Industrial Security is about securing information technology in industrial plants, including their machines and systems. Not only the IT security of the company network is important, but the security of interconnected plants and production chains. They are part of flexible value-added networks, that, as part of the digital transformation, are increasingly used to produce ever-changing and customized products.
This increasing level of connectivity also opens up many potential gateways to cyber criminals. Attacks such as Stuxnet were only the beginning. Kaspersky Lab discovered that in the first half of the year 2017 already every third cyber-attack has targeted computers for the industrial control systems in the manufacturing sector. An overall protection of all involved components of the added-value networks is therefore essential. The following aspects have to be considered right from the beginning.
Security by Design
The focus must be on ensuring the security of all machines and plants along the value-added chain and the entire life cycle. With this in mind, industrial security has to significantly influence the entire product development process of the machine and plant engineering from the very beginning (Security by Design).
Implementation of a Management System for Information Security
A management system for information security (ISMS) according to ISO 27001, helps to achieve the goals of information security, minimizes the company risk and fulfills regulatory requirements. It consists of four components: security process, resources, employees and management principles. Specified therein are binding regulations and procedures for the adherence as well as the optimization of IT security. A ISMS contains technical as well as organizational measures and has to be introduced by management, as they bear the responsibility for it in the end. Moreover, it is important to raise awareness for the security of IT and plants among the whole workforce.
Initially it is necessary to find out which values are most critical and most worthy of protection in the company and document them accordingly. In production, these can be plants and machines, information on production processes, production parameters and other process know-how. After that the responsibilities for the particular assets have to be distributed. An emergency plan describes necessary procedures to be able to initiate fast and efficient restoration processes in the event of damage.
It makes sense to separate the networks in a company and introduce a segmentation for plants, devices and networks. This means: identifying zones with similar needs of protection and separate them from each other. A vertical separation of office-IT and production-IT as well as a horizontal separation of plants through a setup of subnetworks.
Secure identities are a basic requirement for successful value-added networks. Every communication partner needs to get a secure identity which is suitable for its purpose and allows an identification and if applicable an authentication. Moreover, it is necessary to be able to differentiate between the login of users to the operating system of the machine and to the applications. An individual user management and a profound rights and roles management are also required.
In interconnected plants, a software indicates safety-critical processes. From ERP and MES system to process control and SCADA systems to PLC control, industrial companies have to pay attention to the fact, that the deployed software fulfills modern security requirements during its development. That is valid for in-house developments as well as for software of third-party providers. Standards, such as ISO/IEC 25000 and ISO/IEC 250xx provide useful guidance. Especially a regular maintenance of the deployed software remains indispensable, along with an elaborated software governance. Industrial companies should systematically and consequently asset the principle of the slightest possible privileges. That means, that every module, no matter if process, user or a further system, only accesses the functions, data and services he or she has an authorization for. Not needed services and functions of a software should be deactivated to minimize the threat of a hacker attack.
The unencrypted transmission of data is one of the main gateways for corporate espionage. Thus, it is essential to transmit, store and archive data exclusively in an encrypted way.
Considering IT-Security when purchasing
Nowadays, industrial companies should already think about comprehensive security measures when purchasing a plant. The threat situation in the internet is constantly evolving and that is the reason why industrial plants must be safeguarded during their whole life cycle. Hence, IT-security has to be actively integrated into the procurement process. In addition, during the selection of partners and integrators in the entire value-added network, it is essential to consider security aspects right from the beginning. Thus, industrial companies should accordingly prove and review their purchase policy.
SMS digital supports industrial companies by incorporating innovative software into its value-added network in a secure and efficient way. For example, Smart Alarm offers an intelligent alarm management system and visualizes all alarms in a clear interface. The software helps to detect and remedy disturbances quickly, to see alarms of different plants at any time and to document solutions corresponding to the occurring alarm. At the same time, all data is signed and encrypted before being transmitted and it is then stored securely.