According to PwC’s Insights (https://www.pwc.com/gx/en/research-insights.html
), Industry 4.0 “refers to the fourth industrial
revolution, which connects machines, people and physical assets into an
integrated digital ecosystem that seamlessly generates, analyzes and
communicates data, and sometimes takes action based on that data without the
need for human intervention.”
While the Industry 4.0 approach creates fantastic opportunities, it also
expands the risks associated with cybersecurity.
If you, like me, are not well versed in cybersecurity, an excellent place to
begin is Cybersecurity Resources for Manufacturers (https://www.nist.gov/mep/cybersecurity-resources-manufacturers)
TIP: Google®
cybersecurity industry 4.0 to find other
resources
///////
EXCERPTS FROM Cybersecurity Resources for Manufacturers
According to PwC’s Insights, Industry 4.0 “refers to the fourth industrial revolution,
which connects machines, people and physical assets into an integrated digital
ecosystem that seamlessly generates, analyzes and communicates data, and
sometimes takes action based on that data without the need for human
intervention.” It is focused heavily on interconnectivity, automation,
machine learning and real-time data. Industry 4.0 encompasses the Industrial
Internet of Things (IIoT) and smart manufacturing. It joins physical production
and operations with smart digital technology, machine learning and big data to
create better connected systems for companies that focus on manufacturing and
supply chain management.
These new technologies will serve to advance manufacturing, but they also
introduce risk. Company-sensitive data may be streamed across a network of
small, power-sensitive and deeply embedded devices, which is a completely
different threat landscape than the PC-based approach most SMMs use today.
Four Key Areas of Industry 4.0
It’s helpful to think of Industry 4.0 in four overlapping pieces:
- Cyber-Physical Systems (CPS) and Cobots
- Internet of Things (IoT) and Big Data
- Cloud Manufacturing (CMfg)
- Automation
Cyber-Physical Systems (CPS) and Cobots
According to NIST Special Publication 1500-201, Framework for Cyber-Physical
Systems: Volume 1, “cyber-physical systems are smart
systems that include engineered interacting networks of physical and
computational components.”
CPS generally combine sensors and sensor networks with embedded computing to
monitor and control the physical environment, with feedback loops that allow
external stimuli to activate the system either through communication, control
or computing. From a manufacturing industry perspective, a CPS is an internet-enabled physical entity, such as a pump
or compressor, embedded with computers and control components consisting of
sensors and actuators.
Manufacturers are rapidly adopting the use of cobots,
which are robots with direct physical interaction with a human user within a
shared workspace. Cobots, just like traditional industrial robots,
consist of a mechanical arm that can be programmed to perform tasks in a
manufacturing facility, such as material handling, assembly, quality inspection
and packaging, while working alongside humans.
Internet of Things (IoT) and Big Data
IoT refers to the network of devices that contain the
hardware, software, firmware and actuators that allow the devices to connect,
interact and freely exchange data and information. IoT is about connecting
"things," such as objects and machines, to the internet and
eventually to each other.
While IoT collects data from physical objects like a sensor, big data allows
for more efficient and effective processing and storage of this data. The
combination of IoT and big data makes the collection and analysis of data
available to improve production.
Cloud Manufacturing (CMfg)
Use of both internal or external cloud applications in
manufacturing can transform resources and capabilities into services. These
services can then be managed and operated in a unified way, enabling sharing
and circulating of resources and capabilities. Cloud manufacturing can
provide safe and reliable, high quality, inexpensive and on-demand
manufacturing services for the whole lifecycle of manufacturing.
CMfg is a type of parallel, networked and distributed
system consisting of an integrated and inter-connected virtualized service
pool, known as a “manufacturing cloud,” of manufacturing resources and
capabilities. This also includes capabilities of intelligent management
and on-demand use of services to provide solutions for all kinds of users
involved in the manufacturing of a product.
Automation
All systems that collect and communicate data are there
to serve the purpose of making industrial and manufacturing practices more
efficient and autonomous. This is the foundational piece of Industry 4.0.
Technology serves to connect previously discrete systems through
hardware and software, provide information transparency, augment the human
decision-making process, allow for real-time decision making, and to
decentralize decisions within technological systems so the frequency of human
interference is reduced.
All four pieces of Industry 4.0 hinge on the
interconnection of:
Machinery and production management
systems.
Information across manufacturing
processes.
Information throughout the
manufacturing lifecycle.
The MEP (Manufacturing Extension
Partnership) National Network™ Can Help
https://www.nist.gov/mep/centers
Industry 4.0 is a term we can expect to hear more of as manufacturers begin to
adapt its concepts. Cybersecurity will be an important aspect of the
integration of IT and OT and the future success of the next phase of the
Industrial Revolution. Companies should contact their local MEP Center for
assistance in implementing an Industry 4.0 approach.
