IT security is a major success factor for realising the benefits of Industry 4.0. It must be a top management priority, says Paul Taylor, head of industrial products (UK) at global product testing and certification organisation TÜV SÜD Product Service.
While the third industrial revolution was characterised by a shift from analogue electronic to digital control technologies, Industry 4.0’s fourth industrial revolution brings fully connected, self-organising and intelligent smart factories.
Key technological enablers like the internet of things, big data, cyber-physical systems and cloud computing are having an impact on business models and the daily operations of factories by making possible the digitisation of processes that support highly flexible, automated “plug and produce” manufacturing.
In a major shift for industry, advanced sensors are already finding their way into modern manufacturing lines, facilitating informed decision-making, and influencing business models and the daily operations of factories. But this is just the beginning, and industrial manufacturing will face massive disruption as Industry 4.0 develops.
The intensive communication and huge amounts of data characterising Industry 4.0 also bring new challenges. As the convergence of enterprise information technology and operational technology results in systems and devices exchanging and interpreting shared data, one of these challenges is dealing with IT security.
As Industry 4.0 uses more complex IT, these systems are exposed to more avenues of attack, and a successful attack has the potential to cause a much more severe impact than one on office automation systems. For example, hackers could tap into smart factory networks and steal valuable information about customers, product designs or production processes.
This means that IT security is a major success factor for realising the benefits of smart factories without risking serious damage to factory operations, sensitive data, machines or even people and the environment.
Successful IT security for smart factories cannot be considered a simple extension of office IT security. Firewalls and virus scanners are basic protection mechanisms in office IT systems, but they have limited value in smart factories. It is not possible to install a virus scanner on a 10-year-old production machine running a legacy operating system that is incapable of being updated and has real-time performance requirements. It is therefore essential to deal with IT security measures at the early planning stage.
There is a wide variety of ways in which the smart factory of the future could be vulnerable. These include a lack of knowledge in the different industry sectors about how to apply IT security protection to machinery that has traditionally not required it. Such systems can operate very differently from office-based IT and may still be running legacy communication networks, with which more modern cyber security software is incompatible.
Another is merging traditional ways of working with the needs of the smart factory. External systems, such as USB drives used for machine maintenance, monitoring or programming, can infect one machine, and the infection can then be passed on through the smart network.
Remote maintenance by equipment suppliers or subcontractors requires a connection to their network, which may be infected or have less stringent IT security. Likewise, any existing machines on the factory floor which lack digital identification and authentication functionality will not have the capability to verify that operating instructions received over the network are from an authorised source. There is also the risk that smart tags on components or the final product being produced may be manipulated by an attacker.
It is not only the technical aspects that must be addressed, but also organisational, procedural, legal, and general awareness measures. Management teams must understand not only the business potential but also the risks of smart factory implementations, actively managing both in order to assure sustainable growth.
Security risks can be mitigated, and they must be identified, analysed and prioritised as part of smart factory planning. Preventive measures therefore include raising and maintaining employee awareness through training, which is a relatively simple issue to tackle and prevents the most common problems. Implementation of an information security management system will provide continuous monitoring and improvement of IT security. The IT team should conduct regular penetration tests to identify any security weaknesses in the IT system which could be exploited by hackers.
To make sure this is all being done appropriately, IT security audits should be performed by an accredited certification body, something that customers and business partners in the supply chain will increasingly ask for before they are happy to connect a smart factory to their own system.
End-to-end encryption and electronic signing of sensitive communications, whether originating from a person, a control system or a sensor, are also an important principle. However, the real-time control environments associated with Industry 4.0 will make this a challenging concept to achieve.
Only end-to-end encryption can make sure that:
• unauthorised persons or machines cannot access data on the system
• data cannot be corrupted or manipulated by hackers
• the receiver can be sure the information originates from a trustworthy source.
The robust authentication of all people, machines and processes is critical. For example, every machine operator and maintenance engineer should electronically identify themselves before performing an activity. Separation of subsystems in the overall smart factory architecture would also assure that potential attacks can be restricted to one single production line or specific production processes, without spreading across the entire factory. Business continuity planning is a key consideration, to make sure the entire organisation is prepared for dealing with an IT security incident.
Data and information exchange are a key part of the smart factory business model. This results in vast volumes of data being generated and processed, and raises questions about data ownership – who “owns” the data generated, exchanged and analysed and how should this business data be protected? It also unleashes questions of privacy – how can the protection of personal data of employees and customers be assured in a smart factory environment?
Smart factories must therefore protect and control the use of data by suitable organisational, technical and contractual measures. This should include use agreements, which will determine the scope of data use and its purpose, alongside continuous monitoring of data generation and use. Other technical measures can be taken to reduce uncertainty about the origin, manipulation and use of data, such as signature of data and authentication of machines and operators. And it goes without saying that data protection compliance should be considered from the early planning stages of a smart factory implementation.
The required information flow across external communication networks raises questions about IT security, which was not relevant in an era in which machines were only programmable locally and were not connected to any other infrastructure beyond the power plug. Today even a machine that is not directly connected to the internet may be targeted, for example by using a service engineer’s PC or laptop as a relay station. And in instances where older machines are connected to the outside world, additional measures are needed to protect valuable information from leaking out or malicious software disrupting production processes.
These challenges bring IT security to the forefront as a success factor for realising the benefits of Industry 4.0. IT security must therefore be a top management priority, requiring close cooperation between all departments. It should also be a key consideration in all stages of planning a smart factory, carrying the same level of importance as other crucial business considerations, rather than something that is considered at a later stage.