OT Security
18.May.2020
Intelligent manufacturing faces security challenges and opportunities in the coming IIoT era
With the advancement of artificial intelligence (AI) technology, intelligentization has become the main theme of technology development in the 21st century. The core technology of intelligent manufacturing is the Internet of Things (IoT) technology and the Cyber-Physical System (CPS). By combining big data analysis, artificial intelligence, cloud computing and other technologies, intelligent manufacturing is trying to intelligentize every step of the production process, thereby achieve the customized business goal to meet the small and diverse market demand.
In the past, the manufacturing concept was to pursue production automation and mass-produce the production version products in a Standard Operation Procedure (SOP). The concept of intelligent manufacturing is not the case. Due to changes in consumer shopping habits, manufacturing methods that can quickly customize production are gradually welcomed. This is a very important core concept in Industry 4.0. The future intelligent factory will not only refer to the improvement of industrial technology, but will integrate technology, sales and product experience, so that manufacturing, sales, logistics, after-sales service and other business concepts will be connected as a whole. Eventually it will build an intelligent world with perceptual consciousness, and the "customization of demand" will be one of the main goals pursued by intelligent manufacturing.
In the past, the manufacturing concept was to pursue production automation and mass-produce the production version products in a Standard Operation Procedure (SOP). The concept of intelligent manufacturing is not the case. Due to changes in consumer shopping habits, manufacturing methods that can quickly customize production are gradually welcomed. This is a very important core concept in Industry 4.0. The future intelligent factory will not only refer to the improvement of industrial technology, but will integrate technology, sales and product experience, so that manufacturing, sales, logistics, after-sales service and other business concepts will be connected as a whole. Eventually it will build an intelligent world with perceptual consciousness, and the "customization of demand" will be one of the main goals pursued by intelligent manufacturing.
In addition to customization of demand, intelligent manufacturing combined with big data can even analyze the market trend, weather forecast, raw material quantity and inventory, transportation process, defect improvement, etc. The massive data analysis enables manufacturers to precisely control the production quantities, schedule the existing resources as well as reduce the excess costs and waste to achieve production optimization. [1]
The advent of Industry 4.0 has led countries around the world to launch policies. As the birthplace of the Industrial Revolution, the United Kingdom proposed the "High Value Manufacturing Strategy" as early as 2008 to encourage the local British companies to manufacture more world-class high value-added products. In 2013, it released the "British Industry 2050 Strategy" to create a guideline for the UK’s manufacturing industry before 2050. The core concept is to be highly customized and respond quickly to consumer demand.
The United States, which was also an industrial power, did not fall behind. Its federal government started the "Advanced Manufacturing Partnership (AMP)" in 2011. Moreover, the proposal is for dealing with the old and unsuitable manufacturing concepts. It also proposed AMP 2.0 in 2014, emphasizing specific implementation measures. Among them, the focus of advanced manufacturing is on the new business model brought by intelligent manufacturing to stimulate the US-based manufacturers to reshore production back to the America. The same concept is also spreading in France. After Germany officially released the Industry 4.0 Plan, French government unveiled the "New Industrial France" program too, which has a similar purpose to the U.S.
In addition to the above-mentioned well-known industrial powers, other powers also proposed the related plans. For example, Japan initiated a series of strategic measures such as Industry Revitalization Plan, Japan Industry 4.1J, and Social 5.0. China, as a major manufacturing power in the 21st century, launched a 10-year plan in 2015, called Made in China 2025. India, one of the BRIC countries, has also kept up with the trend of Industry 4.0, proposing a "Make in India Initiative" to reorganize India's business environment and manufacturing industry.[2]
Countries around the world have begun to study the model of future manufacturing for Industry 4.0, Asia also developed the "Executive Yuan Office Productivity 4.0 Development Plan" in 2015 and began to implement it in the fourth quarter of the same year. This is an eight-year plan that is expected to come to an end by 2024. Productivity 4.0 has noticed the trend of intelligent manufacturing as well. In order to integrate into the future Industry 4.0 production model, the plan combines intelligent machinery, big data analysis and the IoT on the technical side, and adds intelligent logistics, cross-domain integration and industrial structure optimization on the industrial side. Meanwhile, investing in talent training for 4.0 enables Asia to have a sufficient talent pool in the field of intelligent manufacturing. The above various domestic and foreign policies are to explore the intelligent manufacturing structure.[3]
The advent of Industry 4.0 has led countries around the world to launch policies. As the birthplace of the Industrial Revolution, the United Kingdom proposed the "High Value Manufacturing Strategy" as early as 2008 to encourage the local British companies to manufacture more world-class high value-added products. In 2013, it released the "British Industry 2050 Strategy" to create a guideline for the UK’s manufacturing industry before 2050. The core concept is to be highly customized and respond quickly to consumer demand.
