Little cyber security in industrial plants
Blackmail, sabotage and industrial espionage are the main motivations for attacks on companies and their infrastructure. Cyber attacks on production facilities that trigger a production standstill are absolutely crucial. The industry is in a dilemma: on the one hand, the digital transformation requires the opening of production and IT systems, but on the other hand, there is a lack of knowledge and practice to implement standards and routines to appropriately protect the facilities that are now accessible via the internet. A 2020 study by KPMG shows that only a quarter of the 16,000 companies surveyed worldwide actively defend their industrial control systems. Moreover, 58 per cent of the companies stated that they lack in-house security expertise.
"Since the publication of Stuxnet in 2010 and the subsequent attacks on production plants and component manufacturers in the recent past, it has become clear that we will not be able to manage without solid protection of industrial plants in the future," explains Matthias Schmidt, Co-Lead Technical Committee Cyber Security of the Open Industry 4.0 Alliance and Product Manager Industrial Security at ifm solutions. "In the Open Industry 4.0 Alliance, we are now providing members with a strategy on how they can implement the existing security standards. In doing so, we bring ISO/IEC standards, MITRE's lists of common weaknesses, recommendations from the Cloud Security Alliance or OWASP on cloud and app security and the FIRST Forum into a strategic framework."
"The Alliance defines four layers, two each on the factory floor and in the cloud," explains Dr Stephan Theis, Co-Lead Cyber Security Group of the Open Industry 4.0 Alliance and Managing Director of nekst one GmbH. "Cyber security takes place in all layers. A pure software application based on a container, for example, cannot contain or guarantee any security functionalities of the layers below and above it. The Full Stack Secure Solution Architecture we have defined therefore encompasses all layers, starting with egde computing and connectivity on the factory floor and extending to the cloud with the Open Operator Cloud Platform and Common Cloud Central. This approach provides Alliance members with a sound and solid basis for systematically implementing and offering the principle of 'security by design' in their products and solutions."
Safety for the operational technology of industrial plants
Where IT is already struggling to keep up with developments in cyber security, companies seem overwhelmed with plant technology (OT; Operational Technology) and industrial control system (ICS; Industrial Control ICS) security. The Open Industry 4.0 Alliance white paper on "Industrial Cyber Security Design Principles" is divided into the following contents:
- Roles of stakeholders such as providers of apps, connectivity and other technology as well as manufacturers, system integrators and finally end users and service providers.
- Security by Design across all layers with the Full Stack Secure Solution Architecture
- a table on the integrated standards and best practices of other cyber security organisations
- and a structuring of the requirements for security compliance across the four layers of the Alliance from the edge to the cloud.