Cybergefahren in der digitalen Supply Chain - Roger Müller

Date post: 22-Jan-2017
Page 1: Cybergefahren in der digitalen Supply Chain - Roger Müller

Cybergefahren in der digitalen Supply Chain

The PRISM of PRIvacy, Security and regulatory coMpliance

Roger Müller, Director PwC Consulting and Head Supply Chain & Operations, PricewaterhouseCoopers AG

Rodney Fortune, Manager, Cybersecurity, PricewaterhouseCoopers AG

Page 2: Cybergefahren in der digitalen Supply Chain - Roger Müller

© GS1 Switzerland 2016 11. GS1 Forum Logistics & Supply Chain | 2. März 2016

The fourth industrial revolution has started – but is your Supply Chain safe against cyber threats?

Figure: the four industrial revolutions on a timeline (1800, 1900, 2000, 2014, 2020; vertical axis: flexibility and complexity)

• Industry 1.0 (end of 18th century): steam engine manufacturing
• Industry 2.0 (beginning of 20th century): mass production and assembly lines
• Industry 3.0 (1970s): automation and robotics
• Industry 4.0 (2015+): digitization and integration of value chains and products/services (Internet of Things/Services); new digital business models; integrated data analytics as core capability; digital enterprise

Page 3: Cybergefahren in der digitalen Supply Chain - Roger Müller


Page 4: Cybergefahren in der digitalen Supply Chain - Roger Müller


Towards a new industrial revolution – The Industry 4.0 framework

Source: PwC Industry 4.0 Study, 2015

Figure: the Industry 4.0 framework

Digital core elements:
• Digitization and integration of vertical and horizontal value chains
• Digitization of product and service offerings
• Innovative digital business models

Digital enablers:
• Compliance, security, legal & tax
• Organisation, employees and digital culture
• IT architecture and data management

Because of the Internet, mobile devices, applications, and cloud computing, companies and their suppliers can now share a large amount of data at the click of a button.

Today, information about everything from order volumes and capacity status to activity-based management protocols and transportation metrics is electronically transmitted between business partners.

Cybersecurity is essential in order for Industry 4.0 to work, not only in technological terms, but also in terms of the processes in the value chain.

Page 5: Cybergefahren in der digitalen Supply Chain - Roger Müller


The integrated use of data is the core capability within the framework of Industry 4.0

Importance of data and analysis capabilities within Industry 4.0 (rating scale 1-5)

                                                            Important (4,5)   Neither nor (3)   Not important (1,2)
Generation of additional data
(e.g. through expanded sensor technology)                          93%               5%                  2%
Use of real-time data to control production                        76%              22%                  2%
Clear labeling (barcode, RFID, NFC)                                68%              20%                 12%
Use/exchange of data with cooperation partners                     61%              27%                 12%
Analysis of extensive amounts of data in real time                 61%              27%                 12%
Efficient exchange of data along the own value-add chain           54%              20%                 26%

Source: PwC Industry 4.0 Study, 2015

Page 6: Cybergefahren in der digitalen Supply Chain - Roger Müller


Cyber Threats are real and affect business and life

91% of large organisations and 87% of small businesses had security breaches in the last year.

• Cyber security is now a persistent business risk

• Organisations are undoubtedly worried about the rising tide of cybercrime

• Looking at security investments by industry shows that spending is down in most sectors, with a few notable exceptions.

• The black markets for stolen data are growing in size and complexity.

Source: PwC, The Global State of Information Security Survey 2015

Page 7: Cybergefahren in der digitalen Supply Chain - Roger Müller


The dilemma: functionality and simplicity versus security

Three drivers: digitization, globalization and the human being.

The human being – the 10-80-10 rule of honesty: according to insiders, it is considered proven that only 10% of adults are completely honest. For 80%, it depends on the environment, and 10% are dishonest.

Digitization: the digital transformation will change the way people do business. The danger to businesses and their customers from hacking and cyberattacks has become pervasive.

Globalization: the markets and the customers are global, not local. Laws and regulations, as well as jurisdiction, are national.

Page 8: Cybergefahren in der digitalen Supply Chain - Roger Müller


Industry 4.0 and Security – Trust versus Risk profile?

Cybersecurity is more than an IT challenge—it’s a business imperative.

New technologies, well-funded and determined adversaries, and interconnected business ecosystems have combined to increase your exposure to cyberattacks.

Your critical digital assets are being targeted at an unprecedented rate and the potential impact to your business has never been greater.

• Can I trust my communication tools?
• Can I trust my data and information?
• Can I trust my identity?
• Can I trust my business partner?
• Can I trust my technology?

Page 9: Cybergefahren in der digitalen Supply Chain - Roger Müller


Industry 4.0 - Adapt to the new realities of cybersecurity

With Industry 4.0, information and data have become a critical supply chain asset, making it increasingly important to protect your data.

Information sharing is not limited to supply chain functions like transportation, distribution, logistics, warehousing, inventory management, sourcing, procurement, and order and production planning. Companies share proprietary data across their value chain.

Supply chain managers must play a larger role in cybersecurity

Figure: horizontal value-add chain (network) – supplier network, supplier, company, customer, customer network and cooperation partner, linked through purchasing, production and logistics; vertical value-add chain (company) – product development (R&D), planning, purchasing, production, logistics, sales and service.

Page 10: Cybergefahren in der digitalen Supply Chain - Roger Müller


Each organisation has a unique environment and therefore specific requirements

Figure: technology risks mapped against the layers of the enterprise – your business vision, business processes, business applications, devices, systems and platforms, network and communication, digital data.

Three steps: identify valuable data, identify threats & risks, apply appropriate protection.

Page 11: Cybergefahren in der digitalen Supply Chain - Roger Müller


Industrial processes demand a high level of connectivity between components of a vertical supply chain

Vertical integration of supply/value chain processes – potential cyber threats:

• Cyber attacks on CPS (cyber-physical systems), incl. industrial espionage
• Privacy
• Reverse engineering
• Knowledge of hardware by integrators, incl. manufacturers
• Non-restricted staff access to critical components, systems and data

Figure: vertical integration from planning down to the shop floor, with cyber security spanning all levels
• Planning/ERP: enterprise resource planning (ERP), cloud/data management, horizontal integration with partners
• Manufacturing Execution System (MES): machine-to-machine communication, engineering for “lot size”
• Shop floor: machine, sensors/control, product sensors & control, Internet of Things, new technologies (e.g. 3D print), autonomous logistics

Page 12: Cybergefahren in der digitalen Supply Chain - Roger Müller


Digitally driven horizontal integration across value chains allows the creation of a virtual SC model

Figure: Integrated Planning & Operations – cross-tier inventory optimization. Suppliers, Tier 1 (HQ and plants: inventory, machining, assembly, inventory), OEM (engine 1, engine 2, … engine n), dealer and end customer, with make-to-order flows and forecast / forecast planning data passed back along the chain for market 1 and market 2.

Digital implications: real-time/near-real-time forecast data propagation can increase efficiency, e.g. optimizing supplier inventory levels.

Figure: Virtual Supply Chain Model. Information flows and material flows between component suppliers, IDMs, contract electronics manufacturers (OEM/CEM) and customers, each running plan, source, make and deliver (P, S, M, D) stages and connected through an information hub.

Page 13: Cybergefahren in der digitalen Supply Chain - Roger Müller


Greed, absence of ethics and weak prosecution / sanctions

Adversary motives and tactics evolve as business strategies change and business activities are executed. Not only the ‘good guys’ use technology for their benefit (CCaS / Cyber Crime as a Service)!

Adversaries: organized crime, hacktivists, nation state, insiders.

What’s most at risk?
• Emerging technologies
• Executive travel
• Automation
• Health and safety records
• Business deals information
• Information and communication technology and data
• Industrial Control Systems (SCADA)
• Geological surveys and industrial design (intellectual property)
• Third-party connections

Input from Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.

Page 14: Cybergefahren in der digitalen Supply Chain - Roger Müller


Industry 4.0 and Data Security – Introducing the concept of «PRISM»

Figure: the PRISM concept

Megatrends: digital operations (Industry 4.0); dependence on and abuse of IT increases (cyber resilience).

Applied Digital Trust (PRISM) spans the business processes of the firm and its supply chain (suppliers and clients):
• Digital PRIvacy
• Cyber Security
• Regulatory CoMpliance

Page 15: Cybergefahren in der digitalen Supply Chain - Roger Müller


Applied Digital Trust (PRISM) as an integral part of electronic business processes

Guiding Principles:

1. Processes should be designed and displayed electronically so that the system only allows what is possible.
2. Process steps must be designed in a way that controls are integrated and compliance-related data are collected systematically and continuously.
3. Data analysis and continuous auditing lay the foundations for compliance-related data to be systematically analyzed and reported.

Figure: process-integrated compliance – processes, controlling and QA*, and data. Access data, process data and transaction data are measured continuously and fed into reports and data analytics / big data.

* Quality assurance
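The three guiding principles can be made concrete in code. What follows is an added example, not material from the slide deck or from PwC: a constructed purchase-order workflow in which only the defined state transitions exist at all (principle 1), role checks, segregation of duties and a four-eyes rule are part of every step and each step writes a control record (principle 2), and a continuous-audit routine analyses the collected records and reports (principle 3). All names, roles, order values and the approval threshold are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Allowed state transitions of a purchase order. Anything not listed here is
# impossible by construction (principle 1: the system only allows what is permissible).
TRANSITIONS = {
    ("draft", "submit"): "submitted",
    ("submitted", "approve"): "approved",
    ("submitted", "reject"): "rejected",
    ("approved", "pay"): "paid",
}
# Role required for each action: segregation of duties is built into the process (principle 2).
ROLE_FOR_ACTION = {"submit": "requester", "approve": "approver",
                   "reject": "approver", "pay": "finance"}
FOUR_EYES_LIMIT = 10_000  # constructed threshold: larger orders need two distinct approvers


@dataclass
class PurchaseOrder:
    po_id: str
    amount: int
    requester: str
    state: str = "draft"
    approvers: List[str] = field(default_factory=list)


@dataclass
class ControlEvent:
    """Compliance-related data captured automatically at every process step."""
    po_id: str
    action: str
    actor: str
    role: str
    outcome: str  # "allowed" or "denied"
    reason: str


class Workflow:
    def __init__(self, roles: Dict[str, str]):
        self.roles = roles                     # actor -> role (hypothetical directory)
        self.orders: Dict[str, PurchaseOrder] = {}
        self.events: List[ControlEvent] = []  # the audit trail

    def create(self, po_id: str, amount: int, requester: str) -> PurchaseOrder:
        self.orders[po_id] = PurchaseOrder(po_id, amount, requester)
        return self.orders[po_id]

    def _record(self, po_id: str, action: str, actor: str, outcome: str, reason: str) -> bool:
        self.events.append(ControlEvent(po_id, action, actor, self.roles.get(actor, "unknown"), outcome, reason))
        return outcome == "allowed"

    def act(self, po_id: str, action: str, actor: str) -> bool:
        """Attempt one process step; True only if every integrated control passed."""
        po = self.orders[po_id]
        role = self.roles.get(actor, "unknown")
        next_state = TRANSITIONS.get((po.state, action))
        if next_state is None:
            return self._record(po_id, action, actor, "denied", f"no transition {po.state}->{action}")
        if ROLE_FOR_ACTION[action] != role:
            return self._record(po_id, action, actor, "denied", f"role {role} may not {action}")
        if action in ("approve", "pay") and actor == po.requester:
            return self._record(po_id, action, actor, "denied", "segregation of duties: own order")
        if action == "approve":
            if actor in po.approvers:
                return self._record(po_id, action, actor, "denied", "duplicate approval")
            po.approvers.append(actor)
            if po.amount > FOUR_EYES_LIMIT and len(po.approvers) < 2:
                # First of two required approvals: the step is allowed, the state does not change.
                return self._record(po_id, action, actor, "allowed", "first of two approvals")
        po.state = next_state
        return self._record(po_id, action, actor, "allowed", f"state -> {next_state}")


def continuous_audit(wf: Workflow) -> dict:
    """Principle 3: analyse the collected control data and report systematically."""
    denied = [e for e in wf.events if e.outcome == "denied"]
    denials_by_actor: Dict[str, int] = {}
    for e in denied:
        denials_by_actor[e.actor] = denials_by_actor.get(e.actor, 0) + 1
    # Effectiveness check: every paid order had the required distinct approvers, none the requester.
    findings = []
    for po in wf.orders.values():
        required = 2 if po.amount > FOUR_EYES_LIMIT else 1
        if po.state == "paid" and (len(set(po.approvers)) < required or po.requester in po.approvers):
            findings.append(po.po_id)
    return {"steps_total": len(wf.events), "steps_denied": len(denied),
            "denials_by_actor": denials_by_actor,
            "paid_orders": sorted(p.po_id for p in wf.orders.values() if p.state == "paid"),
            "findings": findings}


def demo() -> dict:
    """Constructed run: one small and one large order, with a few blocked attempts."""
    wf = Workflow({"alice": "requester", "bob": "approver", "carol": "approver", "dave": "finance"})
    wf.create("PO-1", 5_000, "alice")
    wf.act("PO-1", "submit", "alice")   # allowed
    wf.act("PO-1", "approve", "alice")  # denied: requesters cannot approve
    wf.act("PO-1", "pay", "dave")       # denied: nothing to pay before approval
    wf.act("PO-1", "approve", "bob")    # allowed -> approved
    wf.act("PO-1", "pay", "dave")       # allowed -> paid
    wf.create("PO-2", 25_000, "alice")
    wf.act("PO-2", "submit", "alice")   # allowed
    wf.act("PO-2", "approve", "bob")    # allowed: first of two approvals
    wf.act("PO-2", "approve", "bob")    # denied: duplicate approval
    wf.act("PO-2", "approve", "carol")  # allowed -> approved
    wf.act("PO-2", "pay", "dave")       # allowed -> paid
    return continuous_audit(wf)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the denied attempts are not policy violations discovered later by an auditor: they never changed the order, and the same event stream that blocked them is what the audit report is computed from, so the controls are measured every time they run rather than sampled afterwards.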

Page 16: Cybergefahren in der digitalen Supply Chain - Roger Müller


Applied Digital Trust (PRISM) requires the collection and preparation of relevant data

Figure: PRISM data collection architecture

• People, processes, technology – governance & control framework; strategy and risk appetite; requirements & policies; regulation & standards
• Security, privacy and compliance information (big data) feeding the PRISM dashboard(s) and data analytics (SIEM, etc.)
• Digital data, classified and separated in trust domains
• ICT infrastructure on premise, outsourced or in the cloud; infrastructure, device and data management; compliance management
• Users and devices: trusted? compliant?

Sec & Compliance Layer 1: user and device identification
Sec & Compliance Layer 2: infrastructure and data access
Sec & Compliance Layer 3: gateways and zone transitions
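The three security and compliance layers and the analytics feed can be shown as one decision path. The following is an added example, not part of the slide deck or of any PwC tooling: a constructed zone-transition gateway that checks user and device identification first (layer 1), then whether the user's clearance covers the classification of the requested data (layer 2), then whether the destination zone is trusted enough to receive that classification (layer 3), and writes one structured event per decision in the JSON-lines form a SIEM ingests. The trust-domain labels, device inventory, user names and file names are all constructed for illustration.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Trust domains in ascending order of sensitivity (constructed labels). Data,
# user clearances and network zones are all rated on this one scale so that
# the layers below can compare them.
TRUST_RANK = {"public": 0, "partner": 1, "internal": 2, "restricted": 3}


@dataclass(frozen=True)
class Principal:
    user: str
    device_id: str
    device_compliant: bool  # constructed attribute, e.g. managed and patched
    mfa: bool
    clearance: str          # highest trust domain the user may access


@dataclass(frozen=True)
class Request:
    principal: Principal
    object_name: str
    classification: str     # trust-domain label attached to the data
    dest_zone: str          # zone the data would be delivered into


class Gateway:
    """Zone-transition gateway applying the three layers in order; first failure wins."""

    def __init__(self, known_devices: Set[str]):
        self.known_devices = known_devices  # device inventory used by layer 1
        self.events: List[Dict] = []        # structured events for the SIEM

    def layer1_identify(self, p: Principal) -> Optional[str]:
        """Layer 1: is the user/device known, compliant and strongly authenticated?"""
        if p.device_id not in self.known_devices:
            return "unknown device"
        if not p.device_compliant:
            return "device not compliant"
        if not p.mfa:
            return "multi-factor authentication missing"
        return None

    def layer2_data_access(self, req: Request) -> Optional[str]:
        """Layer 2: the user's clearance must cover the data classification."""
        if TRUST_RANK[req.classification] > TRUST_RANK[req.principal.clearance]:
            return "clearance below data classification"
        return None

    def layer3_zone_transition(self, req: Request) -> Optional[str]:
        """Layer 3: data must not cross into a zone less trusted than its label."""
        if TRUST_RANK[req.dest_zone] < TRUST_RANK[req.classification]:
            return "destination zone below data classification"
        return None

    def decide(self, req: Request) -> bool:
        checks = ((1, lambda: self.layer1_identify(req.principal)),
                  (2, lambda: self.layer2_data_access(req)),
                  (3, lambda: self.layer3_zone_transition(req)))
        decision, layer, reason = "allow", None, "all layers passed"
        for number, check in checks:
            failure = check()
            if failure is not None:
                decision, layer, reason = "deny", number, failure
                break
        self.events.append({"user": req.principal.user, "device": req.principal.device_id,
                            "object": req.object_name, "classification": req.classification,
                            "dest_zone": req.dest_zone, "decision": decision,
                            "layer": layer, "reason": reason})
        return decision == "allow"

    def siem_lines(self) -> List[str]:
        """One JSON line per decision, the form a SIEM ingests."""
        return [json.dumps(e, sort_keys=True) for e in self.events]


def repeated_denials(events: List[Dict], threshold: int) -> List[str]:
    """Analytics step: users whose denied requests reach the threshold."""
    counts: Dict[str, int] = {}
    for e in events:
        if e["decision"] == "deny":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)


def demo() -> Dict:
    """Constructed traffic: one legitimate read and four requests failing different checks."""
    gw = Gateway(known_devices={"lt-0001", "lt-0002"})
    alice = Principal("alice", "lt-0001", True, True, "internal")
    alice_byod = Principal("alice", "tab-9999", True, True, "internal")
    bob = Principal("bob", "lt-0002", False, True, "restricted")
    results = [
        gw.decide(Request(alice, "forecast.csv", "internal", "internal")),       # allow
        gw.decide(Request(alice, "contracts.pdf", "restricted", "internal")),    # deny, layer 2
        gw.decide(Request(alice, "forecast.csv", "internal", "partner")),        # deny, layer 3
        gw.decide(Request(alice_byod, "forecast.csv", "internal", "internal")),  # deny, layer 1
        gw.decide(Request(bob, "contracts.pdf", "restricted", "restricted")),    # deny, layer 1
    ]
    return {"results": results, "events": gw.events, "siem": gw.siem_lines(),
            "flagged": repeated_denials(gw.events, 3)}
```

Note that a request is rejected at the first layer that fails, so the event says which layer blocked it; the third request is the interesting one for a supply chain, because the user and device are fine and the user may read the data, yet moving internal data into the partner zone is still refused by the gateway. The repeated-denials count is the kind of signal the slide's "data analytics (SIEM, etc.)" box is meant to produce from those events.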

Page 17: Cybergefahren in der digitalen Supply Chain - Roger Müller


Two options how to avoid digital data loss: A: protect and monitor or B: detect and respond

Prevent & Protect – ‘Crown jewels’ must be identified and their protection prioritised, monitored and adjusted accordingly.
• Technology risk strategy
• Security architecture
• Target operations model
• Security governance
• Security assessments

Monitor & Detect – Detect malware, attacks and data exfiltration quickly and reliably.
• Breach indicator assessment
• Data analytics for security information
• Threat intelligence

Respond & Remediate – Respond to incidents efficiently and effectively. Remediate and learn.
• Incident response
• Forensic services
• Crisis management
• eDiscovery
• Data analytics

‘Data protection by design’ by considering people, processes and technology

Page 18: Cybergefahren in der digitalen Supply Chain - Roger Müller


Five Steps to identify and protect enterprise data appropriately

• Assess cyber risks and ensure the risk landscape is aligned with risk appetite. Reduce, avoid or transfer unacceptable risks.
• Select applicable cyber threat scenarios (10-15) and analyse the impact to your business data and customer data.
• Identify your most valuable information assets, align your cyber security strategy with business objectives and get funding.
• Analyse current safeguards and their effectiveness, assess vulnerabilities in your infrastructure and supply chain.
• Implement safeguards, monitor effectiveness, improve processes for earlier detection and reduce the time from detect to respond.

Page 19: Cybergefahren in der digitalen Supply Chain - Roger Müller


Summary: Applied Digital Trust by PRISM – Privacy, Security and regulatory compliance?

Stepwise procedure:

1. The industrial sector will change in the coming years due to industrialization / digitization. This is a chance to integrate "Applied Digital Trust".
2. Digital Trust calls for requirements of privacy, security and regulatory compliance that are formulated not only as a policy, but are integrated into the technical infrastructure.
3. Security, privacy and compliance should be consolidated into a common architecture and integrated in the process (and not appended).
4. The processes should be designed in a way that only those things are possible which are permissible.
5. Controls should be designed so that their effectiveness is constantly measured and the enforcement of the rules is ensured.
6. Digital Trust shall define which reports are to be generated in order to provide quality assurance / so that the auditors are satisfied.

Applied Digital Trust through PRISM is the discipline of designing products or processes that have very low tolerances, are repeatable, and are stable over time

Page 20: Cybergefahren in der digitalen Supply Chain - Roger Müller


Thank you – Your PwC Industry 4.0 experts. Talk to us…

Rodney Fortune, Manager Cybersecurity
Cybersecurity: Threat, Vulnerability & ICS Specialist, Switzerland
PwC Risk Assurance, PricewaterhouseCoopers AG, Birchstrasse 160, CH-8050 Zurich, Switzerland
Direct +41 58 792 19 46, Mobile + 41 79 128 67 [email protected]

Roger Müller, Director
Head Supply Chain & Operations Switzerland, Industry 4.0 Lead
PwC Management Consulting, PricewaterhouseCoopers AG, Birchstrasse 160, CH-8050 Zurich, Switzerland
Direct +41 58 792 1637, Mobile +41 79 878 [email protected]

Page 21: Cybergefahren in der digitalen Supply Chain - Roger Müller


PwC’s Global Operations Consulting Network – From Strategy to Execution (Category of One)

PwC's global operations practice connects clients' strategies with execution.

We start with the premise that operations can and should be a strategic asset, and we bring the industry, functional, and technology depth required to rapidly close the gap between ideas and results.

Integrated, best-of-breed capabilities and thought leadership

Unique combination of strategy, operations, technology, and marketing capabilities to support future consumer businesses

Page 22: Cybergefahren in der digitalen Supply Chain - Roger Müller


PwC’s Global Operations Consulting Network – From Strategy to Execution (Category of One)

Together, we bring more than 250 years of experience helping global clients solve their toughest problems

Global Supply Chain strategists network with more than 4,500 consultants

Unique Supply Chain Strategy, Operations and Execution service portfolio

Practical strategists committed to our client’s success

Figure: leading Supply Chain Strategy firm; local teams with access to the global network; broad and in-depth experience; management consultants with a coaching-oriented consulting approach using know-how and methodology; offerings: Industry 4.0, Tax & Customs, SCM Benchmarking, Supply Chain Reference Model (SCOR: plan, source, make, deliver).

Swiss-based core team and technical subject matter experts, well linked into

Page 23: Cybergefahren in der digitalen Supply Chain - Roger Müller


We think and advise on end-to-end processes across the entire Supply Chain

How does my supply chain performance compare to that of my competitors?

How confident are we in the resiliency of our supply chain operations?

How do we quickly assess our functional strengths and weaknesses?

How can we maximize return on our existing assets and gauge the value of future improvements?

How do we align our supply chain initiatives with overall strategic objectives?

Page 24: Cybergefahren in der digitalen Supply Chain - Roger Müller


Disclaimer

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers AG, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2016 PwC. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers AG which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

