One of the world’s leading global and regional industrial companies, and a leader in the GCC region, wanted an independent review of the cybersecurity of its core manufacturing operations, covering both the information technology (IT) and operational technology (OT) used in its plants worldwide. The aim was to ensure a consistent level of cybersecurity control at every site, and across both types of technology.
Strong cybersecurity is essential for the company, which is part of the critical national infrastructure of the region and a key part of the economy. This makes it a high-value target for potential cyber attackers. The scale of the organisation’s global operations also means it works with a wide range of technology suppliers and joint venture partners, and the company wanted a deeper understanding of the risks and potential vulnerabilities across this complex network.
Leading GCC industrial company
Beginning in the second quarter of 2019, PwC’s team assessed the cybersecurity of our client’s manufacturing plants across Europe, the Middle East, India and Africa (the EMEIA region). Using our proprietary solutions and working with technology partners, we identified fixes for remediation and provided recommendations on where the potential vulnerabilities lay. We then worked with the client’s own teams to strengthen controls for the future and reduce the risk of non-compliance with national cybersecurity regulations. We also assisted in researching and designing their new global cybersecurity operating model and advanced monitoring capabilities.
Once established, these new capabilities will oversee continuous OT cybersecurity services, as more digital processes and a greater number of network connections increase cyber risks at the manufacturing sites. In helping design these advanced capabilities, we worked alongside the client’s OT cybersecurity teams to define the roles that people, processes and technology will play in the company’s new cybersecurity strategy, and to implement the necessary changes. As an independent adviser, we were able to bring our understanding of the business risk posed by a cyber attack in this critical sector, as well as the technology risk.
A cyber attack on an industrial plant has the potential to put human lives at risk, and to cause enormous environmental and financial damage. As a result, attempted attacks by cyber criminals and state actors are inevitable for such a high-value target. Constant vigilance is the key to protecting employees, plants and the wider population. With these factors in mind, our client wanted to ensure its existing cybersecurity controls were implemented and effective, in addition to creating a detailed picture of any potential vulnerabilities in its IT/OT manufacturing networks, and strengthening its defences for the future as its sites and processes become increasingly digitised and connected.
PwC has worked with the company for more than two decades as an adviser, and they chose to partner with us on this project because we have invested in our cybersecurity expertise in the region over a number of years, developing a centre of excellence for the Middle East.
During the project, we had up to 20 people on the ground at the company’s sites at any one time, plus five people based permanently at the company’s operational hub. The team of five was responsible for central reporting and building the overall picture of threats and vulnerabilities, based on the data gathered from the various plants.
We divided up the sites according to the technology used and their level of risk. When gaps were identified, our team worked with the original third-party technology vendors to build up controls in order to prevent the vulnerabilities being exploited.
Traditionally, cyber risk has been assessed by technology companies. However, that can create a situation in which the company that installed the IT/OT solutions is being asked to check its own work. In addition, in the case of large companies, IT/OT systems are often managed by third party vendors, and this results in risks being handled in silos. PwC’s technology is agnostic and we were able to assess all the systems and give the company a comprehensive picture of its cybersecurity.
With connected systems, vulnerabilities and cyber risk are a fact of life. As countries introduce 5G and more industrial processes join digital networks, the potential risk will inevitably increase. The challenge for companies is to be proactive and ensure strong oversight of all their systems and potential vulnerabilities.
Our client is now working with PwC to build its long-term resilience by going deeper into its critical systems, targeting potential vulnerabilities in advance of a problem.
Partner, Digital, CyberSecurity, Resilience and Infrastructure, PwC Middle East
Tel: +971 52 4166879
Middle East Senior Partner, PwC Middle East
Tel: +971 4 304 3100
Middle East Strategy and Markets Leader, PwC Middle East
Tel: +971 4 304 3100