Different factors put the operational continuity of companies at risk, from financial aspects to those related to suppliers, logistics and maintenance. However, the unstoppable thrust towards the digitization of all business processes is bringing issues connected to cyber threats to the forefront.
Crime, cryptolocker and lack of digital skills have climbed the rankings in the risk tables of the World Economic Forum and leading global insurance companies. Faced with the complexities of a new problem, people often drift towards inaction or fatalism.
On the contrary, it is time to seize the opportunities of digitization with a pro-active approach to security, but we need a managerial mentality suited to the times. The prevalent culture of the last decades has promoted efficiency, rationalization and spending reduction. Unfortunately, the pandemic confirmed to us how fragile extremely efficient processes are. Operational continuity requires not only redundancy, but also additional resources to monitor and check that replicas work. Even a data backup may seem an unproductive investment, but it becomes vital in case of disk failure or data encrypted by ransomware.
There are multiple threats to digital services, from human errors to criminal attacks, from environmental factors to failures. However, such services have a huge advantage compared to manufacturing plants: thanks to modern technologies, like efficient networks and virtualization, they can be duplicated, migrated, and outsourced quite easily.
Any solution is acceptable in order to avoid the single points of failure of our current, very vulnerable systems. Modern industrial control is carried out by software systems that manage processes in real time, sending commands to innumerable sensors, actuators, communication nodes, and distributed devices. These systems can exchange enormous quantities of data, at high speed, over communication networks, with the aim of monitoring and controlling physical devices. OT (operational technology) control systems work according to rules whose priorities and procedures differ from those of traditional IT systems. In the past, the two systems were isolated from each other. In modern industrial plants, the OT and IT systems are connected, so cyberattacks can start on the IT side and migrate towards the industrial systems, and there have been cases in which the attack started from the OT side and then reached the IT side.
Such complexity is not evolutionary, it is disruptive. Therefore, it must be dealt with structurally, not only with security in mind but also as a possible factor for innovation. Every business should set the goal, achievable today, of guaranteeing operational continuity, scalability, and usability, for the simple reason that these factors guarantee and will guarantee the business of the companies that are transforming, more or less knowingly and rapidly, into software-enriched, data-driven, always connected companies. The extreme rationalization and containment of IT service costs cannot be our current priority.
With due proportion in terms of budget and business, the model to strive for is the service model of Google, Facebook and Amazon: always operational, scalable, and simple to use. Or again, for our manufacturing territory, we could look at Tesla, which in just over 15 years has become the world’s most highly valued automotive company on the stock exchange. It had a handful of models, derided by the traditional French, German and Japanese companies, which stated, “we could acquire it any time, but we’d rather not do it because it hasn’t got a profitable business model”. True at the time, but only because Tesla was looking far ahead in time and (re)designed the entire automotive ecosystem of the future, well beyond a mere car: a vehicle that is always connected and geolocated, equipped with app services and with assisted and semi-autonomous driving, but also enriched with long-lasting batteries, efficient recharging systems and remote maintenance/evolution mechanisms.
Opportunities may arise from crises. Probably, for many companies, the time has come to rethink, at least in part, their business, starting from (re)designing resilient systems and services that are able to adapt to changing market conditions, that can resist threats and that can quickly recover from interruptions due to deliberate attacks, accidents or natural factors.
It can be done in a reactive way, after being the victim of an attack or because a new industrial standard has been imposed. Alternatively, the process can be guided pro-actively by enlightened managers who can imagine the opportunities of new markets and are able to seize them. Protection and redundancy will be needed, from infrastructures to networks, from data to skills. The lack of skills is probably the main limiting factor, one that we will need to overcome through the synergistic collaboration of the public and private sectors.