The United States, which was also an industrial power, did not fall behind. Its federal government started the "Advanced Manufacturing Partnership (AMP)" in 2011. Moreover, the proposal is for dealing with the old and unsuitable manufacturing concepts. It also proposed AMP 2.0 in 2014, emphasizing specific implementation measures. Among them, the focus of advanced manufacturing is on the new business model brought by intelligent manufacturing to stimulate the US-based manufacturers to reshore production back to the America. The same concept is also spreading in France. After Germany officially released the Industry 4.0 Plan, French government unveiled the "New Industrial France" program too, which has a similar purpose to the U.S.
In addition to the above-mentioned well-known industrial powers, other powers also proposed the related plans. For example, Japan initiated a series of strategic measures such as Industry Revitalization Plan, Japan Industry 4.1J, and Social 5.0. China, as a major manufacturing power in the 21st century, launched a 10-year plan in 2015, called Made in China 2025. India, one of the BRIC countries, has also kept up with the trend of Industry 4.0, proposing a "Make in India Initiative" to reorganize India's business environment and manufacturing industry.[2]
Countries around the world have begun to study the model of future manufacturing for Industry 4.0, Asia also developed the "Executive Yuan Office Productivity 4.0 Development Plan" in 2015 and began to implement it in the fourth quarter of the same year. This is an eight-year plan that is expected to come to an end by 2024. Productivity 4.0 has noticed the trend of intelligent manufacturing as well. In order to integrate into the future Industry 4.0 production model, the plan combines intelligent machinery, big data analysis and the IoT on the technical side, and adds intelligent logistics, cross-domain integration and industrial structure optimization on the industrial side. Meanwhile, investing in talent training for 4.0 enables Asia to have a sufficient talent pool in the field of intelligent manufacturing. The above various domestic and foreign policies are to explore the intelligent manufacturing structure.[3]
Security problems that are accompanied by intelligent manufacturing
During the process of research and establishment, the complexity of the system architecture is bound to gradually increase, and the information security risk also comes along. A field that combines multiple technologies (e.g. IoT, big data, cloud computing and AI) will expand a lot of data flow spaces. The main implementation method of intelligent manufacturing is to use the IoT as the architectural basis and apply it to the manufacturing industry to form an "Industrial Internet of Things (IIoT)" system. After the deployment, the distribution rate of security vulnerabilities would naturally start to rise. The potential threats are more likely to affect IIoT system through breaches. Even if only a small part is damaged, it will affect the operation of the overall system. If any part is invaded by a hacker, the entire production system might be paralyzed, causing huge financial losses and damage to corporate reputation.
At present, the ISA/IEC 62443 series of standards issued by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) are the international standards and specifications related to intelligent manufacturing, which formulated the specifications and guidelines for the policy and process, industrial security and component development of the Industrial Automation Control System (IACS). The U.S. National Institute of Standards and Technology (NIST) also issued NIST.SP.800-82, which revealed the security guidelines for Supervisory Control And Data Acquisition (SCADA), Distributed Control System (DCS), Programmable Logic Controller (PLC) and other industrial control systems. In addition to this instruction manual, other specifications such as NIST.IR.8200 and NIST.IR.8228 have been released. The European Union Agency for Cybersecurity (ENISA) published many relevant guidelines and standards for the IoT and cybersecurity too.
The Industrial Development Bureau (IDB) of Ministry of Economic Affairs (MOEA) drew up the security requirements for intelligent machinery after referring to various international norms, and planned to further develop an assessment method for security maturity. The security issues that are accompanied by intelligent manufacturing have received some attention, but the results of setting too many standards may cause difficulties in the establishment of intelligent manufacturing. Moreover, the inconsistency of the standards of various countries and agencies may cause other security risks in the future. This is bound to be an important factor that must be considered in building intelligent manufacturing.
At present, the ISA/IEC 62443 series of standards issued by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC) are the international standards and specifications related to intelligent manufacturing, which formulated the specifications and guidelines for the policy and process, industrial security and component development of the Industrial Automation Control System (IACS). The U.S. National Institute of Standards and Technology (NIST) also issued NIST.SP.800-82, which revealed the security guidelines for Supervisory Control And Data Acquisition (SCADA), Distributed Control System (DCS), Programmable Logic Controller (PLC) and other industrial control systems. In addition to this instruction manual, other specifications such as NIST.IR.8200 and NIST.IR.8228 have been released. The European Union Agency for Cybersecurity (ENISA) published many relevant guidelines and standards for the IoT and cybersecurity too.
