The term “Industry 4.0” was coined by the German government for a campaign to modernize their industry. It stands for the increased automation and data exchange in industrial processes. Like the steam engine was a major driver of the Industrial Revolution, the Internet of Things (IoT) would be one for Industry 4.0. Many people hungry for the new buzz are using this word now too, but one could argue there is nothing going on like a revolution, but more of a gradual change.
Current state of affairs
Many factories, especially in the critical infrastructure, use ancient systems and usually don’t have the mindset and processes for adopting the newest technologies. People working in factories are very aware of physical security, and generally much less of digital security. By connecting physical devices to the internet, these two worlds of physical and digital security are converging now and the people responsible for it need to be aware of that.
Availability still is the number one priority in factories and is frequently used as a reason not to update or replace systems. The potential disastrous consequences of this are demonstrated by recent ransomware attacks, including the one on APM terminals in Holland. APM operates about a quarter of the total container capacity in Rotterdam, and most of their systems were locked within an hour, according to an anonymous source. As a result, they couldn’t process thousands of containers, costing millions of euros. It took them 4 days to get back to normal operations.
Internet of Things (IoT)
The Internet of Things (IoT) consists of sensors, processors, and actuators. Actuators act upon the processed sensory data and manipulate an aspect of the physical world. An example would be a smart thermostat measuring the temperature (sensor), and based on some temperature threshold value (logic in the processor), start heating the house by physical means (actuate).
Currently (2017) there are roughly 20 billion IoT devices and this number is expected to grow to 30 billion in 2020.
What could go wrong?
In 2016 about 1.5 million IoT devices were infected with the Mirai malware, which were used in a massive DDoS attack. The abused devices were relatively innocent like digital video recorders, but the attack demonstrates that collectively they can be used to cause big disruptions to internet services.
A computer controlling the cooling fluid in a nuclear plant taken over by a hacker can be much more hazardous. If devices affecting the physical world are insecurely connected to the internet in a bidirectional fashion, we offer hackers (either criminals or hackers) the possibility to affect the real world. Surely we want to think very carefully about the security of these so called “cyber-physical” systems.
The path to secure Industrial Networks
Production networks in industrial environments have been isolated for a long time and the old software and protocols have not been designed with security in mind. In fact, it is completely lacking in most cases. The goal of Industry 4.0 is to start connecting production devices to the Internet of Things, and allow them to make more autonomous decisions by integrating sensory data. In our experience the necessary first step would be to update and secure those networks. Commitment to security by management is needed, and a complete security program has to be designed. Only then one should start thinking about increased connection of industrial networks.
Regulation can help make our digital world more secure. As we have seen the market mechanisms don’t lead to secure software. Customers favor cheap feature-rich over expensive and secure software. Even though most people say they are worried about digital security, their (buying) behavior does not necessarily match up.
Companies from countries that have devised laws with strict security requirements show themselves much more interested and committed to achieving the highest security. With a number of exceptions, we see this much less in countries lacking these laws, or countries only having guidelines. The usual problem is convincing management of the need for security, and regulation can simply oblige them. Regulation could also demand secure design of all kinds of software, especially if the software will face the internet.
Companies in the critical infrastructure should think critically about their security. They should ask themselves: does my operations network really need to be connected to the internet? Or maybe just a specific isolated part? And if so, in what way?
One of the security measures that can be taken in industrial networks is the use of a data diode. The Fox-IT DataDiode is implemented all over the world and guarantees one-way flow of data. Factories and plants can send data in real-time over the Diode to their IT networks, but this channel cannot be used by hackers to get into the industrial network.
There are many steps to be taken to reach a high level of security in industrial networks. If we want to connect more devices to the internet, especially cyber-physical ones, let’s think carefully about how to do it securely. After all, adding security afterwards is much more costly.