Industrial Cybersecurity: The Elephant on the Factory Floor

23 February, 2023

By Alexander Köppen, Oliver Hanka and Florian Gibala. 

Machines that transmit their maintenance status to the cloud, fully automated control centres, power supplies with a real-time workload overview and retrofitted measurement technology on old-fashioned plants: there are many ways in which industrial plants find their way onto the internet.

Unfortunately, there are just as many ways to exploit the often poor cybersecurity of these operational technologies (OT for short). According to our Digital Trust Insights 2023 study, one out of four companies (26%) expects a significant increase in attacks on operational technology.

Whether attacks on energy service providers, adulterated batches in pharmaceutical manufacturing or materials destroyed by compromised industrial robots: depending on where the endangered plant technology is used, the consequences can be critical for the operation of the company, for our environment and for our society. What are the reasons for this? How can companies not only secure themselves during ongoing operations, but also establish a general operating model in which potential and actual vulnerabilities are identified and controlled? Answering these questions is essential, because in view of increasing incidents and ever higher damages, one thing is certain: the pressure to act is enormous.

The essentials in 30 seconds

Based on our daily consulting experience in the OT environment, we have identified five fields of action that effectively help to improve industrial security and prevent damage: 

  1. Develop an OT strategy and an industrial security strategy
  2. Develop an industrial security target operating model
  3. Link business continuity and industrial security
  4. Supplement service provider management with industrial security aspects
  5. Strengthen IT/OT security architecture competence

The security status quo

Information security is already high on the agenda of managers and executives. However, one aspect in particular is currently coming into focus: the digitalisation and increasing interconnection of critical infrastructure and production facilities, combined with a simultaneous rise in cyberattacks by professionalised hacker groups and state actors, is leading to an unprecedented threat situation. To make matters worse, the latest technologies often meet outdated legacy equipment and systems that were never intended to be interconnected, least of all with untrusted networks like the internet.

In pioneering industries where the products themselves are networked or where production processes have been modernised and digitalised, security aspects have usually been considered from the start. This is often not the case with legacy production processes and technologies, which are used heavily in critical infrastructures. Digitising them often means adding features such as remote maintenance and monitoring functions to legacy control systems using insecure technology and interfaces.

The potential consequences are enormous – and many companies are well aware of them. But in the field of tension between digitalisation, competition and customer needs, industrial security often remains the elephant in the room. Studies also show that even successful certifications are no guarantee of sufficient security.

The biggest challenges for industrial security

When legacy technology is interconnected and enhanced with digital capabilities, IT and OT converge. The risks of this convergence should not be underestimated for several reasons:

  1. In times of new geopolitical conflicts, economic espionage and terrorism, industrial plants are becoming worthwhile targets with high blackmail potential, even beyond critical infrastructures.
  2. Completely destroyed production batches, robots that go rogue, power outages in entire districts: The damage potential for OT attacks is often immensely greater than for pure IT incidents.
  3. There is often a lack of mature technical and organisational protective measures. If a non-connected facility suddenly needs to be accessible via the internet, insecure workarounds are often used. Inadequately protected remote access or lax rules for physical access? Not uncommon.
  4. In many places, outdated operating systems are no longer supported by the manufacturer. Replacements or updates often require fundamental changes in the production processes and associated investments in the millions.

“At the same time, the companies concerned are under great external pressure.”

Dr. Alexander Köppen, Partner, Cyber Security & Privacy at PwC Germany

Many companies, for example from critical infrastructures, as well as many SMEs, are economically forced to digitise quickly in order not to lose touch with customer needs and thus match their sales expectations. On the other hand, they are obliged by law to comply with stricter regulations (KRITIS, IT-SiG 2.0/3.0, NIS 2.0).

The conclusion: an overarching industrial security strategy is becoming a must for companies. How and in which phases should the OT transformation and the associated IT-OT convergence take place? How can this be secured with regard to physical security and cybersecurity? What security capabilities need to be built? How can manufacturers, suppliers and partners be integrated optimally?

Fertile ground for incidents: High speed, little strategy

In operational reality, however, OT security or the digitalisation of industrial plants in general is often still a niche topic. Beyond operational safety or operational maintenance, it is rarely strategically planned or systematically addressed. The fact that, in addition to advantages and business potentials, digital and networked OT can sometimes also bring tangible dangers into the production halls is often overlooked.

There are three main reasons for this:

1. Lack of strategic and operational differentiation between OT and IT security
In our day-to-day consulting work, we see it time and again: companies often do not see OT security as a process that has to be continually exercised and improved with its own specific requirements. Without a specific organisation and own domain knowledge, the vision of secure operating technology remains primarily one thing – a vision. Although there is often a separate department for IT security, this lacks the specific understanding of OT requirements. Conversely, the people who operate the OT are not familiar enough with IT security and the challenges of digitalisation. Here, a strict strategic alignment or even new operating models are needed in order to centrally anchor the adaptation to technological change not only in the IT infrastructure, but also in the systems and machines that are needed for "the product".

2. There is not only a lack of skilled workers, but even of roles
If already overworked employees from the plant engineering department suddenly have to be responsible for cybersecurity aspects as well, the shortage of skilled workers is doubled. Where a lack of skilled workers is already a problem today, companies will need a role structure in the future that takes into account the new requirements of the networked industry.

“Without a specific organisation and own domain knowledge, the vision of secure operating technology remains one thing above all – a vision.”

Florian Gibala, Senior Manager, Cyber Security & Privacy at PwC Germany

3. Manufacturer lock-in equals security lock-out
Even before they were networked, industrial plants were highly specialised, complex in design and so expensive that every adaptation had to be carefully considered. If an entire production hall full of machines and systems is to be digitally networked, companies are often only able to network their production processes, machines and technologies appropriately with the close support of individual manufacturers or external service providers. The result: a highly heterogeneous and fragmented manufacturer market in which companies find it difficult to define and, above all, implement their own security standards across the board.

What can companies do with their own OT?

Based on our daily consulting experience in the OT environment, we have identified five fields of action that effectively help to improve industrial security and prevent damage.

The 5 fields of action for industrial cyber security

1. Develop an OT strategy and an industrial security strategy

In order for the security capabilities of networked plants and machines to grow with the risks, a uniform understanding of an overarching OT strategy is needed first. The relevant plants and systems are often distributed across different business units without a strategic orientation, e.g. with regard to technological leaps or service provider integration. As a result, there is often no corresponding role to discuss, coordinate and take responsibility for such considerations and developments across the board: at a minimum, an OT coordinator or an OT architect is needed here. The overarching industrial security strategy must then be aligned with this OT strategy. The integrated consideration of OT security, IT security, physical security, business continuity and product security, from the initial concept to maintenance long after delivery, is essential.

2. Develop an industrial security target operating model

How can centralised and decentralised roles and responsibilities then be effectively assigned in terms of the OT security strategy? What principles should the design of a target operating model be based on? Stability and a high level of security are achieved when the target operating model is comprehensively derived and closely coordinated with the relevant stakeholders.

3. Link business continuity and industrial security

Successful companies are currently raising awareness of the fact that the security of networked industrial plants is a direct factor in business continuity management and that employees need to be trained accordingly. A failure of OT caused by cyberattacks often has enormous economic consequences, which can even threaten the existence of the company. In the case of critical infrastructure companies, these effects can also spread to society and the environment. Explicit transparency at management level about the respective business impact and integrated emergency plans are therefore not only vital from a regulatory point of view, but also in the best interest of the company.

4. Supplement service provider management with industrial security aspects

A clear strategy in dealing with OT service providers and suppliers and the corresponding contract management decisively helps to implement an adequate security level in partnership and on an equal footing.

5. Strengthen IT/OT security architecture competence

Increasing networking can and must be countered with systematic control and management of the underlying architecture. If companies decouple and segment their systems, only part of the systems is affected in an emergency, not the entire OT. Another example of risk reduction is applying the zero-trust approach to OT, i.e. an IT security model in which every device that wants to access resources in a network must first pass a strict identity check.
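The two measures named above, segmentation and a per-device identity check, can be expressed as a checkable policy. The following is an added example (not code from the PwC article or from PwC); the zone names, the allowed zone paths, the device inventory and the sample flow records are all constructed for illustration.

```python
# Added example (not from the article): a minimal policy check for an
# IT / DMZ / OT segmentation model plus a zero-trust style device check.
# Zone names, allowed paths, device inventory and flows are constructed.
from dataclasses import dataclass

# Allowed direct zone transitions: the corporate IT network reaches the
# OT zone only via the DMZ, and OT only ever talks back to the DMZ.
ALLOWED = {("it", "dmz"), ("dmz", "ot"), ("ot", "dmz"), ("dmz", "it")}

# Constructed inventory: only devices with a verified identity (for
# example a certificate-based enrolment) may open connections into OT.
VERIFIED_DEVICES = {"eng-ws-01", "hist-srv-01"}

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    device_id: str   # identity of the device initiating the connection
    port: int

def check_flow(flow: Flow) -> list[str]:
    """Return the policy violations for one flow (empty if compliant)."""
    problems = []
    if flow.src_zone == flow.dst_zone:
        return problems                  # intra-zone traffic is out of scope
    if (flow.src_zone, flow.dst_zone) not in ALLOWED:
        problems.append(f"{flow.src_zone}->{flow.dst_zone} bypasses the DMZ")
    if flow.dst_zone == "ot" and flow.device_id not in VERIFIED_DEVICES:
        problems.append(f"device {flow.device_id} has no verified identity")
    return problems

def audit(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each non-compliant flow (as a readable key) to its violations."""
    report = {}
    for f in flows:
        violations = check_flow(f)
        if violations:
            report[f"{f.device_id}:{f.src_zone}->{f.dst_zone}:{f.port}"] = violations
    return report

# Constructed sample flows, as a firewall or flow collector might export them.
SAMPLE_FLOWS = [
    Flow("it", "dmz", "eng-ws-01", 443),     # allowed path into the DMZ
    Flow("dmz", "ot", "eng-ws-01", 502),     # Modbus from the DMZ, verified device
    Flow("it", "ot", "laptop-07", 502),      # direct IT->OT bypass, unverified device
    Flow("dmz", "ot", "vendor-tmp", 3389),   # unverified remote-maintenance device
]

if __name__ == "__main__":
    for key, problems in audit(SAMPLE_FLOWS).items():
        print(key, "->", "; ".join(problems))
```

Running the block reports the two non-compliant flows: the laptop bypassing the DMZ and the unverified vendor device reaching OT from the DMZ.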

Conclusion: industrial cybersecurity is often still the elephant on the factory floor. Addressing it is therefore the order of the day, before critical damage occurs.

PwC's Cyber Security Experience Center for Industrial Security in Frankfurt

Here, security experts show where operational technologies such as industrial robots, gas pressure regulating systems or control systems (ICS, Industrial Control Systems) are particularly vulnerable on the basis of an integrated ecosystem with real components – starting with critical infrastructures, through mobility and production to building management systems. For a realistic representation of possible security incidents and their consequences, the individual scenarios are connected to physical PLC, ICS and SCADA networks. In this way, visitors experience directly what cybercriminals can do if they gain access to OT systems via IT – and also how these systems can be protected.

Contact Dr Oliver Hanka and arrange a guided tour or create an event together.

Contact us

Dr. Alexander Köppen

Partner, Cyber Security & Privacy Strategy, Risk and Compliance, PwC Germany

Tel: +49 1512 9608-114

Dr. Oliver Hanka

Partner, Cyber Security & Privacy, PwC Germany

Tel: +49 160 5105836

Florian Gibala

Senior Manager, Cyber Security & Privacy, PwC Germany