What the ARC Advisory Group’s recently completed Plant Security survey revealed was that they are not only taking the tasks of creating a security plan for their manufacturing seriously, but they are also not willing to talk to outsiders about the specific details of what they are doing. While they will not say much about specific details, they are willing to consider outside expertise, as long as the expertise comes from trusted sources.
For much of the 20th century, security in most manufacturing facilities meant locks, perhaps fences, and an occasional roving guard. The Internet caused the first major awakening that security was not just to keep intruders out physically. Through the Internet, intruders could enter and not only disrupt manufacturing operations, but they could also leave with valuable intellectual property. The Y2K threat alerted manufacturers to the vulnerability of their Information Technology and Automation Systems.
Then came 9/11. After the initial shock, manufacturers started to reassess their priorities and strategies to address the holistic issue of security. The ARC survey, completed July 2003, aims at determining best practices for security. What was found is that the full range of security aspects is indeed being taken with extreme seriousness. In some cases, the serious nature of the manufacturers’ activities are being closely guarded for fear that the knowledge of exactly what they are doing could actually breach their security measures.
The survey showed that, for most respondents, physical security measures are further ahead than their plans for cyber security. For more than 60 percent of the respondents, fire and safety measures are considered complete. Perimeter security and access control were also security aspects that are considered complete or nearly complete.
For the two categories of security assessment—physical and cyber—manufacturing respondents indicated that, for the most part, they have plans in place. Over 40 percent indicated that they have completed the necessary physical threat assessment, while about 35 percent felt that way about cyber security.
Over half indicated that physical threat assessments were handled locally by individual plant site management, while over 70 percent said that cyber security issues were handled through a central authority. This is an indication of how electronic connections of plants have become extended beyond their boundaries, leading to the importance of a assessment of cyber vulnerabilities.
When asked who was helping them with these assessments, the majority indicated that they were attempting to do these in house. Over 55 percent indicated that they were managing their own cyber threat assessment, while 70 percent indicated that in-house personnel were conducting their physical threat assessments.
Budgeting for Security
Most manufacturers that took the survey have increased their budgets for security enhancements by about 5 percent since 9/11. A few companies reported increases of over 30 percent. When viewed in terms of increased personnel, most indicated that they had no additions to their security staff. A few had added more staff, with the average about three people.
The consensus showed that most plants spend about 1 percent to 2 percent of their annual budgets on security related expenses. It was almost evenly split when respondents were asked what the expectation would be for their security budget over the next five years. About half said they expected it to stay at about the same current level, while about 45 percent expected the security budgets to increase with increased threats.
Unfortunately, spending for security is similar to the spending for the Y2K threat. Since most never experienced any Y2K disasters, many executives questioned whether the spending was worthwhile. In the case of security, as long as a plant has no security breaches, then the question will always be, “Was the money well spent?”
Dick Hill, is vice president and general manager, Manufacturing Advisory Services, ARC Advisory Group.
