Date posted: 22-Jan-2017 | Category: Technology
Cyber threats in the digital supply chain
The PRISM of PRIvacy, Security and regulatory coMpliance
Roger Müller, Director PwC Consulting and Head Supply Chain & Operations, PricewaterhouseCoopers AG
Rodney Fortune, Manager, Cybersecurity, PricewaterhouseCoopers AG
© GS1 Switzerland 2016 | 11th GS1 Forum Logistics & Supply Chain | 2 March 2016
The fourth industrial revolution has started – but is your supply chain safe against cyber threats?
[Figure: timeline of the four industrial revolutions; vertical axis "Flexibility and complexity", horizontal axis 1800 to 2020]
• Industry 1.0 (end of 18th century): steam engine manufacturing
• Industry 2.0 (beginning of 20th century): mass production and assembly lines
• Industry 3.0 (1970s): automation and robotics
• Industry 4.0 (2015+): digitization and integration of value chains and products/services (Internet of Things/Services); new digital business models; integrated data analytics as core capability; the digital enterprise
Towards a new industrial revolution – the Industry 4.0 framework
Source: PwC Industry 4.0 Study, 2015
[Figure: the Industry 4.0 framework]
Digital core elements:
• Digitization and integration of vertical and horizontal value chains
• Digitization of product and service offerings
• Innovative digital business models
Digital enablers:
• Compliance, security, legal & tax
• Organisation, employees and digital culture
• IT architecture and data management
Because of the Internet, mobile devices, applications, and cloud computing, companies and their suppliers can now share a large amount of data at the click of a button.
Today, information about everything from order volumes and capacity status to activity-based management protocols and transportation metrics is electronically transmitted between business partners.
Cybersecurity is essential in order for Industry 4.0 to work, not only in technological terms, but also in terms of the processes in the value chain.
The integrated use of data is the core capability within the framework of Industry 4.0
Importance of data and analysis capabilities within Industry 4.0 (share of respondents, rating scale 1–5)

| Capability | Important (4, 5) | Neither nor (3) | Not important (1, 2) |
|---|---|---|---|
| Efficient exchange of data along the own value-add chain | 93% | 5% | 2% |
| Analysis of extensive amounts of data in real time | 76% | 22% | 2% |
| Use/exchange of data with cooperation partners | 68% | 20% | 12% |
| Clear labeling (barcode, RFID, NFC) | 61% | 27% | 12% |
| Use of real-time data to control production | 61% | 27% | 12% |
| Generation of additional data (e.g. through expanded sensor technology) | 54% | 20% | 26% |

Source: PwC Industry 4.0 Study, 2015
Cyber threats are real and affect business and life
91% of large organisations and 87% of small businesses had security breaches in the last year
• Cyber security is now a persistent business risk
• Organisations are undoubtedly worried about the rising tide of cybercrime
• Looking at security investments by industry shows that spending is down in most sectors, with a few notable exceptions
• The black markets for stolen data are growing in size and complexity
Source: PwC, The Global State of Information Security Survey 2015
The dilemma: functionality and simplicity versus security
Digitization:
• The digital transformation will change the way people do business
• The danger to businesses and their customers from hacking and cyberattacks has become pervasive
Globalization:
• The markets and the customers are global, not local
• Laws and regulations, as well as jurisdiction, are national
The human being – the 10-80-10 rule of honesty:
• According to insiders, it is considered proven that only 10% of adults are completely honest; for 80%, it depends on the environment, and 10% are dishonest
Industry 4.0 and security – trust versus risk profile?
Cybersecurity is more than an IT challenge—it’s a business imperative.
New technologies, well-funded and determined adversaries, and interconnected business ecosystems have combined to increase your exposure to cyberattacks.
Your critical digital assets are being targeted at an unprecedented rate and the potential impact to your business has never been greater.
• Can I trust my communication tools?
• Can I trust my data and information?
• Can I trust my identity?
• Can I trust my business partner?
• Can I trust my technology?
Industry 4.0 – adapt to the new realities of cybersecurity
With Industry 4.0, information and data have become a critical supply chain asset, making it increasingly important to protect your data.
Information sharing is not limited to supply chain functions like transportation, distribution, logistics, warehousing, inventory management, sourcing, procurement, and order and production planning. Companies share proprietary data across their value chain.
Supply chain managers must play a larger role in cybersecurity.
[Figure: vertical value-add chain (company: planning, purchasing, production, logistics, sales, product development (R&D), service) and horizontal value-add chain (network: supplier network, supplier, company, customer, customer network, cooperation partner)]
Each organisation has a unique environment and therefore specific requirements
[Figure: technology risks across the layers of your business vision, business processes, business applications, devices, systems and platforms, network and communication, and digital data]
Identify valuable data → Identify threats & risks → Apply appropriate protection
Industrial processes demand a high level of connectivity between components of a vertical supply chain
Vertical integration of supply/value chain processes – potential cyber threats:
• Cyber attacks on CPS systems (incl. industrial espionage)
• Privacy
• Reverse engineering
• Knowledge of hardware by integrators, incl. manufacturers
• Non-restricted staff access to critical components, systems and data
[Figure: vertically integrated stack from planning (ERP), cloud/data management and the Manufacturing Execution System (MES) down to the shop floor (machine, sensors/control, product), with horizontal integration with partners, machine-to-machine communication, engineering for “lot size”, Internet of Things, new technologies (e.g. 3D print) and autonomous logistics]
Digitally driven horizontal integration across value chains allows the creation of a virtual SC model
Integrated planning & operations – cross-tier inventory optimization (digital implications): real-time/near-real-time forecast data propagation can increase efficiency, e.g. optimizing supplier inventory levels.
[Figure 1: make-to-order chain from suppliers via tier 1 plants (inventory, machining, assembly) to OEM, dealer and end customer; forecasts flow from markets 1 and 2 back through planning to the tier 1 HQ and the engine plants 1 to n]
[Figure 2: virtual supply chain model – information flows between components suppliers/IDMs, contract electronics manufacturers, OEM/CEM and customers via an information hub, alongside the material flows; each node runs its Plan, Source, Make and Deliver (P, S, M, D) processes]
Greed, absence of ethics and weak prosecution/sanctions
Adversary motives and tactics evolve as business strategies change and business activities are executed. Not only the ‘good guys’ use technology for their benefit (CCaS / Cyber Crime as a Service)!
Adversaries: organized crime, hacktivists, nation states, insiders
What’s most at risk?
• Emerging technologies
• Executive travel
• Automation
• Health and safety records
• Business deals information
• Information and communication technology and data
• Industrial control systems (SCADA)
• Geological surveys and industrial design (intellectual property)
• Third-party connections
Input from Office of the National Counterintelligence Executive, Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.
Industry 4.0 and data security – introducing the concept of «PRISM»
[Figure: the megatrends digital operations (Industry 4.0) and increasing dependence on and abuse of IT (cyber resilience) act on the business processes of the firm and on its supply chain of suppliers and clients; Applied Digital Trust (PRISM) spans digital PRIvacy, cyber Security and regulatory coMpliance]
Applied Digital Trust (PRISM) as an integral part of electronic business processes
Guiding principles:
1. Processes should be designed and displayed electronically so that the system only allows what is possible
2. Process steps must be designed in a way that controls are integrated and compliance-related data are collected systematically and continuously
3. Data analysis and continuous auditing lay the foundations so that compliance-related data are systematically analyzed and reported
[Figure: process-integrated compliance – processes, controlling and QA*, data; measuring access data, process data and transaction data; reports from data analytics / big data]
* Quality assurance
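One way to make the three guiding principles concrete in code, as an added example that is not part of the presentation and not any PwC tooling: a small purchase-order workflow whose engine only permits the transitions the process defines (principle 1), carries segregation-of-duties and approval-limit controls inside each step and records every allowed and denied attempt as access, process and transaction data (principle 2), and runs a continuous-auditing pass over that data that re-checks the controls independently of the engine (principle 3). The states, roles, the CHF 50,000 approval limit and the action sequence in run_demo() are all constructed for the example.

```python
"""Process-integrated compliance for a purchase-order workflow.

Added example, not from the presentation. Workflow states, roles, the
approval limit and the sample actions in run_demo() are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List

# Principle 1: the engine only permits what the process defines.
# (current state, action) -> next state
TRANSITIONS = {
    ("draft", "submit"): "submitted",
    ("submitted", "approve"): "approved",
    ("submitted", "reject"): "draft",
    ("approved", "release"): "released",
}
# Principle 2: controls integrated into each step (segregation of duties
# and an approval limit in CHF; both are hypothetical values).
ROLE_FOR_ACTION = {"submit": "buyer", "approve": "manager",
                   "reject": "manager", "release": "finance"}
APPROVAL_LIMIT = {"manager": 50_000}


class ComplianceError(Exception):
    """Raised when a step is outside the permissible process."""


@dataclass
class Order:
    order_id: str
    amount: float
    state: str = "draft"
    history: Dict[str, str] = field(default_factory=dict)  # action -> user


class Workflow:
    def __init__(self, users: Dict[str, str]):
        self.users = users                 # user -> role (access data)
        self.orders: Dict[str, Order] = {}
        self.log: List[dict] = []          # compliance data for every attempt

    def _record(self, user, order, action, outcome, reason=""):
        # Access data (user, role), process data (action, state) and
        # transaction data (order, amount) are captured systematically.
        self.log.append({"user": user, "role": self.users.get(user),
                         "order": order.order_id, "amount": order.amount,
                         "action": action, "state": order.state,
                         "outcome": outcome, "reason": reason})

    def create(self, user: str, order_id: str, amount: float) -> Order:
        if self.users.get(user) != "buyer":
            raise ComplianceError("only buyers may create orders")
        order = Order(order_id, float(amount))
        self.orders[order_id] = order
        self._record(user, order, "create", "allowed")
        return order

    def act(self, user: str, order_id: str, action: str) -> str:
        """Apply an action; denied attempts are logged, then rejected."""
        order = self.orders[order_id]
        role = self.users.get(user)
        try:
            if (order.state, action) not in TRANSITIONS:
                raise ComplianceError(f"{action!r} not allowed in state {order.state!r}")
            if ROLE_FOR_ACTION[action] != role:
                raise ComplianceError(f"role {role!r} may not {action}")
            if action == "approve":
                if order.amount > APPROVAL_LIMIT[role]:
                    raise ComplianceError("amount exceeds approval limit")
                if order.history.get("submit") == user:
                    raise ComplianceError("four-eyes: approver must differ from submitter")
        except ComplianceError as exc:
            self._record(user, order, action, "denied", str(exc))
            raise
        self._record(user, order, action, "allowed")
        order.history[action] = user
        order.state = TRANSITIONS[(order.state, action)]
        return order.state

    def audit(self) -> dict:
        """Principle 3: continuous auditing over the collected data."""
        denied = [e for e in self.log if e["outcome"] == "denied"]
        released = [o for o in self.orders.values() if o.state == "released"]
        # Re-verify the four-eyes control independently of the engine.
        violations = [o.order_id for o in released
                      if o.history.get("approve") == o.history.get("submit")]
        per_user = Counter(e["user"] for e in denied)
        return {"orders": len(self.orders), "released": len(released),
                "denied_attempts": len(denied),
                "repeat_offenders": sorted(u for u, n in per_user.items() if n >= 2),
                "four_eyes_violations": violations}


def run_demo() -> dict:
    """Constructed sequence of actions; returns the audit report."""
    wf = Workflow({"alice": "buyer", "bob": "manager", "carol": "finance"})
    wf.create("alice", "PO-1", 12_000)
    wf.create("alice", "PO-2", 80_000)
    steps = [("alice", "PO-1", "submit"),
             ("alice", "PO-1", "approve"),   # buyer may not approve -> denied
             ("bob", "PO-1", "approve"),
             ("bob", "PO-1", "release"),     # manager may not release -> denied
             ("carol", "PO-1", "release"),
             ("alice", "PO-2", "submit"),
             ("bob", "PO-2", "approve"),     # over approval limit -> denied
             ("carol", "PO-2", "release")]   # not approved yet -> denied
    for user, order_id, action in steps:
        try:
            wf.act(user, order_id, action)
        except ComplianceError:
            pass  # the denial is already in wf.log
    return wf.audit()


if __name__ == "__main__":
    print(run_demo())
```

The point of the split between act() and audit() is that the engine enforces the control and the audit measures whether it held: the report counts denied attempts per user (a signal for the controlling/QA function) and re-derives the four-eyes check from the order history rather than trusting that act() did its job.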
Applied Digital Trust (PRISM) requires the collection and preparation of relevant data
[Figure: governance & control framework for people, processes and technology, driven by strategy and risk appetite, regulation & standards, and requirements & policies]
• Sec & compliance layer 1: user and device identification (users and devices trusted? compliant?)
• Sec & compliance layer 2: infrastructure and data access (ICT infrastructure on premise, outsourced or in the cloud; digital data classified and separated in trust domains)
• Sec & compliance layer 3: gateways and zone transitions
• Infrastructure, device and data management; compliance management
• Security, privacy and compliance information (big data) feeds data analytics (SIEM, etc.) and the PRISM dashboard(s)
Two options how to avoid digital data loss: A: protect and monitor or B: detect and respond
‘Crown jewels’ must be identified and their protection prioritised, monitored and adjusted accordingly.
Prevent & protect:
• Technology risk strategy
• Security architecture
• Target operations model
• Security governance
• Security assessments
Monitor & detect – detect malware, attacks and data exfiltration quickly and reliably:
• Breach indicator assessment
• Data analytics for security information
• Threat intelligence
Respond & remediate – respond to incidents efficiently and effectively; remediate and learn:
• Incident response
• Forensic services
• Crisis management
• eDiscovery
• Data analytics
‘Data protection by design’ by considering people, processes and technology
Five steps to identify and protect enterprise data appropriately
1. Identify your most valuable information assets, align your cyber security strategy with business objectives and get funding
2. Select applicable cyber threat scenarios (10-15) and analyse the impact on your business data and customer data
3. Assess cyber risks and ensure the risk landscape is aligned with the risk appetite; reduce, avoid or transfer unacceptable risks
4. Analyse current safeguards and their effectiveness, assess vulnerabilities in your infrastructure and supply chain
5. Implement safeguards, monitor effectiveness, improve processes for earlier detection and reduce the time from detect to respond
Summary: Applied Digital Trust by PRISM – privacy, security and regulatory compliance?
Stepwise procedure:
1. The industrial sector will change in the coming years due to industrialization / digitization. This is a chance to integrate "Applied Digital Trust"
2. Digital Trust calls for requirements of privacy, security and regulatory compliance that are formulated not only as a policy, but are integrated into the technical infrastructure
3. Security, privacy and compliance should be consolidated into a common architecture and integrated in the process (and not appended)
4. The processes should be designed in a way that only those things are possible which are permissible
5. Controls should be designed so that their effectiveness is constantly measured and the enforcement of the rules is ensured
6. Digital Trust shall define which reports are to be generated in order to provide quality assurance / so that the auditors are satisfied
Applied Digital Trust through PRISM is the discipline of designing products or processes that have very low tolerances, are repeatable, and are stable over time
Thank you – your PwC Industry 4.0 experts. Talk to us…
Rodney Fortune, Manager Cybersecurity
Cybersecurity: Threat, Vulnerability & ICS Specialist, Switzerland
PwC Risk Assurance, PricewaterhouseCoopers AG, Birchstrasse 160, CH-8050 Zurich, Switzerland
Direct +41 58 792 19 46, Mobile + 41 79 128 67 [email protected]
Roger Müller, Director
Head Supply Chain & Operations Switzerland, Industry 4.0 Lead
PwC Management Consulting, PricewaterhouseCoopers AG, Birchstrasse 160, CH-8050 Zurich, Switzerland
Direct +41 58 792 1637, Mobile +41 79 878 [email protected]
PwC’s Global Operations Consulting Network – from strategy to execution (category of one)
PwC's global operations practice connects clients' strategies with execution.
We start with the premise that operations can and should be a strategic asset, and we bring the industry, functional, and technology depth required to rapidly close the gap between ideas and results.
• Integrated, best-of-breed capabilities and thought leadership
• Unique combination of strategy, operations, technology, and marketing capabilities to support future consumer businesses
Together, we bring more than 250 years of experience helping global clients solve their toughest problems.
Broad and in-depth experience:
• Global supply chain strategists network with more than 4,500 consultants
• Unique supply chain strategy, operations and execution service portfolio
• Practical strategists committed to our clients’ success
• Leading supply chain strategy firm
Approach:
• Local teams with access to the global network
• Management consultants & coaching-oriented consulting approach using know-how and methodology
• Industry 4.0, tax & custom, SCM benchmarking, Supply Chain Reference Model (SCOR: plan, source, make, deliver)
• Swiss-based core team and technical subject matter experts, well linked into
We think and advise on end-to-end processes across the entire Supply Chain
How does my supply chain performance compare to that of my competitors?
How confident are we in the resiliency of our supply chain operations?
How do we quickly assess our functional strengths and weaknesses?
How can we maximize return on our existing assets and gauge the value of future improvements?
How do we align our supply chain initiatives with overall strategic objectives?
Disclaimer
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers AG, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2016 PwC. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers AG which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.