Michael Gerhards is the Head of CyberSecurity Germany at the Airbus Group
A new approach to security is a must for those who want to benefit from the added-value potential of smart industry solutions in the future. As the complexity of the supply chain increases, so do the possible risks. Cyber-security is no longer simply an end in itself; it has now become a key factor behind companies retaining their competitive edge in the age of digital transformation.
When it comes to the digitalisation of the economy, the figures are constantly increasing with each new growth forecast. Industry, and in particular high-tech manufacturing, already feels subject to the huge pressure of ‘going digital’. While every technology manufacturer has to develop and implement their own digital transformation strategy, ultimately all smart industry concepts draw on a common paradigm: manufacturing in the future will be data-driven, networked and transparent. Production processes, flow of materials and enterprise resource planning (ERP) information are fusing, just as the number of real-time data streams and links is growing exponentially – along with the number of possible security vulnerabilities. There is already evidence that ‘classic’ security concepts, which are primarily based on the separation of production systems and office-based IT, will no longer be up to the challenges of the digital factory.
Even if industrial digitalisation is often characterised as a revolution, it is more of a continual process begun in the 1980s and 1990s. As modern automation technology was in its early stages, the internet was also still in its infancy.
At that time, no one had seriously considered the possibility of connecting production systems to the internet. Industrial control systems (ICS) were seen as isolated units, so security functions such as authentication mechanisms, password management or access restrictions were therefore unnecessary and simply not provided. It was enough for a production sub-system to be connected to a programmable logic controller or other higher hierarchical level.
Ultimately all smart industry concepts draw on a common paradigm: manufacturing in the future will be data-driven, networked and transparent
Sometimes, the flexibility offered by internet protocol (IP) – connection to the worldwide web – was beneficial, or costs could be saved. But problems came as this was not done systematically or with enough attention paid to security.
The mix-and-match approach of many industrial networks may not be an initial cause for concern for production specialists and automation engineers: functions that could endanger a facility’s operational safety are still separate, and safety-relevant limits are ‘hard-coded’ to avoid tampering. Industry-specific protocols present a high technical obstacle for possible attackers.
But more can be done. Not only has the number of IP connections significantly increased, but threat levels today are completely different from five years ago. The emergence of Stuxnet, a malicious computer worm that caused substantial damage to Iran’s nuclear programme among other projects, and other industrial network-targeted malware, production system security has increasingly become a topic for public debate.
The initial silo mentality among IT and production managers is also now increasingly being broken down thanks to more coverage, greater enlightenment in research and teaching and standardised security guidelines. Professionally coordinated security initiatives are now welcomed or even actively called for by the majority of production managers. A complicated cyber-attack or malware that targets industrial facilities jeopardises this objective. According to the German Federal Office for Information Security, it takes 227 days for a targeted attack on a company to be noticed – the average length of time that an attacker is present in the company and has the opportunity to spy and prepare manipulations without anyone becoming aware that a problem exists.
Just one security incident can result in prolonged and very costly production downtimes or the disclosure of company secrets. This is particularly the case in high-tech manufacturing and even the building-up of the production environment itself, as this can contain decades of development expertise and therefore valuable intellectual property. A Bitkom study has found that up to €51bn of damage is caused by cyber-attacks on companies each year. ICS security is now far more likely to be viewed as one of the key factors behind reliable production planning.
Industrial security, like digital transformation as a whole, is not a fixed end point but a continual process
For a security provider, the greatest challenge in securing production environments is to develop customised security concepts that can be seamlessly embedded into existing manufacturing processes, both at a technical and organisational level. The prerequisites to achieve this are not only a fundamental theoretical knowledge and highly trained team of specialists, but also a high degree of practical experience. Airbus, for example, draws on a long tradition of manufacturing advanced products with a high level of protection, and much of the experience and analytical methods used by its CyberSecurity business unit derive directly from the company’s own ICS operational environment, tried and tested on multiple occasions.
Industrial security, like digital transformation as a whole, is not a fixed end point but a continual process. A basic first step on the journey towards a valid ICS security strategy has to be a detailed risk analysis, a course of action also recommended by the German Federal Office for Information Security. Its ICS Security Compendium states that carrying out a recurrent (regular and/or event-related) risk analysis is considered compulsory. As part of its extensive security services portfolio, Airbus CyberSecurity develops holistic security strategies based exactly on such an analysis. In direct collaboration with an operator’s IT and production teams, the objective is to identify and document their top five risks as well as recommending feasible countermeasures.
These risks and countermeasures are: developing secure remote access for maintenance and analysis; protecting the production network and isolating or monitoring legacy systems, which are susceptible to vulnerabilities, using passive security sensors; securing endpoints, databases and servers; securely using portable storage devices such as USB sticks or CDs; and transferring knowledge and providing methodology for continual risk analysis.
The protection of production facilities is a complex challenge, especially for high-tech companies, which at times entails high expenditure. In the context of Industry 4.0 and the Internet of Things (IoT) however, a security-related appraisal is essential to achieve a solid base for digital transformation. A security assessment is a sensible entry point for this as well as forming a cornerstone for all further recommendations for action and the development of a long-term security strategy. The costs for such an analysis remain within a manageable scale and will quickly pay off thanks to the minimised risk of downtimes and a generally more reliable production network.
This article was first published in Europe's World print issue number 35. Read more on the issue and order your copy here.
IMAGE CREDIT: Nataliya Hora/Bigstock