While the implementation of Industry 4.0 appears to solve many of AthCo’s
production issues, new cybersecurity concerns may be introduced. The use of
sensors and remote access may provide entry points for hackers, cybercriminals
or industry competitors to gain access to AthCo’s systems. Before implementing
new technologies, a cyber risk assessment should be performed to provide a full
understanding of the company’s cybersecurity needs and capabilities. AthCo
should understand the benefits and the potential cybersecurity risks
implementing Industry 4.0 may introduce.
Cybersecurity Resources for Manufacturers
https://www.nist.gov/mep/cybersecurity-resources-manufacturers
About the author
Pat Toth
Pat has over 30 years of experience in Cybersecurity and worked on various NIST
Cybersecurity guidance documents including NISTIR 7621 Small Business
Information Security: The Fundamentals.
source: https://www.nist.gov/blogs/manufacturing-innovation-blog/cybersecurity-and-industry-40-what-you-need-know
///////
Cybersecurity –
A Critical Component of Industry 4.0 Implementation
September 7, 2022
By: Pat Toth
This blog is the second in a series on cybersecurity and Industry 4.0.
In blog one of this series on “Cybersecurity and
Industry 4.0 – What You Need to Know” we discussed the four aspects of Industry
4.0: cyber-physical systems (CPS)/cobots, Internet of Things (IoT), cloud
manufacturing and automation, as well as how they are interconnected. Strong cybersecurity practices protect
those interconnections, ensuring manufacturers’ systems consistently deliver
accurate data in a timely manner – something critical to the success of an
Industry 4.0 model.
In the past, enterprise systems in manufacturing facilities had distinct
boundaries. The shop floor was separated from the office functions of the
company both physically and electronically. Few production systems were
connected to each other or the internet. In some ways, this approach, commonly
known as “air gapping,” gave reasonable protection for small manufacturers.
Without the risks associated with connectivity, manufacturers were seen by
attackers as hard targets and not worth the effort.
Today, with the growing use of the internet and mobile devices, boundaries
between traditional information technology (IT) systems, production systems,
operational technologies (OT), or other equipment have almost disappeared. With
the recent increase in the number of employees working remotely, the boundaries
that remained in place were weakened further. Meanwhile, attacks to get around
the air gap have become well known. Manufacturing is now the most targeted industry
for cybersecurity attacks.
The fundamental guiding principle of cybersecurity is the CIA triad –
confidentiality, integrity and availability. Confidentiality limits access to sensitive
company information, integrity ensures that company data and equipment remains
trustworthy and accurate, and availability provides timely access to company
data and equipment. Other attributes are sometimes added to the CIA triad, such
as privacy and safety, but these are the generally accepted core principles and
are things any Industry 4.0 adopter should consider.
What Manufacturers Need to Consider With Industry 4.0 Implementation
My last blog introduced AthCo, a fictional medium-sized manufacturer of
athletic apparel. AthCo had recently achieved rapid growth after the launch of
its new athleisure collection, which relies on the inhouse development of a new
breathable fabric. The production method for the fabric is company proprietary
information and needs to be protected.
For many years, AthCo has used an Enterprise Resource Planning (ERP) system and
a Customer Relationship Management (CRM) system. A great deal of data is
produced from the ERP, CRM and the “back office,” including transactional
information.
With the implementation of Industry 4.0 through the use of sensors, cobots,
cloud-based data analytics, a programmable logic controller (PLC), and data
visualization, AthCo leadership can now retrieve and access data from every
stage of the production process. This provides an instant snapshot of
production status and helps to monitor fluctuations and quickly address
potential issues. Plus, the data AthCo now collects allows it to rapidly
communicate internally and with its customers, suppliers and business partners
about things such as inventory levels.
But AthCo is learning that these improvements are not without risks. AthCo,
just like any manufacturing company, needs to build the right infrastructure
that can support and protect the collection, transformation, storage and
analysis of data.
Threats to Manufacturers
Manufacturing systems need to be protected against many types of threats. Most threats affecting small and medium-sized manufacturers
fall into three categories:
Traditional
IT –These are the types of threat most companies are familiar with:
ransomware, data loss or theft, and intellectual property theft. They often
target a company’s IT infrastructure and employees through phishing attacks
(i.e., fake emails) or weak passwords. Successful traditional attacks can cost
a manufacturer time and money and damage its reputation and the manufacturer’s
business partners and supply chain. Often, smaller manufacturers are vulnerable
to these traditional attacks because they do not consistently monitor and
update their cybersecurity protections.
Operational
Technology (OT) – Industrial control systems (ICS), industrial IoT
(IIoT) or other shop-floor equipment usually have very little internal
cybersecurity protection as they were always considered secure if air-gapped.
