Industrial IoT Security: Why and How?

Steve Hanna, Senior Principal Technical, Marketing at Infineon Technologies AG
Steve Hanna, Senior Principal Technical, Marketing at Infineon Technologies AG

The manufacturing sector is undergoing a transformation so exciting and promising, that it is often referred to as the 4th Industrial Revolution. Digital technology, automation and the Internet of Things are dramatically improving manufacturing flexibility, quality and productivity while at the same time reducing costs. Broadly defined, for a manufacturing system to be described as a “smart factory“, it needs to demonstrate that the industrial control mechanisms are connected to cloud intelligence and managed by cyber-physical control systems. The automotive sector, which has always been at the forefront of innovation, leads the Industry 4.0 field, yet the move to smart factories also applies to all other kinds of manufacturing, including sectors that use discrete or continuous production to manufacture, produce or process items or materials, such as oil refining, chemical production, or power generation.

1The manufacturing industry knows that embracing Industry 4.0 is the only way to survive, and that the use and analysis of real-time data provides a competitive edge to work more efficiently. According to a study by PwC, 85% of the companies questioned will have implemented 4.0 in their key areas by 2020. As industrial control systems become more responsive, open to external devices, and interconnected to the Internet, these systems are exposed to cyber risks which have been shown to lead to defective products, equipment damage, stalled production, safety risks – and even business-ending events. A frightening example of such an incident is the reported attack against Ukraine’s power grid in December 2015, which left large sections of the population without power.

The need and demand for industrial security

A secured IT infrastructure that supports connectivity throughout the value chain is a key prerequisite to implementing a „smart factory“.  Manufacturers need plant-wide connectivity in order to connect devices and to share operational data with IT systems within their site and with their suppliers, enabling automated analysis and optimization. This connectivity is of great benefit for businesses, partners, customers and suppliers by enabling production to be adjusted to match demand and maintenance needs to be predicted and scheduled to maximize profits, as well as supporting many other novel inventions and business models. However, the integrity of sensitive equipment and confidentiality of secret designs and formulations must be protected.

Security is of critical importance within an isolated production plant and even more so in an interconnected industrial value chain. The IBM X-Force Cyber Security Intelligence Index 2016 ranks manufacturing as #2 of the most-attacked industries of 2015, right after Healthcare. Automotive manufacturers were the most targeted manufacturing sub-industry (30%), followed by chemical manufacturers. So, with an ever-increasing number of breaches, security remains one of the biggest risks within an Industry 4.0 strategy. According to a 2017 study by Deloitte, “Industry 4.0 and cybersecurity. Managing risk in an age of connected production”, the manufacturing sector is “woefully unprepared” for cyber threats. For manufacturing leaders, therefore, defending against cyber attacks should be high on the agenda. Security cannot be an afterthought but must become part of the corporate strategy.

This change of mindset is essential. Otherwise, companies may face a major risk to critical systems. The well-documented cyber attacks on a media giant and a big US retail corporation reportedly cost the companies hundreds of millions of dollars. There are signs that organizations are focusing more of their attention on cyber security. A recent IDG study predicts that global organizations will spend $101.6 billion yearly by 2020 on security hardware, software and services, compared to $73.7 billion in 2016. Recent market news, such as the acquisition of B&R by ABB, also support the claim that key players are optimizing their industrial automation portfolios to seize the opportunities of Industry 4.0.

2The nervous system of Industry 4.0: industrial control systems

The architecture of Industry 4.0 industrial automation systems, from the control- and supervisory level to plant level, is expected to maximize efficiency gains and accelerate productivity. The architecture can be viewed like the nervous system of Industry 4.0, with servers at plant level acting as the brain and the PLCs being the nerves that control the muscles, the motors and valves. The technology used for the different levels within the architecture differs: At the lowest levels (the field and control level) there is a lot of embedded technology, such as sensing elements, electronic circuits, PLCs or microprocessors. At the supervisory level, hardware tends to include industrial PCs and network devices, gateways and routers with a strong data storage and processing capability. Data from the whole process are funneled to the supervisory control level. At plant level hardware is made up of computing devices, such as servers and PCs. (Add Diagram – IFX to provide)

As information flows upwards from the field level to plant level, measurements collected by sensors on the field level are aggravated and passed over to the supervisory level and so on. Throughout this data flow between the levels, the data and the devices must be protected. The design of industrial control systems often lacks basic security controls such as authentication and encryption, which means that once the network is breached, attackers can read and modify this data at will. They can even get access to industrial controllers like the PLCs and alter their configuration and corrupt the process from the control level. As the PLCs within industrial control systems define the process flow and safety settings, an attack at this level can cause immense damage and disruption while it can stay undetected. The scope of damage is multiplied if the environment is no longer a stand-alone production site, but an interconnected, “smart“ factory environment.

Security solutions that enable and protect smart factories

So how can a smart factory be protected? A defense in depth approach is best. Relying on software alone to protect your industrial control system would be like protecting yourself from the rain with only rain boots. The smartest way to secure the process is by using hardware security and software security together – a rain coat and rain boots. Hardware security products are designed and tested not just on a functional level but also to resist many kinds of security attacks.  Infineon offers hardware security solutions for securing and protecting industrial automated systems that protect data security and device integrity across all levels of the industrial architecture. Together with Infineon’s network of international partners, Infineon’s security controller portfolio is designed to protect intellectual property and Know-How while maintaining uninterrupted secured operations.

3Hardware security protects industrial control systems by ensuring integrity and authentication. Already today, industry standards require hardware security within industrial systems for the most security sensitive applications. By securing the entire manufacturing system with hardware security, a manufacturer can successfully protect their whole production process. When integrated into an overall secure system, hardware security helps the manufacturing industry to minimize the impact of a cyber attack, using proven and tested technology that protects the manufacturing process across all control levels.

 

Share this post