Cyber security: a threat to Industry 4.0 implementation?
13 December 2016
In 2010 the Stuxnet computer worm was a wake-up call to the industrial world that an ostensibly closed and secure system could be compromised by nothing more than an infected USB memory stick during a routine maintenance procedure. Barry Graham offers advice on ensuring plant network security in an era of the open enterprise.
Since Stuxnet other malicious code, designed to disrupt the industrial control systems of utilities and their supply networks, are thought to have entered systems via the internet, with phishing emails and/or Trojans being the suspected vectors.
Whatever the mode of access, and despite the efforts of governments and other agencies to make industry more aware of the threats and their consequences, it is evident that many of today’s industrial networks remain vulnerable to cyber attack and so measures to protect them must be taken.
If the benefits of Industry 4.0, in terms of ‘Smart Factories’, the ‘Internet of Things’ and ‘big data’ are to be delivered networks in the future will need to be much more open and therefore will be at an enhanced risk of cyber attack.
The smart factory – perhaps more accurately termed a cyber-physical production system (CPS) – will comprise not just ‘smart’ machines, but will incorporate warehousing systems and all manner of discrete and process production facilities.
Industry 4.0 inspired implementations of the CPS will need end-to-end ICT based integration of production systems, from factory floor automation to the manufacturing execution system; moreover, they will be subject to extensive web and third-party cloud-based exposure, so tackling the threat of attacks is of paramount importance. The potential risks – compromised intellectual property, brand damage, financial loss, customer grievances following late deliveries or batch inconsistencies, the safety of production personnel and even the safety of manufactured products (to name but a few) – go far beyond the perceived threats in everyday personal computing and online banking.
Cyber security standards have been in force for decades to protect medical records (HIPAA/SOC 1/2/3/), credit and debit card dealings (PCI DSS Level 1) and the information that organisations, in general, hold about us (ISO27001). The industrial automation industry has not exactly been sitting on its hands either. The International Society of Automation's ISA99 committee has been working to define security standards for industrial automation and control systems since 2007. In 2010, these standards were aligned with the corresponding International Electrotechnical Commission (IEC) standards to become the ISA/IEC 62443 series - currently the most comprehensive set of standards dedicated to the security of industrial control and automation systems.
It is fair to say, these standards have yet to be fully assimilated industry-wide. Meanwhile, responsible automation hardware/software suppliers have not been tardy in developing innovative solutions to the problems of cyber-physical production system security, and have addressed the issues in a variety of ways.
For a decade or more, it has been possible to connect remotely to a PLC via a serial bus for monitoring and diagnostic purposes. Today's machine controllers are equipped with Ethernet ports that, for example, provide internet connection via the enterprise IT system to a remote, cloud-based SQL database in order to download stored recipe data.
However, any vulnerability in that connection could potentially lead to compromised intellectual property relating to that recipe. The security of such open systems – and, by inference, the necessary level of co-operation that will be required between information technology (IT) and operational technology (OT) departments – have become critical considerations.
Omron’s approach to the problem is to provide basic security for its factory automation systems using http Port 80 – the default port number for a web server – which protects Sysmac machine controllers by allowing communication only from within the Sysmac Studio configuration, programming, simulation, and monitoring software environment. Communication between the machine controllers and Sysmac Studio is not encrypted; instead, it is protected via digest authentication – a method that enables a web server to check a user's credentials, such as their username and/or password, with their web browser. The identity of a user can be confirmed before information is released to the network by applying a hash function to the username and password before transmission. Moreover, Sysmac controllers cannot send service data object (SDO) messages to the control network from external sources, so it is essentially isolated from the information network.
Advanced functions to protect investment in, and the security of, machines are standard in the Sysmac Studio software. Preventing incorrect connections, unauthorised operation or theft of assets are protected by features such as confirmation of controller names and serial IDs, administrator access rights and controller write protections. Meanwhile, authentication of user program execution and password protection for project files provide protection for the user’s intellectual property.
Barriers that have traditionally existed between IT and OT departments will have to come down if a true Industry 4.0 implementation is to be realised. IT departments have, for many years, been fully aware of cyber threats and the potential damage that can ensue if systems are not adequately protected. For OT engineers, however, attacks on their systems are a relatively recent phenomenon and the threats and risks may or may not yet be fully understood.
Even today, the IT and OT functions remain generally independent of one another and it is normally the IT department that has any control over the prevention of cyber attacks on the enterprise by restricting access to the enterprise networks. Within the concepts of Industry 4.0 restricting access to the enterprise networks would be unacceptable, so it is important that IT and OT departments start to work together so that they are able to combat the greater risks posed by the open networks of Industry 4.0 together.
A productive collaboration between IT and OT departments would inevitably improve business efficiency as well as raise awareness of the cyber threat issues that must be addressed at all levels of the enterprise. Such a collaboration would also go a long way to improving the skills of those less familiar with cyber security and its relevance to their operations.
Manufacturers embracing the Industry 4.0 paradigm need to up-skill their operational staff, assess the potential cyber threat risks and develop a security plan commensurate with their organisational structures.
Barry Graham is automation product marketing manager at Omron
Contact Details and Archive...
Most Viewed Articles...