Networked industrial plants and cybersecurity – two subjects that crop up today in practically any IT discussion. And no wonder: as companies who have not digitalised their production find themselves lagging behind – and, if failing to secure their plants, in major difficulties too. But although the subject of security is highly relevant, it doesn’t need be a cause for panic. Instead, the challenge is to close possible entry points using a few – albeit highly effective – measures. The key thing is that every networking project is managed by the top company management.
Even without knowing a single statistic on the subject, every managing director, CIO, CISO or CIISO (Chief Industrial Information Security Officer) in manufacturing companies knows how relevant this subject is. After all, barely a day passes without talk of the “Internet of Things” (IoT) or Industry 4.0. No manufacturing company nowadays can manage without “networked production”. The advantages are simply too compelling: greater efficiency, lower downtimes or even new business models are possible if production plants can generate, send and receive data. One of the magic expressions is predictive maintenance, which kicks in even before the machine requires downtime. Now that, even on older machines, it is possible to retrofit at least rudimentary networking capabilities, the road to Industry 4.0 is open to practically any business.
So how likely is it that criminal hackers might be able to take over computers in unprotected production plants? Extremely likely. Although the question is somewhat misleading, at least for now. That’s because, unlike an attack on an office PC, having control of the computer is not enough in itself (unless it is a ransomware attack). The actual attack on the industrial control components requires specialist knowledge, such as a far-reaching knowledge of protocols such as S7 (Siemens) or Remo (Heidenhain)—abilities that fortunately are not widely found in the cyber-underground. Moreover, for more complex production processes (as are common in chemicals or pharmaceuticals companies), knowledge of the actual process is essential. At present, an engineering workstation infected with malware is generally not sufficient to force production operations in a company to shut down.
However, all that is no reason for company managers to rest easy when networking their own production environment. After all, once the underground has tasted blood and, for example, is able to generate cash from blackmailing affected companies, the criminals also start to find it easier to recruit compliant production specialists. That’s why, right from the start, top management should be contributing to every networking project and demanding that their own specialists take full account of a few key points.
The most important of these is separating the office IT from the production environment at the network level. The connection between production machines fundamentally requires a dedicated networking arrangement that is separated from the rest of the network via a firewall. If that is not the case, vulnerable office computers can serve as a springboard for attackers. Modern control systems for production plants are already equipped ex works with a firewall. How networks can meaningfully be segmented is described, for instance, in the guidelines on “IT Security in Industry 4.0” ( “IT-Security in der Industrie 4.0”) published by Plattform Industrie 4.0, an association that brings together politicians, business people, academics, trade associations and the trade unions.
One further thing must be clear to business managers: the in-house specialists working in production security are not necessarily speaking the same language as the cybersecurity specialists. Where the one group (production) are looking to protect people from machines, the other group (cyber security) need to protect machines from people. In order to avoid problems of communication, and later of security, both worlds need to work together from the very start on networking projects—which, in turn, needs to be initiated and managed by the company management. That’s so that the networking not only involves the plant later on, but also the employees—and right from the start.
Security aspects of networked production was part of the theme world Digital Factory at the Command Control 2018.