The Internet of Things promises a boom in sales and differentiation opportunities. But the digital revolution – in the context of manufacturing, often termed Industry 4.0 or Advanced Manufacturing – also means new threats. Or rather: old threats with new faces. Integrated machines are rarely properly protected against external attacks.
The technology hype surrounding intelligent products and production systems, or even smart systems and complete smart factories, has spread to entire industrial sectors. In particular, the machinery and plant engineering, the electrical engineering and the chemical industries have high hopes that this IT revolution will generate massive growth in sales. According to the German Association for Information Technology (BITKOM), the ICT sector sees Industry 4.0 as one of the top five trends of the year. Not without reason: By 2025 BITKOM predicts potential productivity gains totaling about 78 billion euros in just six economically important industries.
So what is so special about the new trend? It is no longer the machine that determines the production process, but rather the product. With the help of the Internet of Things, vehicle parts interact with processing machines and, for example, order their own paint job, as needed. This makes production systems more flexible and more dynamic and allows them to continuously evolve. However, if production plants and all manufacturing processes are even more highly automated and integrated in the future, companies must increasingly worry about finding the right – and reliable – IT security solutions to meet their needs.
This is also true for the Internet of Things. Just take a look at cars. It was announced a few weeks ago that hackers needed hardware costing less than 1,000 euros and freely available software to break into the IT system of a German-manufactured car. Meanwhile, in America, a researcher managed to hack into the interface of the onboard diagnostic system in a different automobile. In another instance, there was the case of an intelligent leg prosthesis fitted with a Bluetooth module that allegedly kept signaling its readiness to pair with any nearby mobile device.
With respect to the integrated part of industrial production, the problem is often this: "No one can really say what the threat scenarios are. A dearth of research characterizes the entire area," according to Manfred Hauswirth, Director of FOKUS (Fraunhofer Institute for Open Communication Systems). What is certain is that the distributed denial-of-service (DDoS) attacks that Internet servers face could also threaten machines connected to the Internet.
Another important aspect is that industrial IT components have long service lives, so they are often substantially less advanced than their counterparts in an office environment. "There are actually companies that visit auction sites to stock up on legacy equipment because they do not want to, or cannot, leave the world of Windows XP. There are even projects today which still worry about Windows NT security. And there are robotic systems that are actually accessed exclusively via USB," explains Olaf Mischkovsky, specialist for endpoint security at software producer Symantec.
"In our opinion the market for IT security in automation systems is lagging up to ten years behind the office IT market," reports Ramon Mörl, managing director of Munich-based itWatch GmbH (Hall 6, Stand E16). itWatch specializes in securing complete networks and distributes a range of software components to protect industrial systems. Mörl believes that one serious security problem facing Industry 4.0 is the lack of accountability: "The security and continuity of the production side of a business, including its built-in IT, is generally not the responsibility of the same people heading up the office communications side. Even if the security products already available for office applications could meet the industrial requirements in an ideal fashion, there is often a lack of communication between the two responsible sides, which prevents the transfer."
John Röcher, IT security specialist at Computacenter (Hall 4, Stand B04) holds a similar view: "Probably the most important measure that needs to be taken is defining roles and responsibilities. In contrast to office IT systems, on the production side there is usually no security officer. This role should be occupied at each production plant by someone with the requisite experience." Only then should companies select specific security architectures and solutions and install them in a reference project, he explains.