In the world of production, the digital transformation is making appreciable headway under the motto “Industry 4.0.” The advantages are obvious: connected machines and systems offer insight into the status of individual orders, provide comprehensive process control, enable monitoring of inventory levels and consumables in real time, ensure fully automated processes, and proactively notify operators when maintenance is and will be required.
Nevertheless, the gains in efficiency, transparency, and flexibility within the production and manufacturing process environment also entail risks: conventional fieldbuses, such as Profibus, Profinet, Modbus RTU, and CC-Link are increasingly being replaced by Industrial Ethernet. The resulting increase in connectivity and addressability of systems via Internet Protocol (IP) also increases the risk of unauthorized access to control software or sensitive company information. In the worst case, this puts the operation of entire production networks or lines at risk, and sometimes even supply chains or customer processes. Potential consequences include enormous sales losses or even regression payments or fines.
And yet, the need for security measures that keep pace with increasing digitalization and connected industrial facilities is often underestimated. There are some common misconceptions that indicate an inadequate risk awareness; we’ve drawn on those to derive “5+1 good reasons for industrial cyber security.”
5+1 good reasons for industrial cyber security
“Production won’t be attacked. There are far more likely targets.” – Wrong!
Correct would be: Due to a continued low level of protection, manufacturing is a very likely target.
“Production isn’t an attractive target because it isn’t a direct financial transaction.” – Wrong!
Correct would be: Manufacturing is a major part of the supply chain, which is readily susceptible to extortion and is thus a very attractive target.
“My production isn’t interesting or lucrative enough.” – Wrong!
Correct would be: Many of the current threats are highly automated and specifically developed to run on their victims’ systems.
“Cyber security is too expensive for production. It’s not worth the investment.” – Wrong!
Correct would be: Cyber security isn’t an option, but an absolute must. Additional future tightening of legal provisions and insurance regulations will only create additional pressure to introduce comprehensive cyber security measures.
“My production isn’t connected. I’m safe!” – Wrong!
Correct would be: Even unconnected production IT can be affected, for instance through local maintenance processes using a PC and uncontrolled USB interfaces.
- +1 “Cyber security adds no value to my production.” – Wrong!
Correct would be: The cyber security of your production will give you a significant competitive advantage going forward, as well as an additional selling point.
Recognizing that IT security isn’t merely a nice-to-have, but a must-have for connected, digital industrial manufacturing is just the first important step. The issue of implementing and effectively realizing industrial IT security still remains.
Good practice: protective measures in existing manufacturing
In traditional industrial IT, it’s difficult to implement protective measures on the systems themselves, so individual machines or security zones in the production line should be protected by upstream systems. In manufacturing IT, a zone model of this kind uses firewall systems of varying security levels to explicitly allow only essential communication (based on the respective source and target information) and secure, authorized, and authenticated remote maintenance access. In addition, anti-virus software or intrusion protection functions and application and user recognition and control can be installed on these security systems and updated at any time.
Another crucial requirement is a higher-level operating and emergency plan. All parties concerned should take care to ensure that the necessarily complex security environment resulting from the multiple security zones is easy to administrate and allows updates and modifications, legally compliant reporting, and change management.
Best practice: end-to-end security by design
The situation is different when originally establishing a digitally controlled, connected smart factory with all its opportunities for greater effectiveness and efficiency in production. In this case, a comprehensive concept for industrial cyber security can be integrated into the software and hardware controls for the production lines right from the start and implemented in the form of extensive IT security measures. The initial focus of the cycle of prevention, recognition, emergency response, and improvement can be aimed at sustainable security throughout the production line’s service life.
The goal of such a chain of recurrent measures is to achieve comprehensive end-to-end security by design. The production facility or entire production areas are viewed as a connected IT-based system and are developed, together with all of their related and connected systems, on the premise of comprehensive IT security right from the outset. In this way, security is embedded as an important core element in planning intelligent manufacturing in Industry 4.0.
You can find a detailed technical article (available only in German) on holistic IT security in the Industry 4.0 production environment by ESCRYPT Security Engineer Norman Wenk at https://www.all-electronics.de/warum-industrial-cyber-security-zwingend-notwendig-ist-und-wie-man-sie-umsetzt/