INDUSTRY 4.0 AND CYBERSECURITY
Andrew Cooke, Head of Consulting, Airbus CyberSecurity
Protecting Industry 4.0
The whole concept of Industry 4.0 is one of “super-connected plants” with product and service on demand and instant access to real-time data. The principle it embodies includes the creation of interoperable manufacturing environments, integrated sales and delivery data sets, real-time plant management data, and remote and autonomous service and maintenance management. It is the embodiment of the future that was imagined in the science fiction of the seventies and eighties.
However, with this all-connected, autonomous and self-managed industrial environment comes a set of risks and threats, and the potential for the kind of system breakdown that the same science fiction relied on for its story lines.
Insecurely Driving Industry Forward
Coming back to reality for a moment, the drive for efficiency and our ‘on demand’ society has placed an expectation on industry that a consumer’s order today will be delivered tomorrow. The result is a real need for super connectivity to translate demand into service delivery instantly. From that societal requirement comes a need for high availability of plant, and a requirement to be able to make instant configuration changes and to maintain plant and equipment remotely, to maximise uptime and minimise delays from travel and repair time. In order to deliver product and service to the customers’ expectations, supply chains have to be more integrated, services and processes need to be capable of evolving to meet changing needs, and data needs to be made available instantly to the supplier and the customer to manage the delivery programme.
This connected world clearly presents us with a whole set of different cyber challenges. If the supplier has remote access to your systems to manage inventory, upgrade firmware or maintain control systems, then you can bet someone who wants to steal goods or intellectual property can get the same access. If power demand and transmission need to be balanced across a network from a remote control centre, then that balancing can equally be interfered with, and control potentially taken, by a malevolent actor. Interoperability and openness of systems is a huge advantage in the management and control of process, but it also allows malevolent code, malware and viruses to spread rapidly around a system.
There are huge efficiency and intelligence benefits in sharing data between systems, functions, suppliers and customers. We must recognise, though, that it presents a huge risk in terms of aggregation of information and intelligence. It makes breaking in and stealing that data more attractive and more lucrative, and presents the attacker with more information, potentially allowing him to penetrate deeper into systems and networks, proliferating damage or generating more and more intelligence for future attack. The potential for an attacker to access that critical “big data” not only risks the integrity of your systems now but also brings the potential for data loss and a prosecution under the General Data Protection Regulations if you are operating in Europe.
It all seems very gloomy at first sight but help really is at hand. Increased digitisation doesn’t have to mean increased threat of attack or compromise. Technology can offer as much protection as it can create the threat in the first place.
Furthermore, it is always tempting to look for a technological solution to a technological threat, yet technology is not always the answer.
The first thing that industry must do to protect itself is to understand what it has in the first place. What does its network really look like? What is connected to what? What big data sets are being used to create critical information? What is critical, and what information can safely be made available to anyone? Which systems are more vulnerable to external threat? How do the networks and processes work, and which processes are dependent on those more vulnerable systems? A large (confidential) European FMCG manufacturer only discovered an external line connecting its control system network to the internet when one of its supplier’s engineers was seen by a network discovery tool, and a system previously assumed to be air-gapped was revealed to be open to the internet.
For any organisation to start to manage the risks it faces as it moves to Industry 4.0, it needs to start with a comprehensive risk assessment. Particularly in the Industry 4.0 environment, a cyber risk is a business risk and vice versa. In Industry 4.0, business does not exist without interoperable technology and the networks that provide it. Before investing in technology, it is critical to invest in an understanding of the risk that the technology is subject to and where the threats to it might come from. Understanding the networks and processes, and where risk sits on those processes, is the first step in developing an effective strategy to protect Industry 4.0.
Once those networks and processes are understood and the risks are identified and quantified, appropriate mitigation strategies can be developed, investment in protection can be planned and technology can be mobilised. Cyber risks are first and foremost business risks, so the essential next step is to link the cyber risk to the top-level organisational goals. What is important to the business, and how can cyber cause you to fail? This will help to prioritise systems and processes and, moreover, prioritise what data is critical to the mission. Understanding what needs to be kept most secure, and what data is less important or, more critically, needs to be made available to external bodies, presents the key to a strategy for sharing it in a secure way.
Once you have this understanding of business risk and how to mitigate it, you can look at the technology that can help you to do that. The first thing should always be to have a protective monitoring solution. The protective monitoring regime needs to be appropriate for the business. There is no point in having a solution that generates 500 alerts a minute and is therefore unmanageable, or in having the protective monitoring team working office hours while the business works twenty-four hours. Similarly, there is little point in investing in expensive operational technology threat assessment and protective monitoring equipment if the organisational architecture makes it inoperable.
Unblurring the blurred boundaries
The second critical technological consideration is data sharing. Making sure information is available where it is needed, but only shared securely and with those who really need it, is paramount in having an effective, efficient and secure business. As alluded to above, the most important interface to manage is the sharing of information between operational technology (OT) and enterprise systems (IT). The blurring of the boundaries between OT and IT has both facilitated better, more effective information sharing and raised the risk of malware, viruses and other malevolent code proliferating across operational technology networks. The classic recent example of this is the Ukrainian power network attack in December 2016, when the Industroyer malware crossed to the OT network, rapidly spread across the network and disabled control systems, with a resulting lengthy power outage across the country. Historically, organisations planned to keep those systems separate and not share data, but in Industry 4.0 that separation is impossible, as operational data is critical to delivering the mission. Data-diode-based solutions have been used in the past to make sure data can only pass one way and malware can’t get from enterprise technology to operational technology. This is not necessarily the only, or even the best, technology to protect operational technology networks, though. An appropriate risk assessment is needed, but increasingly, end point protection and encryption devices designed specifically to function with IoT and operational technology protocols can prove more effective and offer greater utility.
Industry 4.0 is driving manufacturing and critical infrastructure to adopt 21st century communications and technology into its daily delivery processes. There is no realistic reason why it should bring 21st century IT risks with it.