Security in Industry 4.0
Industry 4.0 and security - quo vadis?
Security in the industrial environment has many facets. A distinction must also be made between safety and security and between the different perspectives of OT and IT. An overview.
By Udo Schneider
Security is and remains one of the dominant topics in the Industry 4.0 environment. This applies to both OT and IT - whether as a concern for one group or an opportunity for the other. However, the topic of security in this context is often characterized by misunderstandings and sometimes even contradictions. Some of these contradictions will be highlighted below and possible solutions presented.
Security versus safety
German uses a single word, "Sicherheit", that is not clearly defined. English, by contrast, distinguishes clearly between "safety", i.e. the risk to operators, processes and the environment, and "security", which is often used synonymously with IT security today. Both protection goals are important, but everyone involved must be clear about which protection goal is under discussion. In reality, however, the same term is often used to mean different things: one person is talking about safety, another about security. Unfortunately, this is not the only term that can lead to confusion. Even terms such as "risk assessment" are understood differently in OT and IT.
In the area of functional safety, the assessment is based on parameters such as the severity of the injury, duration of exposure or structural mitigation measures. Security, on the other hand, uses terms such as vulnerability, attack surface or patch cycle. In addition, the associated processes differ from one another.
With functional safety, the risk assessment process is "classically" completed at some point. Either the existing risks can be mitigated and the (acceptable) residual risks documented, in which case a machine, for example, can be delivered; or the risks cannot be reduced to an acceptable level, in which case no delivery takes place.
The risk assessment process in security, on the other hand, is cyclical from the outset and is therefore never complete. Every change in the risk situation, for example due to new security vulnerabilities, requires a re-evaluation of the process.
This difference is well known and has now been addressed. Recent industry standards also deal explicitly with IT processes. One example of this is IEC 62443/ISA99. For OT, this results in standardized procedures for dealing with IT security. Perhaps even more importantly, however, these standards give IT a guideline as to what security in the OT area should and may look like. They also clearly define the position of IT in the project (in terms of content as well as time) and the terminology to be used. You could say that these standards are a kind of dictionary that gives IT the language and concepts of the industry; at the same time, however, they also clearly show the - not omnipotent - position of IT. After all, IT is not an end in itself in this environment, but a service provider!
Define protection goals
If you ask IT security experts about the most important protection objectives, you often hear "CIA" - confidentiality, integrity and availability. With OT, on the other hand, it is very often "AIC" - in that order. The focus is therefore more on availability, followed by integrity. Both sequences make sense on their own, especially in non-networked industrial environments. Things become critical in networked production. The "patch at all costs" approach typical of IT does not really make sense in this context, nor does the "never patch in the name of availability" approach typical of OT. In many environments, on the other hand, the focus is on integrity as the primary protection goal. After all, what use is encrypted data if it has been corrupted? Or what use is the availability of a cell if parts are processed incorrectly? Integrity thus emerges here as one of the primary protection goals of networked production.
In terms of trustworthiness, integrity is even the basis for subsequent protection goals. This naturally includes safety and security, but goes far beyond this with objectives such as privacy and resilience.
The purpose of security
Most people instinctively understand why safety is necessary. After all, one's own health is something that is generally highly valued. When it comes to security, the question of "why" is more complex. The idea of IT security as an end in itself is perhaps sensible and appropriate in the office IT environment. After all, the danger posed by inadequately secured systems there is greater than the possible side effects of security mechanisms.
In the OT area, the question of the "why" of security is absolutely essential, as the impact may be considerably greater - and often not just financially. In the area of office IT, explanations often fall back on the simple pairing of "threat" on the one hand and "solution" on the other. However, if - as in OT - a very specific risk due to faulty security comes into play, security experts must also accept the question of whether the measure makes sense. What's more, they must be able to demonstrate the benefits of introducing this security function.
IT and OT under one roof
Industry 4.0 can only work if OT and IT work together. Different terms or different definitions of them must not prevent cooperation. Fortunately, cooperation becomes easier with newer standards as a "translation aid". However, this also means questioning or expanding cherished truths. After all, the context in which they were created is also changing. In particular, it is the task of IT to see itself as a service provider, to speak the language of the customer - in this case the industry - and to understand these environments. This also includes questioning and possibly adapting one's own priorities, as well as being willing to explain and justify cherished truths or to adapt them to current circumstances if necessary.
Udo Schneider, Security Evangelist at Trend Micro / ag