Date post: 27-Jun-2020
Strengthening manufacturers against cyber shocks
Managing cybersecurity to become cyber resilient

NAM webinar, September 20, 2018

Rik Boren, PwC Industrial Products Cyber Leader

Darren Orf, PwC Industrial Products Cyber Director

www.pwc.com

PwC | Strengthening manufacturers against cyber shocks

The growing cybersecurity challenge

• Wireless networks, mobile devices and apps, social media, cloud services and data analytics have created entirely new ways for businesses to improve.

• Together, these technologies have created a dynamic, hyper-connected business ecosystem that enables companies to share significantly more digital information with a wider range of partners, suppliers, service providers, and customers.

• As innovation continues to advance and technology domains converge, the cyberattack surface – the points on which adversaries attempt to access systems, applications, critical assets, and highly sensitive information – is expanding exponentially.

• At the same time, traditional threats, like economic conditions, regulatory requirements, geopolitical instability and social demands, are dynamically changing.

Businesses are increasingly interconnected, integrated, and interdependent, and innovation and technology convergence are creating opportunity and risk.

[Figure: business ecosystem diagram. Labels: Geo-political, Global, Technology, Socio-political, Legal, Environmental, Regulatory, Economic, Security & Privacy, Consumer, Service Providers, JV/Partners, Customer, Suppliers, Industry/Competitors]


The impact of cyber threats


What is the bottom line?

• $7.35m: Average cost of a data breach (US)

• $5.1m: Average security budget

• 29%: Report loss or damage of internal records as result of a cybersecurity incident

• 35%: Report loss or damage of customer records as result of a cybersecurity incident


Recent breach themes

Weaknesses in one or more of the following four control themes have been common characteristics of recent breaches

Many breaches happened because of a process breakdown despite technology to deliver the control!

Incident Response

Many recent breaches could have been contained or greatly reduced in impact had the incident been detected and responded to in a more timely manner

Example: Recent breach impact over 100x more than initial breach estimate

Identity & Access Management

Many attacks could have been thwarted by stronger IAM controls such as MFA or PAM implementations

Example: Attackers able to impersonate someone with only password compromise

Data Encryption

Failure to appropriately encrypt data or comply with data protection regs has eroded brands and led to heavy financial penalties

Example: Exfiltrated passwords using weak SHA-1 quickly cracked

Vulnerability & Patch Management

Many breaches have occurred when threat actors have scanned for and successfully exploited unpatched vulnerabilities

Example: Apache Struts 2 (CVE-2017-9805 and CVE-2017-5638)


Cybersecurity risks in action for the manufacturing sector

Legend: Cybersecurity risk | Privacy risk

Supply chain disruption could result from denial of service attacks designed to disrupt RFID frequencies

Digitized trade secret theft is a risk if data protection mechanisms, such as encryption, are not in place

Hackers may install malware purposely built to attack industrial automation and control systems

Cloud processing enables advanced decision-making algorithms and real-time analytics: actionable information is passed on to employees

Production and IT systems are linked to enable automated reporting and remote operations and maintenance

Automated forklifts and other self-driving vehicles work alongside robots

3-D printing allows rapid prototype development and spare-part printing

Sensors embedded into machines send data back to control software

When a key component is about to reach the end of its life, it will automatically initiate a repair request

This connection can be exploited if security controls such as firewalls are not in place

Corporate espionage could involve rivals breaching the network to steal pricing and supplier information, as well as counterfeit products made using that data. Personal data could also be compromised by the breach

Bad actors could take control of the smart device, such as a home automation system or vehicle

Nation states are targeting components so the finished product contains embedded malware which also puts personal data at risk

Wearables can reveal a person’s location, personally identifiable information or improper disclosure of personal data

Data theft via embedded malware stretches back to the supply chain


You can’t eliminate cyber risk but you can manage the risk and become resilient

Cyber resilient companies are better prepared to anticipate threats, minimize impact and recover from disruption


Key themes for building cyber resilience in manufacturing

Leading manufacturers are building cyber resilience through:

1. Strong C-suite and board engagement in managing cyber risks with the highest impact

2. Integrating security into the fabric of their products and operational processes

3. Collaborating with peers and other relevant parties to garner lessons learned and better anticipate threats

4. Rigorous management of their supply chain and stress testing interdependencies


Cyber resilience – Leading practice #1

Leading manufacturers have strong C-suite and board engagement focused on managing cyber risks with the highest impact

Industry risk tendencies:

• Siloed approaches to managing cyber risk

• Lack of a formal CISO or functional misalignment

Recommended Actions

• Understand your cyber risks and correlation to business risks

• Engage the board and C-level execs in managing cyber risk as a key business risk

• A top-down strategy to manage cyber risks across the enterprise is essential

• Manage centrally with distributed implementation

• Resilience must be integrated into business operations

Typical Outputs

• Enterprise cybersecurity strategy

• Integrated cyber/business governance structure


Cyber resiliency in action – Example #1

Leading organizations implement a centralized interface into enterprise cybersecurity services, resources and tools with distributed security responsibility in business domains

Benefits

• Promotes applying business context to managing security risk and more efficient business decision making (through the liaison/advisor relationship)

• Consistent application of security controls across domains (through a common liaison gateway to centralized service & control owners)

• Efficient delivery of security technology (through a common liaison gateway to centralized security technology SMEs)

Business Service Domains

Self-Service

Cybersecurity Advisory Team

Security & Privacy Advisors apply their security and privacy knowledge to a narrow domain focus, increasing security and privacy service coverage across the enterprise

Security: Services, SMEs, Tools

Advisors serve as the liaison to the security & privacy offices, and consult with these bodies as necessary

Cybersecurity & Privacy Portal

Business Unit CISOs, Product Owners, Data Protection Officers etc.

