Mastering Industry 4.0 securely

Sooner or later every company has to deal with Industry 4.0: it offers immense potential, but it also brings difficulties. Vulnerabilities in devices are (unfortunately) omnipresent, and the volume of malware and exploits keeps growing. Nevertheless, IoT and IIoT still rank among the most underestimated cyber security threats. Establishing cyber security in the fast-growing Industry 4.0 landscape calls for a holistic approach.


Buzzwords such as Industrial Internet of Things (IIoT), Industrial Control System (ICS) or SCADA are just a few of the terms that refer to subareas of networked production, or Industry 4.0. Experts estimate that within a few years eight out of ten Swiss companies will have (I)IoT components in use. Connectivity is thus linking business areas that were previously independent of each other. In the past, production environments were usually planned and implemented as offline, stand-alone solutions. Many of these isolated solutions are now being "modernized" and retrofitted for digital communication, and security is rarely given sufficient consideration. The reasons are not only the advantages of digital integration but also concerns about competitiveness and existing investments in production facilities. Unfortunately, no digital system is absolutely secure to date, least of all machines and control systems that were never designed and developed to communicate with external systems. Connecting them increases the risk that precisely these systems will be manipulated¹. Theft, fraud, blackmail and manipulation are possible consequences. Nevertheless, basic security principles that have counted as best practice in traditional IT for years often do not find their way into the development and maintenance cycle of IIoT systems.

Trust is crucial in Industry 4.0

Security and safety are often still treated as separate worlds, which leads to imbalances: while safety is governed by clear guidelines and requires elaborate assessments, security is badly neglected. With IIoT, however, production environments are evolving into an open OT (Operational Technology) world in which critical systems are no longer isolated. All of a sudden, new questions arise:

  1. How do you protect networked machines from third-party access?
  2. Which data do you absolutely want to keep in the company?
  3. What data do you share with business partners?
  4. What data might be published in full?


With Industry 4.0, success will depend on security, because only those who enjoy the trust of customers and partners on security and data protection issues can operate successfully. Customers are far more sensitive to this than they were a few years ago.

Security with system, responsibility and competence

Cyber security therefore belongs at the top of every agenda, and not only after something has gone wrong. Anyone who deals with IIoT and Industry 4.0 must also deal with security. International standards (e.g. the ISO/IEC 27000 series or the NIST Cybersecurity Framework) offer recognized models for establishing, implementing, reviewing and continuously improving security on the basis of an information security management system (ISMS). If an ISMS is to be established in the context of Industry 4.0, a holistic approach is required that encompasses the traditional IT landscape as well as development and production IT. This is the only way to achieve information security goals, minimize corporate risk and meet regulatory requirements.

Implementing an ISMS requires defining roles and responsibilities. A CISO is responsible for information security and also assumes the governance function across company divisions: he or she owns, designs and controls security in traditional IT as well as in development and production IT. This function must be appropriately integrated into the organization and equipped with the necessary authority and competencies. Last but not least, people play a decisive role in establishing security holistically, so all employees must be made aware of the risks and trained accordingly.

Cross-company understanding of security

But this alone is not enough. For security and sustainable risk management in Industry 4.0, it is essential that a company knows the critical assets that require protection. These include, for example, plant and machinery, production processes and procedures, and data such as manufacturing parameters, recipes and process know-how. They must be documented accordingly and updated at regular intervals. In doing so, it is important to identify the possible threats to, and interrelationships between, the individual assets. From the probability of occurrence and the expected extent of damage, the criticality and protection needs of each asset are derived, and from those the measures. In the context of Industry 4.0, this requires a cross-company understanding and a uniform classification of the data. This is the only way to guarantee security across company boundaries and rule out misunderstandings.

Segment, identify and authenticate

Technologically, a key to security in Industry 4.0 networks lies in suitable authentication, architecture and zoning. Segmentation in IT and production IT usually means vertical separation (between the enterprise, operations and control levels); plant subnets can additionally be separated horizontally (one production cell or line from another). Zones with similar protection needs must be identified and separated from each other by technical means. This creates several lines of defense that protect data and assets through the segmentation of environments, data flows and operating processes, while the zone transitions themselves are monitored.
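The following is an added example, not code from the article or from InfoGuard, of what the zoning described above looks like once it is written down as an enforceable policy: vertical zones (enterprise IT, DMZ, plant operations, control) with a defined conduit between neighbouring zones, a rule that traffic inside a zone is allowed, that traffic across a zone boundary is allowed only through a defined conduit with a permitted protocol, and that everything else (zone skipping, wrong protocol, an asset that is not inventoried in any zone) is denied and reported. The zone names, subnets, conduits and flow records are all constructed assumptions for illustration.

```python
"""Zone-and-conduit check for IIoT network flows (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone name -> subnets. Hypothetical addressing.
ZONES = {
    "enterprise_it": ["10.0.0.0/16"],
    "dmz":           ["10.10.0.0/24"],
    "plant_ops":     ["192.168.10.0/24"],   # HMIs, historian, engineering workstations
    "control":       ["192.168.20.0/24"],   # PLCs and controllers
}

# Conduits: (initiating zone, target zone) -> protocols permitted on that transition.
# Transitions not listed are denied. Return traffic is handled statefully by the
# enforcement point, so only connection initiation is modelled here.
CONDUITS = {
    ("enterprise_it", "dmz"):  {"tcp/443"},
    ("dmz", "plant_ops"):      {"tcp/443"},
    ("plant_ops", "control"):  {"tcp/502", "tcp/44818"},   # Modbus/TCP, EtherNet/IP
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp/<port>" or "udp/<port>"

def zone_of(addr: str):
    """Return the zone an address belongs to, or None if it is not inventoried."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in ip_network(n) for n in nets):
            return name
    return None

def evaluate(flow: Flow):
    """Return ('allow' | 'deny', reason) for a single connection attempt."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "asset not inventoried in any zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    permitted = CONDUITS.get((src_zone, dst_zone))
    if permitted is None:
        return "deny", f"no conduit {src_zone} -> {dst_zone}"
    if flow.proto not in permitted:
        return "deny", f"{flow.proto} not permitted on conduit {src_zone} -> {dst_zone}"
    return "allow", f"via conduit {src_zone} -> {dst_zone}"

def audit(flows):
    """Group observed flows by verdict so every zone transition can be reviewed."""
    report = {"allow": [], "deny": []}
    for f in flows:
        verdict, reason = evaluate(f)
        report[verdict].append((f, reason))
    return report

# Constructed sample of observed connection attempts.
SAMPLE_FLOWS = [
    Flow("192.168.10.5", "192.168.20.7", "tcp/502"),    # HMI -> PLC over Modbus: allowed
    Flow("192.168.20.7", "192.168.20.8", "tcp/502"),    # PLC -> PLC, same zone: allowed
    Flow("10.0.3.4",     "192.168.20.7", "tcp/502"),    # office host skipping zones: denied
    Flow("192.168.10.5", "192.168.20.7", "tcp/22"),     # SSH on the ops->control conduit: denied
    Flow("192.168.20.7", "10.0.3.4",     "tcp/443"),    # PLC initiating towards the office: denied
    Flow("172.16.0.9",   "192.168.20.7", "tcp/502"),    # uninventoried source: denied
]

if __name__ == "__main__":
    for verdict, entries in audit(SAMPLE_FLOWS).items():
        for flow, reason in entries:
            print(f"{verdict:5} {flow.src:>14} -> {flow.dst:<14} {flow.proto:10} {reason}")
```

The point of `audit` is the "monitoring the zone transitions" half of the paragraph: the same policy that the firewall between zones enforces is run over observed flows, so a connection that skips a zone (office host straight to a PLC) or uses an unexpected protocol on a legitimate conduit shows up as a finding rather than disappearing into normal traffic.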

Secure identities are the start of the chain of trust in automated communication. Every communication partner in the value network needs a (secure) identity that is suitable for its intended purpose and allows unique identification and, where necessary, authentication. Identity management is already common practice in IT; it must be extended to production and guaranteed beyond the boundaries of the company, since this is the only way to ensure security in the highly networked system landscape of Industry 4.0. Neither segmentation nor identity management requires reinventing the wheel: here, too, proven best-practice approaches should serve as a guide and be adapted.
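As an added example (not code from the article or InfoGuard), here is what "unique identification and, if necessary, authentication" of a communication partner means in running code: a server-side registry of enrolled device identities, a fresh challenge per login, a keyed response from the device, and a proof sent back so that the device also knows it is talking to the real backend. HMAC-SHA256 with a per-device secret is used so that the demo runs on the Python standard library alone; a production chain of trust would instead use certificates issued by the company's PKI and TLS, which is the assumption being simplified here. Device IDs and keys are constructed for illustration.

```python
"""Device identity and mutual challenge-response authentication (added example)."""
import hashlib
import hmac
import secrets

def _tag(key: bytes, direction: bytes, device_id: str, nonce: bytes) -> bytes:
    # Domain separation: a device->server response can never be replayed as a
    # server->device proof (or vice versa), and the identity is bound into the tag.
    return hmac.new(key, direction + b"|" + device_id.encode() + b"|" + nonce,
                    hashlib.sha256).digest()

class Device:
    """An IIoT component that holds its own identity and secret."""
    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return _tag(self._key, b"device->server", self.device_id, nonce)

    def verify_server(self, nonce: bytes, proof: bytes) -> bool:
        expected = _tag(self._key, b"server->device", self.device_id, nonce)
        return hmac.compare_digest(expected, proof)

class Registry:
    """Server side: only enrolled identities can authenticate, each challenge once."""
    def __init__(self):
        self._keys = {}          # device_id -> secret provisioned at commissioning
        self._pending = set()    # challenges issued but not yet consumed

    def enroll(self, device_id: str, key: bytes) -> None:
        self._keys[device_id] = key

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def authenticate(self, device_id: str, nonce: bytes, response: bytes):
        """Return (ok, server_proof). An unknown identity, a wrong key or a
        replayed/unissued nonce all fail; a challenge is usable exactly once."""
        key = self._keys.get(device_id)
        if key is None or nonce not in self._pending:
            return False, None
        self._pending.discard(nonce)   # one attempt per challenge, whatever the outcome
        if not hmac.compare_digest(_tag(key, b"device->server", device_id, nonce), response):
            return False, None
        return True, _tag(key, b"server->device", device_id, nonce)

def run_handshake(registry: Registry, device: Device) -> bool:
    """Full mutual exchange; True only if both sides proved possession of the key."""
    nonce = registry.challenge()
    ok, proof = registry.authenticate(device.device_id, nonce, device.respond(nonce))
    return bool(ok and proof is not None and device.verify_server(nonce, proof))

if __name__ == "__main__":
    key = secrets.token_bytes(32)                   # provisioned out of band at commissioning
    registry = Registry()
    registry.enroll("plc-07", key)
    print("enrolled device:", run_handshake(registry, Device("plc-07", key)))
    print("wrong key:      ", run_handshake(registry, Device("plc-07", secrets.token_bytes(32))))
    print("unknown device: ", run_handshake(registry, Device("hmi-01", key)))
```

Two details carry the security of the exchange: the registry only accepts nonces it issued itself and discards each one after a single attempt, so a captured response cannot be replayed; and the direction string inside the tag means a device's own response is never accepted as the server's proof, so reflecting traffic back at a device does not authenticate an impostor backend. In a real deployment pending challenges would also expire after a short time.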

Suppliers and partners in the value chain

In Industry 4.0, as in the traditional IT landscape, all hardware and software components must be inventoried and documented. On this basis, rules can be established for introducing software updates or new software and hardware components. It is advisable to set clear security requirements for suppliers and to establish targeted supplier risk management, since security gaps in the value chain can quickly become a risk for all parties involved. Suppliers should therefore provide appropriate documentation for the components supplied and the security mechanisms implemented. At the same time, unused services and functions of hardware and software components should be deactivated, i.e. the components hardened. In addition, new systems should be tested, for example with a penetration test, before going into operation.

IIoT security is not a one-time affair, as the risk situation is constantly changing. Companies must continuously monitor the current threat situation and improve their security posture, taking new threats and vulnerabilities into account. Important elements of security governance therefore include risk assessments, organizational audits, system security testing, penetration tests and vulnerability scans. At the same time, companies must be able to detect security incidents at any time, respond to them quickly and minimize their impact.

Specific emergency concepts are needed for recovery from events such as the failure of hardware components, data altered by external influences, cyberattacks or "just" a power failure. This includes regular backups of the relevant data and programs for the production-relevant parts of the plant. Security is therefore not a topic to be addressed after the fact, possibly only once an incident has occurred. Anyone who deals with Industry 4.0 must also deal with cyber security. This is the only way to build trust across company boundaries among all parties involved.

¹ Report from MELANI (the Swiss Reporting and Analysis Centre for Information Assurance)


Author

Markus Limacher

Head of Security Consulting, InfoGuard AG

