Peter Kronfeld
Peter Kronfeld, born in 1962, has always taken great interest in the subject of technological change in the economy, society and business. This already started when he was a student of economics and communication and he has been keeping track of these topics as a journalist and as managing director of HighTech communications GmbH until today.

IT security in Industry 4.0 – New guideline provides food for thought

Guidelines for security in the IoT

(image: copyright Plattform Industrie 4.0)

Supported by the Federal Ministry for Economic Affairs and Energy, the “Plattform Industrie 4.0” initiative has issued a new guideline: “IT Security in Industry 4.0” (link for download: English brochure / German brochure). It includes important ideas for companies that plan to network their production in terms of Industry 4.0.

Privacy of machine data

As I recently addressed in a post on this subject, security becomes an important issue for a smart factory as soon as Internet-connected IT systems are included in the network. On the other hand, one of the basic ideas of Industry 4.0 is the integration of supply chains across locations and companies. But if you network your production, you create potential targets for espionage. The problem: we have proven recommendations and standards for classic IT security, but not for the privacy of machine data. The recently published guideline is supposed to provide some basic tips.

Information Security Management System

It recommends the installation of an information security management system (ISMS) as per ISO/IEC 27001 with a corresponding Plan – Do – Check – Act cycle. The ISMS determines with which methods and tools management should govern, plan, implement, execute, monitor and improve security-related tasks and activities. Focusing initially on processes and responsibilities, IT security should be introduced enterprise-wide, including in all production and supply chain areas that were not traditionally included in such endeavors.

Of particular interest is the guideline’s next chapter, which covers risk management. The goal is to find out and document the value of the company’s information and how worthy of protection it is. What are the critical assets? With which information, for example, would a competitor gain access to manufacturing know-how? How can customer secrets be divulged? What must be protected? How high is the risk of a data security breach? What measures are needed? Who is responsible?
By the way, such analyses are useful in any case, because sensitive data may be lost long before everything is networked.

Important concept: Safety zones

Defining protection levels is not only important for risk assessment purposes – it is also a good organizational approach. The goal is to identify zones with similar protection requirements and separate them from each other. Communication between the zones may continue, but the transfer points must be clearly defined and appropriately protected. Needless to say, remote access points are especially critical. Network communication control, monitoring, troubleshooting and cryptography are just a few points being addressed by the guideline, along with identity and access management, authentication, and permission management. Let me summarize it this way: the network of a smart factory must be administered just like a business-critical IT network.
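To make the zone idea concrete, here is a small added example (my own illustration, not code from the guideline or from Plattform Industrie 4.0) that models a plant as assets grouped into zones, a list of explicitly defined transfer points between zones, and a check that flags every observed flow which either crosses a zone boundary without a defined transfer point, touches a remote-access zone, or involves an asset that is missing from the inventory. All zone names, asset names, services and flow records are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: each asset is assigned to exactly one zone.
# Zone and asset names are illustrative assumptions, not from the guideline.
ZONE_OF_ASSET = {
    "plc-line1": "cell-line1",
    "hmi-line1": "cell-line1",
    "historian": "plant-dmz",
    "mes": "office-it",
    "vendor-jump": "remote-access",
}

# Defined transfer points between zones: (source zone, destination zone, service).
# Traffic that crosses a zone boundary and is not listed here is denied.
CONDUITS = {
    ("cell-line1", "plant-dmz", "opcua/4840"),
    ("plant-dmz", "office-it", "https/443"),
    ("remote-access", "cell-line1", "ssh/22"),
}

# Zones whose transfer points are remote access points and therefore critical.
REMOTE_ZONES = {"remote-access"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    service: str


@dataclass(frozen=True)
class Finding:
    flow: Flow
    verdict: str    # "intra-zone", "allowed", "denied" or "unknown-asset"
    critical: bool  # True when a remote-access zone is involved


def parse_flows(text):
    """Parse constructed flow records of the form 'src dst service', one per line."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, service = line.split()
        flows.append(Flow(src, dst, service))
    return flows


def evaluate(flow):
    """Decide whether a single flow respects the zone / transfer-point model."""
    src_zone = ZONE_OF_ASSET.get(flow.src)
    dst_zone = ZONE_OF_ASSET.get(flow.dst)
    critical = src_zone in REMOTE_ZONES or dst_zone in REMOTE_ZONES
    if src_zone is None or dst_zone is None:
        # An asset missing from the inventory is a finding in itself: it cannot be
        # placed in any zone, so no protection requirement applies to it.
        return Finding(flow, "unknown-asset", critical)
    if src_zone == dst_zone:
        return Finding(flow, "intra-zone", critical)
    if (src_zone, dst_zone, flow.service) in CONDUITS:
        return Finding(flow, "allowed", critical)
    return Finding(flow, "denied", critical)


def check_flows(flows):
    return [evaluate(f) for f in flows]


def summarize(findings):
    """Count verdicts and collect the flows that need a human look."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    needs_review = [
        f for f in findings
        if f.verdict in ("denied", "unknown-asset") or f.critical
    ]
    return counts, needs_review


# Constructed flow records, as a network monitor might export them.
SAMPLE_FLOWS = """
# src dst service
plc-line1 hmi-line1 modbus/502
plc-line1 historian opcua/4840
mes plc-line1 opcua/4840
vendor-jump plc-line1 ssh/22
vendor-jump plc-line1 rdp/3389
laptop-x plc-line1 modbus/502
"""

if __name__ == "__main__":
    findings = check_flows(parse_flows(SAMPLE_FLOWS))
    counts, needs_review = summarize(findings)
    print(counts)
    for f in needs_review:
        flag = " [remote access]" if f.critical else ""
        print(f"{f.verdict:13} {f.flow.src} -> {f.flow.dst} ({f.flow.service}){flag}")
```

Run as a script, the check reports the office-to-cell flow and the RDP flow from the vendor jump host as denied, the SSH flow from the jump host as allowed but critical, and the unknown laptop as an inventory gap. Even allowed remote-access flows stay on the review list, which matches the guideline's point that remote access points deserve the closest attention.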

In connection with software development and maintenance, the guideline furthermore points out that Industry 4.0 requires “robust, reliable and trustworthy software”, which is why the authors demand software governance and systems hardening. Since this affects purchasing, the authors provide a few checklists with requirements for machine manufacturers. Traceability and documentation are especially important in this context. The authors recommend following the “IEC 62443 Industrial communication networks – Network and system security” standard, because it addresses the particular responsibilities of manufacturers, integrators and operators. The guideline closes with information about other relevant directives in Germany.

My conclusion: a good set of proposals. IT security in a smart factory is initially a question of risk analysis, organization and clean processes, because effective countermeasures can only be taken by someone who knows where the risks are.

1 Comment

  1. Peter Kronfeld says:

    Hello, seems to be a lot of movement in IIoT security currently. Kaspersky launched a new operating system (Kaspersky OS) for embedded systems and the IIoT and will exhibit this at the Embedded World fair. Have a look at their press release:
