(image: copyright Plattform Industrie 4.0)
Supported by the Federal Ministry for Economic Affairs and Energy, the “Plattform Industrie 4.0” initiative has issued a new guideline: “IT Security in Industry 4.0” (link for download: English brochure / German brochure). It includes important ideas for companies that plan to network their production in terms of Industry 4.0.
As I recently addressed in a post on this subject , security becomes an important issue for a smart factory as soon as Internet-connected IT systems are included in the network. On the other hand, one of the basic ideas of Industry 4.0 is the integration of supply chains across locations and companies. But if you network your production, you create potential targets for espionage. The problem: we have proven recommendations and standards for classic IT security, but not for the privacy of machine data.The recently published guideline is supposed to provide some basic tips.
It recommends the installation of an information security management system (ISMS) as per ISO/IEC 27001 with a corresponding Plan – Do – Check – Act cycle. The ISMS determines with which methods and tools management should govern, plan, implement, execute, monitor and improve security-related tasks and activities. Focusing initially on processes and responsibilities, IT security should be introduced enterprise-wide, including in all production and supply chain areas that were not traditionally included in such endeavors.
Of particular interest is the guideline’s next chapter, which covers risk management. The goal is to find out and document the value of the company’s information and how worthy of protection it is. What are the critical assets? With which information, for example, would a competitor gain access to manufacturing know-how? How can customer secrets be divulged? What must be protected? How high is the risk of a data security breach? What measures are needed? Who is responsible?
By the way, such analyses are useful in any case, because sensitive data may be lost long before everything is networked.
Defining protection levels is not only important for risk assessment purposes – it is also a good organizational approach. The goal is to identify zones with similar protection requirements and separate them from each other. Communication between the zones may continue, but the transfer points must be clearly defined and appropriately protected. Needless to say, remote access points are especially critical. Network communication control, monitoring, troubleshooting and cryptography are just a few points being addressed by the guideline, along with identity and access management, authentication, and permission management. Let me summarize it this way: the network of a smart factory must be administered just like a business-critical IT network.
In connection with software development and maintenance, the guideline furthermore points out that Industry 4.0 requires “robust, reliable and trustworthy software”, which is why the authors demand software governance and systems hardening. Since this affects purchasing, the authors provide a few checklists with requirements for machine manufacturers. Traceability and documentation are especially important in this context. The authors recommend following the “IEC 62443 Industrial communication networks – Network and system security” standard, because it addresses the particular responsibilities of manufacturers, integrators and operators. The guideline closes with information about other relevant directives in Germany.
My conclusion: a good set of proposals. IT security in a smart factory is initially a question of risk analysis, organization and clean processes, because effective countermeasures can only be taken by someone who knows where the risks are.