IT Security in Automation

A good level of IT security can only be achieved if the organizational and technical measures within the company interact closely, in collaboration with suppliers. Phoenix Contact will support its customers throughout the entire process.

by Lutz Jänicke

The topic of IT security is currently receiving a great deal of attention. Studies such as the one by VDMA (Verband Deutscher Maschinen- und Anlagenbau)(1) have documented that production at a significant number of companies has already been affected by such problems. Despite this, only around half of the companies questioned in a survey conducted by ZVEI – the German Electrical and Electronic Manufacturers’ Association – had completed a risk analysis of their production sector(2). A major challenge is assessing the risk of potential future attacks for which there are no documented incidents: there is practically no reliable information that companies could use to assess the threat level.

From best practices to information security management
If security measures are to be introduced into production, the “top-down” and “bottom-up” concepts used in standard engineering processes offer a possible approach. Let us start with best practices (bottom-up).
There are a number of measures that will always raise the security level, regardless of any specific threat analysis. These include segmenting networks and protecting them with firewalls, introducing user and password management, and recording and evaluating events.
These activities will quickly ensure that a basic security level is established. However, any subsequent targeted improvement to the security level requires a systematic approach.
The German Federal Office for Information Security (BSI) supports systematization using the LARS tool (Light and Right Security)(3).
With regard to information security management (top-down), a target-oriented approach is detailed in the ISO/IEC 27000 series(4) and ISO/IEC 62443(5) standards. The initial assessment determines the protection requirements: what needs to be protected, and against which threat? Organizational and technical measures can then be implemented on the basis of these considerations.

Further development measures
While automation systems were isolated in the past, nowadays they are closely linked to the company’s IT infrastructure. Thanks to the development of digitalization and Industry 4.0 concepts, networking is becoming increasingly important and now also includes inter-company aspects and cloud services. IT security must therefore be developed accordingly.
An information security management system (ISMS) examines all aspects of IT security. A continually high level of security can only be maintained in an organizational context. The general ISMS described in the ISO/IEC 27000 series(4) is currently being introduced for the IT systems of larger companies.
However, automation differs from office IT in a large number of criteria and must therefore be given special consideration in an ISMS, as is done in Part 2-1 of ISO/IEC 62443(5).
To ensure that these characteristics and the different perspectives are taken into consideration, responsibilities must be assigned accordingly. One suggestion for achieving this was developed as part of the Industry 4.0 platform(6). Overall coordination of the activities is an important part of this concept, because the desired security level can only be achieved through an agreed approach.

The importance of identifying and classifying company assets
To effectively and efficiently implement IT security, the company’s assets that are to be protected – i.e. systems, plants and processes – must be identified and rated according to their criticality such that a threat analysis can be implemented. Potential threats must be determined first, before any resulting risks can be evaluated.
This risk assessment, which takes the extent of the damage and the probability of occurrence into consideration, is particularly challenging. While accidents and technical faults can be assigned probabilities with a high level of confidence, the likelihood of targeted attacks can only be estimated. ISO/IEC 62443(5) therefore uses security levels 1 to 4, which are based on the capabilities of possible attackers. Are we working on the basis that professional attacks must be prevented? Or will it suffice to protect against simple, untargeted attacks – such as viruses? Even if the threat analysis has to be completed by external specialists, it provides a basis for subsequent prioritization and is thus a sensible economic investment. Technical and organizational measures are then selected and implemented based on the results of the risk evaluation.

What are the areas of action in the automation sector?
Different areas of action can be defined in the automation sector. The automation system should be split into zones that are arranged by task, classification or protection requirement. Particular attention must be paid to the transitions between the individual zones. It is recommended to separate the automation networks into segments that correspond to these zones. The use of firewalls ensures that the flow of information between segments can be controlled.
The selected systems should have the necessary security features.
However, complete IT security cannot be achieved. It is therefore necessary to assess available software updates/patches according to their criticality and to install them accordingly.
Records must be collated and evaluated so that attacks can be detected.
An emergency plan for safeguarding and restoring the system should also be created.
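As an added illustration of two of the measures above (controlling the flow of information between zones, and evaluating records to detect attacks), and not code from the article or from Phoenix Contact: a small Python check that models zones and the allowed conduits between them, then audits constructed firewall log lines for cross-zone traffic that falls outside that policy. The zone names, IP ranges, ports and log format are assumptions made for the example.

```python
import ipaddress
import re

# Zones split by task and protection requirement (constructed IP ranges).
ZONES = {
    "office_it": ipaddress.ip_network("10.1.0.0/16"),
    "scada_dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control_cell": ipaddress.ip_network("10.3.0.0/24"),
}

# Conduits: the only flows the zone-transition firewall should permit,
# as (source zone, destination zone, TCP port). Everything else is denied.
ALLOWED_CONDUITS = {
    ("office_it", "scada_dmz", 443),     # HMI web view from the office
    ("scada_dmz", "control_cell", 502),  # Modbus/TCP from the SCADA server
}

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined zones is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def flow_permitted(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Default deny: only explicitly listed conduits may cross a zone boundary."""
    return (zone_of(src_ip), zone_of(dst_ip), dport) in ALLOWED_CONDUITS

def audit_log(lines):
    """Return (src_zone, dst_zone, dport, action) for each cross-zone flow that is
    not an allowed conduit. ACCEPT means the firewall policy is wider than the
    conduit list; DROP is a recorded attempt that should be evaluated."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m[1], m[2], int(m[3]), m[4]
        if zone_of(src) != zone_of(dst) and not flow_permitted(src, dst, dport):
            findings.append((zone_of(src), zone_of(dst), dport, action))
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "fw: src=10.1.5.20 dst=10.2.0.10 dport=443 action=ACCEPT",
    "fw: src=10.1.5.20 dst=10.3.0.7 dport=502 action=ACCEPT",  # office -> PLC: policy gap
    "fw: src=10.2.0.10 dst=10.3.0.7 dport=502 action=ACCEPT",
    "fw: src=10.1.9.3 dst=10.3.0.7 dport=22 action=DROP",  # office -> PLC SSH attempt
]
```

Running `audit_log(SAMPLE_LOG)` reports the two office-to-control-cell flows: the accepted Modbus connection shows a firewall rule wider than the conduit list, and the dropped SSH attempt is the kind of recorded event the article says must be evaluated.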