Cybersecurity & privacy liaisons

Technical experts, specialized security tools and other resources

• Vulnerability Management

• SSDLC Processes

• IAM

• 3rd party Risk

• Privacy & Security Risk Assessment

• Privacy by Design Processes

Privacy: Services, SMEs, Tools


Cyber resilience – Leading practice #2

Leading manufacturers integrate security into the fabric of their products and operational processes.

Industry risk tendencies

• Security causing friction in product development

• Tension between enterprise IT and OT

Recommended Actions

• Understand friction points in OT and product development

• Modernize cybersecurity policies and standards to reflect emerging paradigms (cloud, IoT, mobile etc.) and regulatory constraints (e.g. localized privacy laws such as GDPR)

• Deliver security capabilities as enterprise services

• Develop a security-by-design framework and processes to increase security posture while reducing dev/op friction

• Build security testing using common toolsets and automation where feasible directly into system and product development lifecycles

Typical Outputs

• Policy and standards refresh

• Security-by-Design & Privacy-by-Design programs

• Security technology rationalization

Impact: high impact vulnerabilities and increased costs


Cyber resiliency in action – Example #2

Evolve from disjointed capabilities to intelligence services

Embed security controls and services into deployment and delivery pipelines

Leading manufacturers are developing enterprise security capabilities and building them into distributed IT, OT and product development environments.


Cyber resilience – Leading practice #3

Leading manufacturers collaborate with industry peers and other relevant parties to garner lessons learned and better anticipate threats

Industry risk tendencies:

• Protecting manufacturing techniques, product design and other intellectual property has been a difficult barrier to collaborating within manufacturing domains

• Incident response plans exist but have tended to be fractured

Recommended Actions

• Develop a structured cyber threat intelligence program as a key function of a cybersecurity operations center (CSOC)

• Establish channels to collaborate with and share intelligence with industry peers, law enforcement and other relevant external bodies (such as industry sector ISACs)

• Create efficient internal channels to act on qualified intelligence

• Build a cybersecurity incident response plan & team (CSIRP & CSIRT) that includes interfaces with external parties/partners

• Invest in a threat intelligence platform (TIP) that can leverage big data analytics on enterprise threat & vulnerability management sources to anticipate & proactively thwart threats

Typical Outputs

• Cyber threat intelligence program

• Threat intelligence platform

• Enterprise CSIRP & CSIRT


Cyber resiliency in action – Example #3

Leading organizations have the ability to capture and correlate intelligence from disparate sources into actions that mitigate threats before they have an impact


Example from PwC’s Secure Terrain Offering. More information at: https://www.pwc.com/us/en/cybersecurity/secure-terrain.html


Cyber resilience – Leading practice #4

Leading manufacturers rigorously manage their supply chain and stress test interdependencies across the entire ecosystem

Industry risk tendencies:

• Incomplete accounting of vendors and business partners in the ecosystem

• Inconsistent criteria to measure supplier risk and performance against

Recommended Actions

• Develop enterprise vulnerability management capabilities & disciplined patch management processes

• Conduct rigorous security testing at integration points to identify vulnerabilities introduced outside of your enterprise

• Expand scope of cybersecurity incident response plans and simulation exercises to the supply chain/business partners

• Enhance identity and access management (IAM) capabilities to give better visibility into a broader access ecosystem and the ability to enforce risk-based controls

Typical Outputs

• Third party risk management capabilities

• Enhanced security testing & vulnerability management programs and services

• IAM investments (PAM, MFA etc.)


Cyber resiliency in action – Example #4

[Figure: Remote Connectivity | Driving Assistance & Automation | Cyber Physical. Component labels: Pre-Collision System, TPMS, Telematics (CDMA/3G/4G/LTE), Bluetooth, Self-Parking, Wi-Fi, Adaptive Cruise Control, V2V & V2I, In-car apps. Scope label: client ecosystem]

• Risk Assessments

• Penetration Testing

• Stress testing whole product & individual component testing

• Stress testing integration points back to the larger ecosystem

• Stress testing within the larger ecosystem (including cloud)

• Threat Modeling

• Environment & Code Scans

Leading manufacturers conduct rigorous risk-based testing on technology during product engineering and IT deployment and as a matter of operational process


Rik Boren, Industrial Products Cyber Leader, [email protected]

Darren Orf, Industrial Products Cyber Director, [email protected]

Read more at

• PwC Cybersecurity & Privacy Homepage: pwc.com/cybersecurity

• 2018 Global State of Information Security Survey: pwc.com/gsiss

The final word

Industry leaders should seize the opportunity now to take meaningful actions designed to bolster the resilience of their organizations, withstand disruptive cyber threats, and build a secure digital society

© 2018 PricewaterhouseCoopers LLP, a Delaware limited liability partnership. All rights reserved. PwC refers to the United States member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.