Industry 4.0: Risks and side effects
In industry, adequate IT security must gain in importance. Plants and products, but also data and know-how, must be reliably protected against unauthorized access and misuse. How companies secure themselves against IT attacks will be one of the core challenges for Industry 4.0.
The decentralization of data traffic demands new structures and technologies for networks and data management. In terms of performance and latency alone, process-related IT faces high demands: on the one hand, because ever larger volumes of data must be processed quickly, and on the other hand, because the requirements for availability and confidentiality of the information to be processed are increasing. Therefore, there will certainly be conflicting goals between IT security and plant availability.
Security and conflicting objectives
A major problem of industrial control systems (ICS: IT system incl. networks), for example, is that a security culture has not yet been established (compared to commercial IT). Process-related IT systems (e.g. firmware) are part of the plants and have much longer time horizons than commercial IT (up to 20 years).
IT security is usually not the primary objective of the plant manufacturer. On the other hand, the plant operator often has no detailed knowledge about the IT technologies he uses. The German Federal Office for Information Security (BSI) has developed the "ICS Security Compendium" to address this issue and to support operators of industrial plants in securing their production and control systems. The compendium provides an overview of the main threats to industrial control systems (organizational threats, human error and intentional acts).
In addition, security best practices for ICS planning, design and implementation are presented, as well as a methodology for auditing ICS systems. The SCADA (supervisory control and data acquisition) systems that are frequently used are the interface between the host systems and the ICS networks.
New dimension in control
ICS networks monitor and control the ICS components. To date, these SCADA systems have been located on proprietary platforms with their own communication infrastructure and no Internet connection. With regard to Industry 4.0, IT specialists are now striving for comprehensive (Internet) networking of such systems, but this will also expose them to the classic dangers of IT security in the future. The original developers could not foresee this, so these systems were never designed for it and the threat scenarios presented above were never considered. In addition, when controlling complete production plants, sensor values must be available in real time, because in the event of malfunctions (e.g. virus attack) the plant usually cannot simply be taken off the grid without endangering operational safety (e.g. chemical industry, power plants). A few years ago, the example of the "Stuxnet" virus successfully introduced into Iranian nuclear facilities showed what such a malfunction could look like: the uranium centrifuges very quickly entered the red speed range. Incidentally, Stuxnet exploited security gaps in Siemens control systems (Simatic S7).
However, despite the potential threats and incidents such as those mentioned, automation and process control systems are currently still not the focus of IT security. This must change fundamentally for Industry 4.0! The dissolution of "isolated applications" and the strong networking with a large number of other systems, including the office environment, also results in new requirements for the network environment. Companies must consider not only the availability of the network, but also network segmentation as a protective measure. Access authorization concepts, authentication procedures and the use of secure network protocols, to name just a few examples, must be defined and implemented. With the increasing networking and exchange of large amounts of data in Industry 4.0, the security requirements in every company must therefore increase. However, measures to increase security against attacks have so far been implemented only slowly and often only as solutions to partial aspects, although the further development to Industry 4.0 requires approaches that ensure comprehensive protection of the highly networked system structures as well as of the exchange of data and information. Operationally, even regular and timely patching represents a challenge. The often inadequate manufacturer support and the criticality of the systems (availability) make regulated patch management even more difficult. Thorough risk management, starting as early as the planning and implementation of IT systems, is a prerequisite for successful security management.
The ISO/IEC 27001 standard
To ensure information security in Industry 4.0, a proactive approach is crucial, as already provided for today by the ISO/IEC 27001 standard, which has a holistic approach. As a management system, it not only focuses on the implementation of security measures, but also demands management attention and constant adaptation to improve the system. The ISO/IEC TR (Information security management guidelines based on ISO/IEC 27019 for process control systems specific to the energy utility) is a useful addition to this generic catalogue of requirements for the energy industry, providing assistance in implementing technical and organizational measures in addition to the requirements of ISO/IEC 27001.
It is not enough to implement security functions after the fact if there have already been security incidents. The topic must be considered from the very beginning, tailored to the processes in the company and integrated into the management system. In addition, with the increasing networking and cooperation of different partners, a strong trust in each other is required. Reliable concepts, architectures and standards in the area of IT security should support this basis of trust, because manufacturers and operators need the certainty that their know-how, intellectual property and data are protected.
Other challenges
The challenge is therefore to equip existing IT systems for the new requirements of Industry 4.0 and at the same time develop solutions for new plants. Precautions at the company level are all the more important because, as things stand, there is currently no technical or digital sovereignty in the area of IT security at either German or European level. For this reason, the German government wants to strengthen confidence in IT security, at least at the national level. A BMBF reference project on protecting production from cyber attacks and espionage serves this goal, explicitly with regard to Industry 4.0. Standardization issues will play a central role in establishing technological sovereignty that protects against cybercrime and ensures secure data in order to provide verifiably trustworthy technologies. Industrial control systems were never designed to meet the requirements of Industry 4.0. Developing highly available and, above all, secure IT is therefore the major technical challenge for the digitalized and highly networked world of tomorrow.
Conclusion
High standards for information security must be created to ensure that information and data protection are maintained. The security of systems and the protection of data are therefore central cross-cutting issues of Industry 4.0, and every company should develop suitable measures for this in advance. One of the signposts here can be ISO/IEC 27001. IT security and communication security are therefore the critical points! This is where it is decided whether Industry 4.0 will be a success or not.