Mastering the Industry 4.0 security challenge
Factory and process automation are now reaching new levels of integration which opens the way to considerably higher degrees of efficiency, process control and flexibility. However, it also calls for increased security to protect the whole factory from malware and unauthorised intrusion, says Maximillian Korff.
As industry strives to reach new levels of efficiency in industrial production systems and process plants, automation systems and information technology will merge, while remote access, process monitoring, control and maintenance will reach new levels.
Big data will offer new insights and help to efficiently control processes and boost plant availability. With increasingly more connected devices in the Industrial Internet of Things (IIoT), islands of automation will disappear – which is why reliable, secure and future-proof industrial communication networks are crucial.
Siemens knows from experience that cyber-attacks must not be taken lightly. As a global player in the automation field and operator of many factories worldwide, the company has, therefore, adopted a philosophy that actively addresses this issue – and has embedded system security into its product design, system development and services. For example, with its security integrated components the company has not only integrated communication functions but also special security functions such as firewalls and VPN. It is also collaborating closely with customers to openly address any vulnerability and effectively respond to any system intrusion.
For automation system providers and plant operators alike, system vulnerability will always be a delicate subject but it is vital that, with technology partners this issue must be dealt with in an atmosphere of mutual trust and open communication.
In addition to security, another important product attribute is that commissioning and maintenance work must be possible without requiring any on-site engineering skills. This can be achieved by integrating all hardware configurations into either the engineering software or intelligent plug-ins – eliminating the need for manual configuration on site. Service technicians only have to unplug, replace and re-connect a defective component, without having to worry about configuration issues and potential errors.
Taking a holistic approach
System security needs to go far beyond an effective firewall. Considering the ever-present threat of cyber attacks, a holistic approach is required that extends from physically protecting facilities based on an effective access control system, all the way to addressing software issues, such as frequent security patches and updates.
Siemens has established the secure-by-design hardware and software development process which actively integrates all relevant security issues right from the start. In all development projects, the project manager works with a dedicated security expert who is responsible for a comprehensive security review of the requested features and design, and also conducts security testing prior to the release of any product on the market.
The security expert is authorized to stop the release of any project if serious security breaches are identified. The security process must assess and evaluate in detail all threats and risks to the industrial environments where the products will be used. Siemens is also a member of ISA 99, the standardisation body of the international Industrial Security standard IEC 62443, so the company has a clear objective of fully complying with established industry standards. It also actively drives the development of such standards. ?
Security as a quality standard?
As part of the secure-by-design development process, all newly developed hardware components and software are analysed by a team of security experts who look for issues that could make the component vulnerable to external attacks, and thus compromise the security of the overall automation system. This research continues even after the product has been launched into the market.
This is why Siemens security experts collaborate closely with security researchers at universities, security service providers and CERT organisations across the globe. They are able to access the latest security-related information. Any vulnerability that is identified is resolved as quickly as possible by a task force drawn-up specifically for this purpose. Product updates are developed and verified – and security patches are provided to all customers that might be affected.
In other words, these hardware and software products reflect a standard of quality where the emphasis is placed on product security rather than time to market. With the objective of establishing itself as a trusted long-term partner for its customers, based on its secure-by-design development process, Siemens puts far more emphasis on launching a secure product into the market than being the first to introduce a new technology.
Cyber attacks can shut down a complete process plant or manufacturing system. This results in substantial capital loss for the company involved, but also – depending on the industry – it could lead to a great loss of reputation and expose the company to costly liability claims. The goods may even be blacklisted, if they are part of a public infrastructure. As a consequence, more companies are willing to invest in the security of their automation systems. Although investing in hardened products is costlier, it will greatly contribute to lower cost of ownership over the complete life cycle of the system.
Security lifetime services
According to Helmuth Ludwig, chief information officer at Siemens the increasing number of cyber attacks is a fact that cannot be overlooked. However, it must not be seen as a reason to forego the digitalisation of industrial production. Instead, cyber security should be seen as a competitive advantage rather than a cost factor.
Industrial Security is a strategic security concept that is designed to help pave the way to the Digital Enterprise of tomorrow. It is based on the defense-in-depth concept that is proposed in IEC 62443.
Industrial Security not only includes security-related product features, but also the design of automation systems with the help of pre-defined and security-tested software components. It also provides a range of security-related services that continuously monitor automation systems and the development of preventive security measures.
Industrial cyber security is a challenge, but it can be mastered with concerted effort, open communication and dedicated services.
Maximillian Korff is product sales development for Siemens Process Industries and Drives.
Source: Control Engineering Europe - All Articles