The definition of Industry 4.0 is based on a series of differentiating features aimed at integration with other intelligent infrastructures such as mobile/logistic infrastructures and intelligent buildings and at accelerating technological change.
Under these premises, representative characteristics of industry 4.0 are defined:
- Vertical networks allow a quick response to dynamic changes in demand and/or stock or failures that may occur. They focus on resource efficiency, focusing on material, energy and human resource efficiency.
- Horizontal integration is achieved through new value chain networks. The new networks work in real time, enabling integrated transparency and offering a flexible and robust service.
- Cross-sector engineering is a cross-section of disciplines through engineering throughout the value chain and the life cycle in the development of products and services, enabling new synergies between different actors that enrich and add value.
- The ability to accelerate through the exponential growth of technologies, which acts as a catalyst in creating individual, flexible and productive solutions.
Key points of cybersecurity in industrial environments
1. Get to know your industrial network
The first step in Industrial Cybersecurity is in line with what Paul Galeski, CEO and founder of Maverick Tech, said in his article “Identifying and overcoming cybersecurity challenges in industrial networks” (InTech Magazine, November 2015), in which he stated that the first step is to recognize and “draw” the industrial network(s), with their perimeters, security domains or zones, ducts or transfer zones (DMZs) and technological security controls. Take the test and you will be amazed at the number of undefined points found.
2. Eliminate the “isolated” industrial network paradigm
The isolation paradigm of the industrial network is now obsolete. Upgrade! Most industrial networks today are not isolated from the corporate network and with IIoT (Industrial Internet of Things), they are not isolated from the Internet either.
In fact, productivity and efficiency gains have been the result of such integration. However, without proper security controls, it brings new risks to the industrial network, so we must be prepared.
3. Establish a frame of reference
There are international standards that define frameworks for the management of Industrial Cybersecurity.
They propose models against which gaps can be identified, and on their results, concrete mitigation and improvement plans can be generated, forming an initial baseline and projecting a roadmap over time. This is the answer to methodologically justifying the “how to leave?
4. Meet your supplier’s security requirements
Identifying the safety measures published by the manufacturers of the industrial systems and, once again, carrying out a gap analysis in this respect, allows rapid and substantial improvements to be achieved simply by applying controls already approved and recommended by the brand.
Therefore, this means analyzing compliance with securitization, hardening or blueprint requirements of systems (suppliers), such as CBM (Rockwell Automation), PI (ABB), Dispatch (Modular Mining), Spectrum (Siemens), EBI (Honeywell), among others.
5. Formalize the governance structure
An organizational structure must be formalized to govern the management of Industrial Cybersecurity. For this, roles and responsibilities must be established at various organizational levels, such as Strategic, Tactical and Operational.
The great challenge is to establish an organizational structure that allows an effective and efficient governance of Industrial Cybersecurity, both at a central and distributed level, allowing the integration of the different visions – administrative, commercial and industrial – as well as the convergence of IT/OT, IIoT and Industry 4.0.
6. Generate a minimum regulatory body
Similar to the governance structure, the elements of the regulatory body for Industrial Cybersecurity should be generated at the Strategic, Tactical and Operational levels. Therefore, the necessary documents should be identified – at the Strategic level – as the General Security Policy for Administrative, Commercial and Industrial Information; at the Tactical level, Security Policies for Specific Industrial Issues (such as the use of technological resources, access control and encryption); and at the Operational level, procedures, internal standards, instructions, practical security guides, security tips and other low-level elements to clarify the way in which industrial activities are carried out.
7. Implement continuous improvement management
To achieve continuous improvement management, we must use models such as the DEMING Cycle or PDCA (“Plan- Do-Check-Act”), which is based on virtuous cycles of continuous improvement. In order to move towards establishing an Industrial Cybersecurity Management System (IACS-SMS), and given that the wheel should not be “reinvented”, it is recommended to analyze the ANSI/ISA 62443.2.1 (99.02.01) standard.
8. Assess vulnerabilities affecting Industrial Cybersecurity
Vulnerability assessments are recommended to define, identify and classify weaknesses in the industrial environment. This includes hardening (blueprint) compliance review of systems and platforms, vulnerability review by technology platform, vulnerability assessment of network architecture (zones and ducts).
The weaknesses identified should be associated with industrial risk, thus generating a baseline and mitigation plan for technological vulnerabilities.
9. Raise awareness on Industrial Cybersecurity
The paradigm shift in isolation, IT/TO convergence, the Industrial Internet of Things (IIoT) and Industry 4.0 have all highlighted Industrial Cybersecurity, and require the understanding and active participation of all staff.
As with any cultural change, dissemination and training, among other measures, are required, but above all, awareness of the role of cybersecurity in the industrial environment must be raised.
10. Improve the relationship between Industrial Cybersecurity managers and their corporate counterpart
The main factor to be considered to improve Industrial Cybersecurity is the human factor, specifically the level of maturity of the relationship between Cybersecurity management for corporate and industrial networks.
In this regard, a maturity level model is proposed for the Industrial Cybersecurity Governance vs Corporate Cybersecurity Governance relationship. Using this model allows the current level to be identified and the gap analysis to be approached as an improvement plan.