Cybersecurity in Industry 4.0

What is Industry 4.0?

Since the late 18th century, the evolution and growth of industry has been mainly due to the existence of 4 revolutions. The first revolution took place between 1870 and 1900, when steam engines began to be used mainly to manufacture products. The second had as a key milestone the introduction of electricity in the production chains.

It was in 1969, when with the appearance of the first programmable logic controller (PLC), called Modicon 084, the term industrial automation was used for the first time, thus initiating the third industrial revolution. From that moment until today, the irruption and adoption of information and communication technologies in the industrial field has been constant.

Currently, technological paradigms such as Cloud Computing, Ubiquitous Computing, BYOD (Bring Your Own Device) or IoT (Internet of Things) are revolutionizing the way we understand technology and the way people interact with it. These paradigms, although slowly, are also reaching the industrial field, coining terms such as WSN (Wireless Sensor Networks), IIoT (Industrial Internet of Things), M2M (Machine to Machine), etc.

When the industry starts using them to integrate field devices and systems horizontally and facilitate the vertical integration of plant information systems; to optimize manufacturing processes and to increase the productivity of people, it is then, when we begin to talk about the fourth industrial revolution or Industry 4.0.

In a nutshell, the term Industry 4.0 refers to the convergence between the physical and the virtual world, from the use of intelligent communication between human beings and machines (in fact, there is talk of CPS or Cyber-Physical Systems), with the same naturalness that develops in a social network. Industry 4.0 or the social network of machines?

The Industry 4.0 wants to turn industrial environments into “Smart Places” where “Smart Products” are made based on the integration of systems and/or, in the optimization of industrial processes and in the professional and personal development of people.

• In addition, eight priority areas of action have been established with the aim of grouping specific actions that boost the adoption of Industry 4.0.
• Design of a reference architecture based on open standards.
• Use of planning and simulation models to manage complex environments.
• Deployment of a broadband communications infrastructure.
• Creation of specific “Safety” and “Security” programs.
• Redesign of the organization of work.
• Creation of training programs, continuous training of people in concepts related to Industry 4.0.
• Creation of a regulatory legal framework that combines technology and law.
• Efficient resource management.

In What Context are the “Safety” and “Security” Programs Created in Industry 4.0?

Industry 4.0 distinguishes programs aimed at ensuring the physical safety of people (Safety) from programs developed to increase the logical security of industrial environments, that is, what is traditionally known as Cybersecurity.

While the industry has traditionally been concerned with developing specific regulations that ensure the safety of people in industrial environments, the industrial cybersecurity part has not been taken into account until recently.

If we start from the idea that within Industry 4.0 an intelligent factory formed by CPS connected by different means (wired and wireless) is developed and that they are ubiquitously accessible, the specific cybersecurity programs must ensure:

• The availability of the facilities, the manufacturing processes and the CPS systems.
• The integrity of the developments and configurations of the field devices and industrial networks, as well as the communication between them through specific protocols.
• The confidentiality of the information and data that these systems handle.

It is also essential to guarantee correct access control to the systems, data and processes associated with these environments through the appropriate IAAA (Identification, Authorization, Authentication and Auditability) schemes and with a coherent choice of the control grain of this access.

That said, both physical and logical security programs must be aligned and must be understood and accepted by all people. A cyber attack can have consequences on the physical safety of people and vice versa. For this, it is essential that the following two principles are put into practice.

1. The design of industrial environments under the principle of “Security by Design”: It is not about designing processes, systems and/or infrastructures and a posteriori incorporating security layers that protect them from possible threats and vulnerabilities. The Industry 4.0 factory will deploy CPS that will carry embedded security functionalities that will help to interact with these devices safely.
2. The development and implementation of cybersecurity strategies, architectures and standards to ensure the aspects that were introduced above: availability, integrity, confidentiality and access control.

At this point, it is necessary to mention that although traditionally industrial cybersecurity has focused heavily on ensuring “availability” as a key element, in the context of Industry 4.0, the importance of the “confidentiality” of information and data is emphasized. Let us remember that ubiquity, remote access, the autonomous behavior of CPS are essential characteristics of Industry 4.0 and that in this context, the concern that data and information are only accessible by authorized persons, or that the know-how or intellectual property of companies is not disclosed, are key aspects to consider.

In addition, in parallel, it is necessary to strategically address two circumstances that currently occur in industrial environments:

• The heterogeneity and the existence of obsolete devices and systems or in a phase of obsolescence, makes it tremendously difficult to deploy security and cybersecurity programs.
• Secondly, and closely related to the first, to replace these devices and systems, it is necessary that the industry has solutions that make the transition from Industry 3.0 to Industry 4.0 as less disruptive as possible. In this sense, it would be essential that the major manufacturers agree on what functionalities and architectures should be basic to help make this transition.

In future entries we will analyze the challenges and barriers that exist to be able to reach a secure intelligent factory and what specific initiatives are proposed to increase the security of “Smart Factories”.