Cyber considerations for Industrial manufacturing in 2024

• Common goals but disjointed regulatory landscape– The global regulatory landscape is beginning to coalesce around common regulatory patterns and approaches, but significant differences still exist across regions and markets for cybersecurity, privacy, and (AI) regulations. Organizations must carefully manage data sovereignty requirements to ensure compliance.
  
  Data sovereignty laws dictate how and where data can be collected, stored, and processed, varying significantly from country to country. For example, the US International Traffic in Arms Regulations stipulates requirements for access to controlled technologies (e.g., technologies with military applications). The European Union (EU) has strict requirements for the transfer of personal data outside of the EU. China, India, and many other countries have similar laws restricting the flow of data across borders.¹

• Shifting global dynamics influencing response speed and adaptability – With a wide range of approaches to data regulation (including differing definitions of personal data, governance frameworks, and accountability rules), navigating incident detection, response, and business continuity is an increasingly complex undertaking for global businesses.
  
  Industrial manufacturing businesses must navigate detecting and investigating incidents as well as responding and recovery to ensure resiliency within the context of this complex regulatory environment. 

• Supply chain visibility –Large organizations can have thousands of suppliers, and often they cannot accurately assess their activities with traditional methods. It would require an army of security personnel to do all the physical endpoint assessments, which is humanly impossible. It would cost tens of millions of dollars, making it unrealistic logistically and financially.
• Supply chain dependency – Cyber intruders often target software and hardware vulnerabilities, posing a significant threat to supply chains. The industrial manufacturing sector operates within a complex ecosystem that includes intricate information exchange through dynamic APIs. Security weakness in this ecosystem can create a massive ripple effect. Instances like the SolarWinds attack remind us of the far-reaching consequences of these dependencies. 
  
• Weakest link – Industrial manufacturing firms often share sensitive information with business partners, exposing them to data leakages and/or cyberattacks through these links. The strength of cybersecurity measures is dependent on the weakest link in the chain, underlining the crucial yet challenging task of conducting thorough third-party due diligence.
  
• Regulatory consequences – Many industrial manufacturing firms work with a complex array of suppliers to deliver products and services and some regulations require that organizational suppliers meet the same or similar cybersecurity requirements to the primary organization.
  

• Maintain trust following an incident – A cybersecurity incident can threaten the trust organizations must maintain with vital stakeholders, and thus harm operational resilience. Rebuilding trust can be about rapid technical recovery or identifying alternate ways of delivering services. It is critical to identify impacted stakeholders and expeditiously address their needs to minimize disruption.
• Identify and protect critical assets – To respond effectively to an incident and facilitate efficient and effective recovery, organizations must know which assets are most critical to business processes and have enabled enhanced resiliency processes to safeguard these assets. Organizations can ensure their most critical assets are protected by engaging in business impact assessments to determine asset criticality and tabletop exercises to test response and recovery capabilities.
• Outdated infrastructure contains cyber vulnerabilities – Many organizations in the industrial manufacturing sector rely on outdated software and manufacturing technologies. This can be due to the risks to operational resilience if they replace tools and processes that are currently in use to meet production goals. However, unpatched vulnerabilities can present significant cybersecurity risks and lead to cybersecurity incidents that compromise organizational resiliency.
• Internet-of-Things (IoT) and Operational Technology (OT) are difficult to secure – IoT and OT technologies often utilize rare operating systems and feature niche environments. As a result, vulnerability scanning, patching, and incident response are more difficult when IoT/OT is used within an organization’s networks.
• Adapt to an evolving threat landscape – As cyber defenses improve, attackers are getting more sophisticated as well, changing the threat landscape. Organizations need to continually improve and adapt. Resilience means being better equipped to address an incident quickly, comprehensively, and with minimal business impact. It does not mean there will never be another incident. Chief information security officers cannot control external threats but can control an organization’s preparedness.

KPMG professionals can assist with assessing cybersecurity programs, aligning them with business priorities, developing digital solutions, advising on risk implementation and monitoring, and designing responses to cyber incidents. They offer innovative strategies and solutions such as cyber cloud assessments, privacy automation, third-party security optimization, AI security, managed detection, and response.