The Industrial Development Bureau (IDB) of Ministry of Economic Affairs (MOEA) drew up the security requirements for intelligent machinery after referring to various international norms, and planned to further develop an assessment method for security maturity. The security issues that are accompanied by intelligent manufacturing have received some attention, but the results of setting too many standards may cause difficulties in the establishment of intelligent manufacturing. Moreover, the inconsistency of the standards of various countries and agencies may cause other security risks in the future. This is bound to be an important factor that must be considered in building intelligent manufacturing.
IIoT faces security issues and challenges
IIoT mainly focuses on technologies such as Machine to Machine (M2M), CPS, big data and machine learning. It also starts the beginning of the integration of Information Technology (IT) and Operational Technology (OT). However, IT and OT itself already have hundreds of different protocols and standards, coupled with the complex characteristics of the IoT itself. These would lead to the problem about the allocation of responsibilities of network security. Moreover, a large number of stakeholders are involved in the usage life cycle. For example, there may be dozens of component suppliers, their components are applicable to different specifications or standards, and the equipments deployed in different geographic locations may be subject to different legal constraints. For this reason, the IIoT is difficult to unify in standard specifications, resulting in the problem of "technological fragmentation". How to integrate or collaborate with these standards will be the first challenge.[4]
In addition, the IIoT is a novel technology, which is still in the research and development and testing stages. For the technical engineers who have been working in the OT field for decades, how to establish adequate security awareness related to the IIoT, while providing appropriate education and training will be another subject worth studying.
The problem of inadequate security awareness of individuals also involves in the corporate system. There are still many enterprises that do not pay enough attention to the issue of information security. The risks that come with the establishment of tomorrow's intelligent manufacturing will be different from the past. However, insufficient awareness of information security at the top management level would be a major challenge to the IIoT in the future. Because the information security protection requires considerable investment, and it is difficult to perceive or even quantify its benefit value. Hence, it is easy for management to overlook the information security and they do not juxtapose the importance of security with the establishment of business value. This drawback is an old problem, rather than because of the development of Industry 4.0.
In addition, the IIoT is a novel technology, which is still in the research and development and testing stages. For the technical engineers who have been working in the OT field for decades, how to establish adequate security awareness related to the IIoT, while providing appropriate education and training will be another subject worth studying.
The problem of inadequate security awareness of individuals also involves in the corporate system. There are still many enterprises that do not pay enough attention to the issue of information security. The risks that come with the establishment of tomorrow's intelligent manufacturing will be different from the past. However, insufficient awareness of information security at the top management level would be a major challenge to the IIoT in the future. Because the information security protection requires considerable investment, and it is difficult to perceive or even quantify its benefit value. Hence, it is easy for management to overlook the information security and they do not juxtapose the importance of security with the establishment of business value. This drawback is an old problem, rather than because of the development of Industry 4.0.
The above problems are the difficulties faced in the establishment phase. If appropriate measures are not taken against these issues during the establishment process, the system may be subject to huge security risks in the future. Even if the above difficulties are eliminated in advance through building a mature IIoT, it does not mean that the risks will disappear. Under the continuous transmission and operation of a large number of data streams, once the data leaks or is maliciously tampered with, it will cause a bad chain reaction to the IIoT system. Besides, intelligent manufacturing makes a closer connection between the virtual and physical worlds. If a security incident occurs in the IoT system, its damage to the physical world would be quite significant as well.
The increasingly complex intelligent manufacturing environment coupled with the interconnectivity of IoT systems would help broaden the scope of attack. There are not only non-man-made risks, but also man-made threats that require special attention. Hacker invasion is a typical example. Insecure connection ports, components that have not been updated for a long time, incomplete update mechanisms, etc. are all possible breaches that hackers may exploit. Yet the acceptance of updates is quite low in the traditional industrial fields, because the downtime caused by an update will make the company loss. Therefore, the security update would be an important issue for IIoT.
Additionally, many network attacks such as Distributed Denial-of-Service (DDoS), message tampering, eavesdropping and implanting are hacking methodologies that hackers may use against network communication channels. These attacks will cause serious damage to assets or data leakage, if the security protection of network communication is neglected.
