The increasing digitisation of industry and of the machinery and devices used in it is evidence of the continuous ongoing development of former industrial processes. The benefits of networking cannot be denied – interaction between multinational locations, intelligent systems with self-diagnostics, self-maintenance and more, shorter response times when production conditions change, seamless integration of customers and suppliers into the value chain... Basically a commercially operated Internet of Things is being created for Industry 4.0. But has safety found its place there too?This connectivity, which is intended to make business and research easier, also entails greater risk. The other side of the coin is that new opportunities for attack are arising for operators of digital devices - and using an Internet connection as the linking method is risk number 1. Every device that has an IP address is a potential source of risk for the internal network and for Internet users. The consequences of compromised industrial equipment are much more far-reaching than those of hacked PCs. Hence higher security requirements are needed in an environment that cannot be more productive and sensitive. The Cyber Security Report just produced by Deutsche Telekom reveals that 90 percent of decision-makers in politics and commerce see IT security as the biggest challenge for the large-scale implementation of Industry 4.0.
LEARNING FROM MISTAKES
Industry 4.0 frequently comes into contact with the Internet of Things (IoT) on various levels – intelligent kitchen equipment, measuring devices on our wrists that go everywhere with us, networked vehicles and much more. For many of us, all this is now integrated into our everyday lives.
But unfortunately, from our experience, it seems that, even with these intelligent devices, secure update mechanisms, password protection, authentication between devices, opting for secure transmission protocols and much more are not being observed in every case. This is because IT security is still not classed as a major problem in the context of the IoT and, for various reasons, is actually being pushed into the background. This default attitude is presenting attackers with opportunities for misuse. The report mentioned above gives us hope to believe a change of awareness in respect of Industry 4.0 is underway.
Hence, when it comes to the process of developing the equipment and networks that need to be set up, it is important for the subject of security to be taken seriously and treated with priority. Specifically, developers of firmware and software need to follow rules. But there is no need to reinvent the wheel; in many cases, technologies that have been proven on the Internet are being used. But equally well proven are systematic attacks on protocols, services and platforms. In this regard people can – or rather must – learn from others.
Luckily there are no standardised platforms for intelligent devices, especially in the IoT area. This slows attackers and malware developers down somewhat – which operating system are they supposed to focus on, for example? However, the downside of this is that there is no security software for the majority of intelligent devices either.
The fact is that anyone using devices for industrial plants in such a networked environment should be aware of the established attacks, adopt the attacker's perspective when doing so, and take into account proven countermeasures when developing any devices that have an IP address. Well-founded training and, especially, continual retraining of those involved going forwards are essential in this regard! Staff members with interdisciplinary skills are a welcome bonus here, as they are able to see the bigger picture and let other points of views influence the way they work.
SECURITY FROM THE VERY OUTSET
"Security is not any kind of miracle pixie dust you can sprinkle onto your product after it has been programmed," said Internet pioneer Dr Paul Vixie at the Internet Security Days 2015.
All too frequently, developers are compelled to release products when they are not ready, because the release date has been irrevocably planned and the market is expecting the product. Development of the version that is actually ready then takes place while the product is already being used on consumers' devices. Unfortunately we see again and again how manufacturers concern themselves with the functionality and user-friendliness of devices, while their awareness of security is less evident. However, integrated security concepts, also called Security by Design, would be preferable.
Development is surely the basis for a functioning, secure environment, but naturally the question occurs at this point as to who is ultimately responsible for operational security. Here again, qualified specialists need to develop and implement customised concepts. Ideally security guidelines and processes will be implemented – not only from above, but also as part of a security culture within the company, thus reducing risk at every level.
MOVING FORWARDS TOGETHER
Just-in-time production and delivery, agile methods are things we cannot imagine working life without now. Yet security must find a prominent place in this next step of the industrial revolution. You want to know that your data is secure against digital espionage, manipulation and cyber extortion – just as a fireman wants to depend on his clothing being fireproof and know that the protective layer of material will not be sewn in after the first mission.
Industry 4.0 is set to become a major source of revenue for a great many areas of business and research institutions. However, the important thing is the collaboration between the various faculties and experts. This is not – as has been critically remarked – just an idea on the drawing board; rather, the intention needs to be turned into agile development that means future-orientated advancement for all involved.
We now have the opportunity of bringing fundamental security features into the infrastructure for new technologies when they are still in the development stage. And we need to seize this opportunity. That is being "intelligent" about this concept. Besides smart grids, smart factories, smart cities, smart cars, smart everything else, we also need smart security.