When criminals hack industrial plants
By Ulf Theike, TÜV Nord Systems
Industry 4.0 makes it possible: a sensor detects the wrong colour in a paint batch. Without human intervention or lengthy laboratory tests, machines correct the error and adjust quality and colour. They get the right recipe from the cloud. Not only can defects be quickly repaired, but coatings of identical quality can also be produced worldwide.
The main features of this service are internal networking and interfaces to the internet, which enable the machines to communicate with each other in real time. In addition, employees worldwide can access the industrial plant via the internet, for example to analyse data. This makes production processes more profitable and efficient. But there is also a snag: when IT and production-related automation systems are closely connected with each other, they become vulnerable..
If IT systems are not secure, unauthorised persons can gain access to a machine via an unprotected access point. Such an intervention in automated industrial processes can, for example, take place via the process control system. These systems are usually software-based and process digital, safety-relevant data. Via unproteced interfaces to the internet, hackers can manipulate data or software so that the system either switches itself off or even destroys itself. In the worst case, human lives can be harmed.
Protection through prevention
To protect themselves from external intervention, companies need a secure system that protects IT and machines from manipulation. Many companies have already introduced information security management based on ISO 2700x for their IT systems. This series of standards deals with classic IT systems, i.e. in particular with the protection of information and data. To protect industrial plants, it is therefore advisable to develop a safety system based on the IEC 62443 standards. This additionally covers systems, components and processes and provides requirements, procedures and assessments to define safe processes for the implementation of industrial automation and control systems.
——————————————————————–
Content tip: The free European Coatings Dossier Industry 4.0 will help you to discover the latest technical and market developments in this field and access the new EC Dossier, bundling the best contributions to the coatings conference “Industry 4.0”.
——————————————————————–
In addition, IEC 62443 identifies three protagonists that can influence industrial operational processes and assigns them clear areas of responsibility. The protagonists are device and machine manufacturers, system integrators who integrate the machines and processes in the industrial plants, and, last but not least, the plant operators. All three groups have different roles within the standard and are dealt with in separate sections. This is particularly important because in order to protect themselves against cyber attacks, these groups have to deal with internal processes and their strict application by employees and external parties as well as with technical security measures. The standard is therefore also relevant to all those involved in the design, implementation, management, manufacturing, sale and operation of automation and control systems.
Defense-in-Depth: more layers for more protection
In addition to the above-mentioned clear structure, allocation and interfaces, the IEC 62443 series of standards is also characterised by a multi-layer safety net, also known as Defense-in-Depth. The principle originally comes from the military and describes a multi-layered mechanism that prevents hackers or otherwise triggered incidents from spreading unhindered and causing major damage by suspending a single measure. The mechanism is based on the fact that there is an additional layer under each safety layer that prevents damage or minimises the extent of damage. IEC 62443 defines measures for all production-related areas of the company (such as systems, guidelines, processes and operating personnel) and thus enables comprehensive protection on the basis of differently working protective layers.
Safety level
IEC 62443 defines graduated quality levels for technical and organisational requirements. These security and maturity levels enable the user of the standard to implement individual quality levels depending on the company’s own risk assessment and, if necessary, to upgrade them over time. The protection of organizational processes and employees is very important, as hackers often gain access to sensitive data via employees, for example via phishing e-mails. The security levels can be divided into four levels: security level 1 offers “protection against accidental mistakes”, security levels 2 and 3 describe ascending demands and the highest level, security level 4, provides “protection against intentional attempts with specific knowledge and considerable means”. With the security levels, systems, networks, components, processes and employees can be evaluated with regard to their IT security, for example limited data access, authentication, system integrity, reaction to incidents and much more. The two graduated quality levels give users of the standard clear guidelines for the design of automation systems and provide them with a comprehensive security concept that offers far more protection potential than purely technical considerations. When applying IEC 62443 responsibly, it can now be assumed that the necessary damage precautions can also be adequately implemented with regard to cyber risks.
IEC 62443: the standard for industrial plant safety
Due to its holistic approach, structure, interfaces and areas of responsibility, which define the specific security requirements for manufacturers, integrators and plant operators, the IEC 62443 standard family is regarded as the essential series of standards for the responsible handling of cyber risks and industrial plants. For example, other standards such as IEC 61508 (basic standard for functional safety) or IEC 61511 (sector standard for process plants) or recommendations such as the NAMUR worksheet (NA 162) or the Cybersecurity Framework of the National Institute of Standards and Technology (NIST) already refer to IEC 62443. The series of standards is an important tool for industry. TÜV Nord is the first testing company to be acknowledged for all sub-areas of IEC 62443.
Content tip
The free European Coatings Dossier Industry 4.0 will help you to discover the latest technical and market developments in this field and access the new EC Dossier, bundling the best contributions to the coatings conference “Industry 4.0”.