Today, this equipment is often connected to the company network and internet,
and attackers can compromise them even if they aren’t connected. Successful
attacks to the OT environment can endanger proprietary company information,
interrupt the manufacturing process, or impact the quality of products.
Customized
Software – Manufacturers frequently use software that has been adjusted,
modified or adapted to fit the demands and requirements of their businesses.
Often, software must be tailored to allow for communications among different
manufacturing systems. These adjustments may unintentionally introduce security
vulnerabilities. Additionally, to prevent the equipment from malfunctioning,
the software isn’t updated or patched to address newly discovered
vulnerabilities. If the custom software was not designed from the beginning
with security as a priority, or if it’s not implemented and maintained
correctly, it can be a point of entry used to gain access to other systems.
Let’s look at some scenarios that AthCo might face based on each of the three
types of threats:
Traditional IT – AthCo’s IT staff has
been very involved in the implementation of Industry 4.0. In fact, it has been
so busy that it overlooked a new software update that included a number of
security updates. This allows a hacker to penetrate the company’s IT systems
and gain access to its customer database. Although payments are processed using
a third-party that wasn’t affected, customer names, addresses and order
information were compromised. AthCo has to follow local data breach
notification laws, which cost it several thousand dollars. Unfortunately, AthCo
is unable to tell what other information or systems the hacker may have
compromised, and its ability to trust its data and IT infrastructure is now
fractured.
Operational Technology (OT) – A
disgruntled AthCo design department employee shoulder surfs the production
manager’s remote access control credentials during an off-site meeting. Several
days later, the employee uses the stolen credentials to remotely log onto the
production system, bring up screens, and randomly click on things, hoping to do
as much damage as possible. These actions result in a complete production shut
down for three days as the manufacturer is forced to reconfigure its machines.
Customized Software – AthCo has
several pieces of older production equipment that still work but need custom
software to connect the machines to the new production management systems. A local
software developer customized some open-source software to provide this
connection. Unfortunately, AthCo did not stress cybersecurity as a priority to
the software developer and the software contained many vulnerabilities that
were not managed. As a result, AthCo’s production methods for its new
breathable fabric, the reason behind the success of its new collection, was
stolen by its competitor through the vulnerabilities introduced in its custom
software.
AthCo knows cybersecurity needs to be part of the company culture, especially
as it moves toward increased Industry 4.0 implementation. Here are some things
that you and AthCo can do to protect your investment:
Have a cybersecurity awareness and
training program for new and current employees that teaches what behaviors are
appropriate, how to identify suspicious activity, and how to react if they see
a problem. See this list of free and low cost online cybersecurity learning
content compiled by NIST.
Perform a cybersecurity risk
assessment every year. This provides an understanding of which cybersecurity
risks to focus resources on and prevents waste. See NISTIR 7621 Rev. 1, Small
Business Information Security: The Fundamentals for a very simple guide on
conducting a risk assessment.
Have a conversation about
cybersecurity with any service providers. Make sure that cloud service
providers protect your data from misuse and disclosure, that cleaning or
maintenance providers are trustworthy, and that critical utilities such as
power or internet guarantee an appropriate level of “uptime.”
Understand the cybersecurity
practices of suppliers. AthCo could request that each supplier submit a
completed Vendor Assessment Questionnaire. See NIST’s Assessment & Auditing
Resources page. This will provide an understanding of the level of
cybersecurity expertise within the supplier’s company.
AthCo will need to determine the level of risk it is willing to accept and what
specific cybersecurity practices it will want to apply. A useful roadmap for
reducing cybersecurity risk in manufacturing can be found at NISTIR 8133 Rev 1
Cybersecurity Framework 1.1 Manufacturing Profile.
As Industry 4.0 matures and as we approach the fifth industrial revolution
(5IR), your manufacturing company should expect to see the interconnection of
data and technology as a competitive advantage over less technologically
advanced companies. Cybersecurity will continue to be a critical component of
successful implementation of Industry 4.0 and beyond.
About the author
Pat Toth
Pat has over 30 years of experience in Cybersecurity and worked on various NIST
Cybersecurity guidance documents including NISTIR 7621 Small Business
Information Security: The Fundamentals.
source: https://www.nist.gov/blogs/manufacturing-innovation-blog/cybersecurity-critical-component-industry-40-implementation
///////
Google® Better!
Jean Steinhardt served as Librarian,
Aramco Services, Engineering Division, for 13 years. He now heads Jean
Steinhardt Consulting LLC, producing the same high quality research that he
performed for Aramco.
Follow Jean’s blog at: http://desulf.blogspot.com/
for continuing tips on effective online research
Email Jean at research@jeansteinhardtconsulting.com
with questions on research, training, or anything else
Visit Jean’s Web site at http://www.jeansteinhardtconsulting.com/
to see examples of the services we can provide
