
Smartening up IT security

IT-security is a major success factor for realising the benefits of smart factories, without risking serious damage to factory operations, sensitive data, machines or even people and the environment, as Paul Taylor of TUV SUD Product Service explains.

Industry 4.0’s fourth industrial revolution brings fully connected, self-organising and intelligent factories. Enabling smart factories to digitise processes that support highly flexible, automated ‘plug and produce’ manufacturing, Industry 4.0 includes cyber-physical systems, the Internet of Things (IoT) and cloud computing.

In a major paradigm shift for industry, advanced sensors are already finding their way into modern manufacturing lines, facilitating informed decision-making and impacting business models and the daily operations of factories. But this is just the beginning, and industrial manufacturing will face massive disruption as Industry 4.0 develops.

As the convergence of enterprise IT and operational technology sees systems and devices exchanging and interpreting shared data, one of these disruptions is dealing with IT-security. It is not only the technical aspects that must be addressed, but also organisational, procedural, legal, and general awareness measures. Managing these risks proactively is already required by corporate governance guidelines such as SOX, Basel II or KonTraG, and increasingly by national or European IT-security regulations. IT-security must therefore be a top management priority, requiring close cooperation between all departments.

While the smart components that control the production process face the IT-security risks that are common to all IT-systems, smart factory security cannot be considered a simple extension of office IT security. In order to realise the benefits of what Industry 4.0 has to offer industry, without exposing business operations to risk, it is essential to deal with IT security measures at the early planning stage.

There are a wide variety of possible vulnerabilities in the smart factory of the future, including:

  • Lack of knowledge in the manufacturing industry about how to apply IT security protection to systems (machinery) that have traditionally not required it, operate very differently from office-based IT and may also still be running legacy systems, with which more modern cyber security software is incompatible.
  • Merging traditional ways of working with the needs of the smart factory, as external systems, such as USB drives used for machine maintenance, monitoring or programming, can infect one machine, with the infection then passed on through the smart network.
  • Remote maintenance by equipment suppliers or subcontractors requires a connection to their network, which may be infected or have less stringent IT security.
  • Existing machines on the factory floor that lack digital identification and authentication functionality cannot be sure that operating instructions received over the network are from an authorised person.
  • The smart tags on components or the final product being produced may be manipulated by an attacker.

IT security risks can be mitigated, and as with any risk they must be identified, analysed and prioritised as part of the smart factory planning. Preventive measures include:

  • Raising and maintaining employee awareness through IT-security training. This is a relatively simple issue to tackle and prevents the most common problems, which are often unintentionally created by employees.
  • Implementing an information security management system, which delivers the continuous monitoring and improvement of IT-security, and which should be managed by a specialist, using international standards.
  • IT-security audits should be performed by an accredited certification body, something that customers and business partners within the supply chain will increasingly ask for before they are happy to connect a smart factory to their own system.
  • Regular penetration tests identify any security weaknesses within the IT system, which could be exploited by hackers.

End-to-end encryption and electronic signing of sensitive communications, whether originating from a person, a control system or a sensor, are also an important principle. However, the real-time control environments associated with Industry 4.0 will make this a challenging concept to achieve. Only end-to-end encryption can ensure that:

  • Unauthorised persons or machines cannot access data on the system
  • Data cannot be corrupted or manipulated by hackers
  • The receiver can be sure the information originates from a trustworthy source

The robust authentication of all people, machines and processes is also critical. For example, every machine operator and maintenance engineer should electronically identify themselves before performing an activity. The separation of subsystems in the overall smart factory architecture would also assure that potential attacks can be constrained to one single production line or specific production processes, without spreading across the entire factory. Of course, Business Continuity planning is also a key consideration, to ensure that the entire organisation is prepared for dealing with an IT-security incident.

Data and information exchange is a key part of the smart factory business model. This of course results in vast volumes of data being generated and processed, which raises questions about data ownership: who ‘owns’ the data generated, exchanged and analysed, and how should this business data be protected? It also unleashes questions of privacy: how can the protection of personal data of employees and customers be assured in a smart factory environment?

Smart factories must therefore protect and control the use of data by suitable organisational, technical and contractual measures, such as:

  • Use agreements – to determine the scope of data usage and its purpose, and which should contain obligations with respect to security and organisational measures, as well as erasure and return requirements.
  • Continuous monitoring of data generation and use - to assure contractual and regulatory obligations are properly implemented.
  • Technical measures – to reduce uncertainty about the origin, manipulation and usage of data, such as signature of data and authentication of machines and operators.
  • Data Protection compliance should be considered from the early planning stages of smart factory implementations.

The connected world of Industry 4.0’s smart factories adds a new and significant dimension of complexity. Consequently, while Industry 4.0 is a growing reality, much of it still remains a concept as the shift to this new method of working requires significant financial investment in new plant.

The intensive communication and huge amounts of data characterising smart factories bring IT security to the forefront as a major success factor for realising the benefits of Industry 4.0. IT security should therefore be a key consideration in all stages of planning a smart factory, rather than something that is considered at a later stage, carrying the same level of importance as other crucial business considerations.