During the transformation, some old equipments and traditional industrial systems are also security vulnerabilities that need attention. Building a new system based on the legacy system may lead to outdated protection measures still being used, and unknown vulnerabilities that have not been discovered for many years in the old system. This allows attackers to find a new way to compromise the system.[5]
Finally, lack of secure development concept in application development and design enables software vulnerabilities to open the door for hackers to invade the system. Lack of security elements in hardware equipment design also opens up an invasion breach for attackers. The above examples show that the IIoT could suffer a wide range of attacks. No matter what end point of the IIoT is destroyed, it may paralyze the entire system, and the resulting damage or even casualties would be difficult to estimate.[6]
Information security solution for IIoT
In view of the various security problems that intelligent manufacturing will face in the future, Onward Security has in-depth ability to solve information security problems. It is the first team with penetration testing and security research capabilities, in the fields of industrial control systems, networked equipment and IoT. The company has won many international awards, including six gold and one silver awards in the 2020 Cybersecurity Excellence Awards, and the Gold Award for the Best Cybersecurity Company in Asia. The security products developed by it have also received multi-national patents and international recognition.
Onward Security is ISO 17025 accredited laboratory to offer seven testing items for information security, and is Asia's first CTIA Authorized Test Lab for cybersecurity, while being the security testing laboratory designated by Amazon Alexa. Its professional testing technology can serve various applications such as IoT devices, intelligent grids, Internet of Vehicles, embedded systems, mobile App, ICS and SCADA devices. So far, the laboratory has found more than 40 world's first published Common Vulnerabilities and Exposures (CVE).
Onward Security is ISO 17025 accredited laboratory to offer seven testing items for information security, and is Asia's first CTIA Authorized Test Lab for cybersecurity, while being the security testing laboratory designated by Amazon Alexa. Its professional testing technology can serve various applications such as IoT devices, intelligent grids, Internet of Vehicles, embedded systems, mobile App, ICS and SCADA devices. So far, the laboratory has found more than 40 world's first published Common Vulnerabilities and Exposures (CVE).
For the security vulnerabilities that may occur in hardware devices of IIoT, the solutions provided by Onward Security include:
- Software and hardware security testing services for industrial control products or systems, as well as providing software security development consulting services for manufacturers, enabling them to have software security development capabilities to meet the security requirements of the industry and customers for hardware and software; the applicable connected products such as Netcom products, mobile devices, security control, smart appliances, smart cars, IoT, etc.
- Self-developed cybersecurity products, including product security management system - HERCULES SecFlow and automatic vulnerability assessment tool - HERCULES SecDevice, providing the compliance tools for the design, development, testing and deployment of networked products, meeting the security requirements of IEC 62443, OWASP TOP 10 and CWE/SANS TOP 25, and applicable to PLC, ICS, SCADA and other intelligent manufacturing related industrial control components.
- One-stop security solution for IEC 62443 and ISO 27001 consulting services; Onward Security has a complete compliance-related service, helping manufacturers quickly obtain certificates of international standards to increase customer trust and corporate business reputation. In addition, providing professional security education and training helps technical engineers build security awareness related to the IIoT to cope with the future establishment of intelligent manufacturing and the coming IIoT era.
2020 will be the stage of full deployment of IoT technology. With the rapid development of technology, people's lives have become more and more convenient. Due to the benefits brought by technology, enterprises have worked hard to catch up with information technology in all major fields of the world in the past few decades, but ignore the security requirements necessary for long-term stable operation. The repeated major security incidents have proven that just installing protective software is unable to keep your organization secure and guarantee the security of production system operation.
In the future, the implementation architecture of intelligent manufacturing would be more complicated than most current production structures. However, it is a two-edged sword. If enterprises blindly pursue the profits and benefits brought by innovative technology but ignore the huge risks hidden behind, the security threat would eventually come again and again and become an untimed bomb. Once triggered, the damage is bound to be higher than before, and the benefits of intelligent manufacturing would go up in smoke.
Faced with the above, enterprises should make complete security management measures and programs, empower employees with adequate security awareness, and take security elements into consideration when developing software and hardware. If all these could be done before the hazard occurs, intelligent manufacturing will be a beautiful blueprint and a future worth working for.
Reference:
[1] 天下雜誌,〈工業4.0-58秒的競爭〉,2016.07。閱於2020.04.08。網址:http://topic.cw.com.tw/2016industry4.0/article.html.
[2] 李國維,〈工業4.0(一):簡單看懂工業4.0〉,2016.08。閱於2020.04.10。網址:https://scitechvista.nat.gov.tw/c/skZM.htm.
[3] 行政院,〈行政院生產力4.0發展方案〉,2015.09。閱於2020.04.10。網址:http://class.nchu.edu.tw/bulletin/MOE/105_MoE_re_allr.pdf.
[4] ENISA,“Industry 4.0 - Cybersecurity Challenges and Recommendations”,2019.05。
[5] ENISA,“Good Practices for Security of Internets of Things”,2018.11。
[6] Trend Micro Inc.“The IoT Attack Surface: Threats and Security Solutions”,2019.05。閱於2020.04.15。網址:https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/the-iot-attack-surface-threats-and-security-solutions.
