Professionals insist that IT security is a matter for management when industry is networked. Security strategies often fail to take account of IoT devices in production areas.
Huge numbers of IoT sensors are used in networked industry, even in devices where you wouldn’t expect them at all. Today, an industrial cordless screwdriver knows whether the right screw is being used in the right place, and automatically adjusts the torque to suit. These new opportunities make it possible to be informed at all times about output and maintenance status in a manufacturing facility. And it means that action can be taken at an early stage if problems arise.
But new opportunities also mean new risks. Networking can often mean that machines unintentionally find their way onto the Internet, whether because the manufacturer has remote maintenance access, or because it is gathering statistics on use. At that point – if not sooner – the devices are susceptible to attack, and there are all kinds of tools available to hunt them out on the Internet.
As the example of Stuxnet showed in 2010, even non-networked machines can be vulnerable, for example via USB sticks that are used to install updates, or via laptops that are connected to perform maintenance tasks. Stuxnet penetrated Iranian nuclear centrifuges via USB sticks and caused severe damage.
Politicians like Ulrich Nussbaum, State Secretary in Germany’s Federal Ministry for Economic Affairs and Energy, therefore realise that IT security is a basic precondition for Industrie 4.0. Nussbaum emphasised the fact at an event on Industrie 4.0 recently. But at the same time, professionals complain that the subject of security has not reached management levels yet. Although security is an established part of IT planning in an office environment, that is not the case in manufacturing. This is due in part to different priorities and other responsibilities. IT security officers are often responsible only for office PCs, Internet services or the data centre, but not for production facilities.
While IT systems need redundancy to ensure they are fail-safe, simply installing a second production line is not an option. In other words, permanent availability is the key interest in production, which means interruptions to operation must be avoided at all costs. But taking no interest in security questions can quickly mean having to deal with a situation that is escalating out of control.
That is why security advisers recommend that IT security be a subject for management in Industrie 4.0, and that this area report directly to management. There is a lot at stake, after all, if attackers can control production facilities remotely, as in the case of Stuxnet.
Security precautions require investment, however, and also mean processes have to be adapted – and these are decisions that can be taken only at senior management level. These include emergency plans and exercises, and setting up alarm sequences. The alarm sequences must be constantly updated, since telephone numbers change. If it is discovered only when a fault occurs that someone cannot be reached, the situation can quickly spiral into an emergency.
We will look at the technical side of this subject in a further article.