Security in Smart Factories from the Perspective of Supply Chain Disruptions (Part 3) CAPEX and OPEX

Dec 08, 2020
Smart Factory Security

<Posts in this series>

Part 1: Reconstruction of global supply chains

Part 2: How “remote” will change production operations


A long time has passed since the phrase "age of uncertainty" became widely accepted in the business world. The COVID-19 pandemic is a symbolic example of the uncertainty in manufacturing industry supply chains. We think that many companies are hesitating to make aggressive investments because the future remains unclear. More caution is required for capital expenditures and making investments in research and development. Many projects scheduled for fiscal year 2020 have been postponed. It can be said that the increase in public spending mentioned in Part 1 is the other side of the market environment, which is making companies less willing to carry out strategic investments.


Capital expenditures in factories

Manufacturing industry capital expenditures are planned in accordance with long-term strategies. Here, we will first consider the background by reflecting on trends in manufacturing industry capital expenditures before the pandemic, taking Japan as an example. According to the White Paper on Manufacturing Industries published by the Ministry of Economy, Trade, and Industry in May 2020, the trend in capital expenditures is described thus: "although profits generated by assets have been increasing and the potential for new capital expenditures has been rising year by year, actual growth in capital expenditures appears to be low." The profit ratio has been increasing due to the achievement of continuous improvement in manufacturing new products of high quality with high efficiency using aged equipment at production sites. This suggests that Japanese companies have not been aggressive in making strategic heavy capital expenditures because domestic demand in Japan has been sluggish for 30 years since the burst of the economic bubble in the 1990s, forcing companies to secure retained earnings while maintaining their work forces. As a result, the shortage of workers as well as the aging of factories and equipment have come to be seen as problems in recent years. Large-scale smart factory projects are beginning to be launched in response to the labor savings achievable by digital technologies and automation in order to make up for the labor shortages and factory consolidation.

The Concepts of CAPEX and OPEX

Factory expenditures are divided into capital expenditures (which include lands, buildings, and equipment) and operational expenses (which include maintenance and repair expenses, utility expenses, and salaries and wages). The former is also referred to as CAPEX, while the latter may be referred to as OPEX. A CAPEX is an initial expenditure from the perspective of cash flow. Its depreciation is recorded on the income statement as an expense every year, though no cash is spent. When a factory is constructed and operated, a financial plan is designed in light of the factory's long-term lifecycle in addition to the production and costs for a single fiscal year from the perspective of capital expenditures, operational expenses, and cash flow.

The IT world has transitioned from hardware, which is a tangible fixed asset, to software, which is an intangible fixed asset, and to cloud services, which are operational expenses. From a financial point of view, these transitions enable companies to amortize their assets over a shorter period, making it easy to respond to changes, and reduce the impact of obsolescence in a world with remarkable technological progress. It is conceivable that a similar transition will be made in the OT area of smart factories. The transition from CAPEX to OPEX will be one key for leading smart factories to success.


Making the transition from CAPEX to OPEX from the perspective of cyber security

The transition from hardware and software assets to cloud services is one effective measure for flexible production that responds to changing supply and demand. From the perspective of cyber security, the transition also has the following merits: companies can avoid owning excessive assets, avoid technological obsolescence, and share responsibilities with cloud service providers. Cyber security risks can be calculated by multiplying threats by vulnerabilities. The transition is also advantageous to companies in reducing legacy assets with vulnerabilities that cannot be fixed, comprehending the assets that they do possess, and fixing vulnerabilities.

On the other hand, some threats have emerged as the use of cloud services has become widespread for operations in factories. Joint research by Trend Micro and the Polytechnic University of Milan concerning cyber threats to smart factories demonstrated the feasibility of an attack in which an EWS overlooked the intrusion of malicious code from a cloud library, which resulted in tampering of data from IoT sensors, and an attack in which an MES was exploited to make processing equipment malfunction through database intrusion. Another research study focused on protocol gateways, which handle protocol conversion for IT and OT in factory systems, and found several severe vulnerabilities in assets that were not managed as software.

Not all assets and business operations are migrated to cloud services and digitalized; only part of the systems, production processes, and supply chains are shifted. Therefore, cyber security is to be provided for system environments in which on-premise systems coexist with cloud systems and OT coexists with IT, and the business operations that utilize them. The major issues are how to apprehend security incidents across the entire mixed environment and deal with them at an early stage as well as how to ensure visibility for identifying the scope of incident impacts. From the perspective of CAPEX and OPEX as they relate to the security, mitigation measures that can be introduced without modifying existing facilities, the transitioning of security tools to SaaS, and the use of managed services are effective options.

The use of cloud services and the transformation of business operation processes will surely require security approaches that differ from conventional ones. As companies digitize OT operations, which vary more greatly than IT by company and by business type, it may be difficult to apply a uniform model for cyber security. It is desirable to carry out a qualitative risk assessment based on the new business operation processes and support systems of each organization while referring to practices released by various institutions and companies. We recommend that you assess the impacts on the availability and confidentiality of your operations and assets for your businesses after referring to our aforementioned research and after identifying threat scenarios and vulnerabilities. Prioritizing the threat scenarios to be considered and the assets to be protected will enable you to avoid ineffective investments and excessive countermeasures. We hope that our information and the solutions presented in this series of blog posts will help you to devise and implement a security plan that is suited to you.


Download: Best Practices for Securing Smart Factories: Three Steps to Keep Operations Running

Download: ebook: Strategic Investments to Secure Smart Manufacturers

Download: Practical Risk Assessments for Smart Factories

This website uses cookies for website functionality, traffic analytics, personalization, social media functionality, and advertising. By continuing to browse, you agree to our use of cookies.
Learn moreprivacy policy