Knowledge of IT security is lacking in production facilities. Engineers are trained to handle production plants, not cyberattacks. Guidelines from an expert group are intended to help fill the gap.
The term “Industry 4.0” is still relatively new. But according to a survey by the German IT industry association Bitkom, every fourth machine in the domestic manufacturing industry is already connected to the Internet. Ten percent of the companies surveyed even had more than half their machines connected to the Internet.
Cybersecurity has a new relevance for these companies, although many don’t know how to approach the topic. There have already been serious security breaches in OT (operational technology). Although the engineers know their own plants inside and out, they often lack expertise when it comes to IT security in production – especially in medium-sized companies. IT experts are currently hard to come by, and training takes time. Guidebooks could ameliorate the problem, but so far there has been a shortage of practical assistance. The Industrial Internet Consortium (IIC) is now attempting to meet this need.
The Industrial Internet Consortium (IIC) takes on IT security
The IIC put together an expert group in collaboration with partner companies that spent over two years investigating common security practices in real IoT applications as they are generally used in OT. According to the group’s own statement, the main problem they ran up against was the breadth of applications in the industry. They found that the same components are being used in many different ways, depending on the particular production plant. This means that uniform, standard solutions are often out of the question. In addition, the plants differ in terms of their significance for the business model, so they require different security levels based on that relevance.
The outcome of this work is the “Security Maturity Model (SMM) Practitioner’s Guide”. The Practitioner’s Guide is intended to support operators of industrial plants in assessing their current security level and determining the necessary actions. Plants and areas of application can be categorized according to 36 parameters, enabling an individual needs assessment. On this basis, the expert group recommends suitable steps for optimizing the IoT security level.
Of particular note are the three supplementary case studies, which, for example, can provide management with an overview of suitable security models and procedures that are being used in practice. They range from a connected, data-driven bottling line to connected cars that receive over-the-air (OTA) updates.
U.S. standardisation authorities offer assistance for Industry 4.0
If more help is needed, the somewhat older guide from the U.S. standardisation authority NIST (National Institute of Standards and Technology) can also be consulted. The “Guide to Industrial Control Systems (ICS) Security” takes a slightly different approach. It describes typical threats to industrial plants and discusses suitable forms of protection. After presenting an industry-standard risk assessment, the Guide provides a detailed explanation of security architectures suitable for plants. However, it pays too little attention to the specifics of modern IoT components and to current IT procedures such as over-the-air (OTA) updates. For that reason, the NIST Guide is best used as a supplement to the IIC Practitioner’s Guide rather than on its own.
You will also find news about all aspects of it-sa and the world of IT security in the it-sa Security Newsletter.