses need to develop employees’ knowledge in understanding the latest technical methods and tools for IT and OT system security. Specialized cybersecurity training needs to be carefully studied and delivered by security leaders within each business organization. To increase the effectiveness of the training, subject matter experts from outside of the organization could be considered.
Incomplete security policies and inadequate cybersecurity budget
Quite often, businesses lack a suitable management structure to maintain the new and existing technologies of Industry 4.0. Businesses are vulnerable to potential security breaches when they fall behind on recruiting the required security professionals to undertake cybersecurity related operations. Furthermore, responsibilities of these personnel may not be clearly defined.
There might be multiple reasons why companies fall behind on mobilizing the required resources for cybersecurity operations. One of the reasons is the allocation of budget for cybersecurity operations. Cybersecurity departments often struggle to demonstrate how they have contributed to increasing a company’s revenue. Hence, such functions are viewed within the business as supportive functions and as an expense. As a result, they do not get the budget required to fulfill the necessary requirements of the cybersecurity program in the organization. This happens mainly because the ultimate goal of the business is to be profitable and make more money for shareholders, and management finds it difficult to answer how increasing the number of security engineers will optimize and reduce company costs.
It is worth noting that the security of the system or the robustness of the solution requires financial support from the company’s management. It is a common view of businesses that the investment in cybersecurity has had no visible results that translate to revenue or profits. Striking the right balance between company costs and cybersecurity spending is a big challenge. Businesses usually give due consideration to cybersecurity issues when there is evidence that a security breach would directly result in financial loss.
Furthermore, the transition from existing technologies to emerging technologies of Industry 4.0 is usually because companies want to be able to add new functionality and business value, not primarily to improve cybersecurity.
Enterprises need to correct their security attitude, and management should not think of a network security program as just an expense or formality. “While industry leaders should not be alone in accepting responsibility for this failure, they must take the initiative to make life harder for cyber threat actors” (Scully, 2013). For industries and organizations, cybersecurity is not only a cost, but a significant business opportunity. This is because one of the important competitive advantages of a business is cybersecurity, as adequate cybersecurity services give customers confidence in a company’s ability to provide safe, reliable products and services. Therefore, cybersecurity is not an obstacle to business opportunities, but one of the factors that contribute to business interests.
Complex supply chain management
The innovation of Industry 4.0 technology has made management more difficult, particularly supply chain management in manufacturing. Although companies are able to determine supply chain characteristics (for example, a significant part of the supply chain is controlled by one company when it manufactures its own components), companies often rely on others to take over parts of the work. With the introduction of smart manufacturing, new capabilities (such as predictive analytics, automation and data-driven decision making) have additional impact on the supply chain. Therefore, the effective management of the supply chain becomes more complex. Supply chains are becoming more dynamic, flexible, and demanding in terms of performance.
Existing and new security risks have wider implications as supply chain interdependence increases. Scalability is one of the most important issues because of the large number of people, organizations and processes involved. Companies need to make many decisions (such as choosing the right vendor, whether a collaborative approach can be agreed upon, how the two parties will establish organizational processes, etc.). These decisions will determine the safety of the final product. Effective control of the supply chain is critical because there is no way to trace the origin of each component, and failure to do so can undermine a company’s confidence in product safety.
Security incidents may occur at different levels and stages because supply chain actors may be subject to different national legislative frameworks. Such events may occur in connection with the exchange of goods, services or information and therefore may result in the spread of risk throughout the supply chain. Any security breach in the supply chain can negatively impact the security of the final product.
Cybersecurity is a shared responsibility of every employee in an enterprise. Cybersecurity becomes an even more pressing reality when it comes to complex supply chains and multiple players. First, the foundation of a secure supply chain is trust, as the risk assessment process and appropriate security controls will be influenced by how much a company trusts another company. How much trust a party receives determines how much risk it can take on in a large supply chain, which allows an appropriate level of security to be defined.
Technology constraints
The lack of sufficient security capabilities to connect industrial equipment and systems is one of the difficulties in Industry 4.0 security. The constraints of embedded systems present significant challenges (as with low-end ICS and PLCs, which face many issues that directly affect their security). Several constraints greatly influence the implementation of comprehensive safety features at the design stage, such as meeting device size requirements, limited processing power, the need to ensure long-term operation, and pricing the device competitively while still including non-negotiable functional and operational requirements. However, when the designer does not incorporate basic cybersecurity features when designing an Industry 4.0 device, the organization that adopts the device may be vulnerable to evolving cyberthreats targeting the industrial ecosystem.
Instead of viewing cybersecurity as an overhead, incorporating fundamental security features at the design stage will greatly benefit industries and vendors alike.
Conclusion: Cybersecurity is a shared responsibility within a modern industrial environment and there must be no exceptions to it in any organization. The cybersecurity threat against industrial organizations cannot be approached in silos or in isolation. Management and various departments must come together to support this business-critical element. Organizations must allocate sufficient budget to undertake an effective cybersecurity program. Policies within an organization must embrace cybersecurity as an enabler for the business, instead of viewing it as an overhead. Employees must be trained with the required knowledge to understand the importance of cybersecurity and armed with the technical know-how to protect, defend and respond to a cyberthreat.