Readiness for Industry 4.0: Product security along the entire value chain

What IT security measures need to be taken in relation to development, manufacturing and operator processes? It is this question which is currently exercising numerous manufacturers, integrators and operators of functionally safe products. The problem is this: The applicable regulations, such as the German Product Safety Act, the Industrial Safety Regulation and the Medical Devices Directive, have hitherto considered only questions of functional safety but paid little or no attention to information security. There currently exists no integrated approach to security and safety, either as a standard or as a policy. TÜV NORD wants to close this gap with the Security4Safety (S4S) risk analysis. This pursues an integrated approach to smart product security along the entire value chain.

“Conventional functional safety has to date always been considered separate from information security,” says Matthias Springer, project manager for Security4Safety at TÜV NORD CERT. This separation was intended to ensure the absence of feedback, in other words, to exclude side effects that could affect the safety of people, equipment and the environment. However, development, manufacturing and operator processes in the age of Industry 4.0 mean that the strict separation of safety and security is no longer possible; if anything, the enshrined goals of the two approaches are now contradictory. “The aim is, on the one hand, to ensure that the machine is safe in itself and, on the other, to protect it from external tampering which might have an effect on development, production or service processes. To put it bluntly, imagine an emergency exit. If you think about it in safety terms, people should be able to get out through it in the event of an emergency. But from a security standpoint the door would need to be bricked up so that no one can enter the building from the outside,” says Mr Springer. So the issue here is to find a way forward for both security and safety requirements.

It is in the light of the above dilemma that Mr Springer and his team developed the S4S risk analysis, which follows the integrated approach required of a risk and threat analysis on all logical levels (processes, systems, components) and with regard to all sensitive properties (assets) of Industry 4.0.

“In accordance with existing practices of hazard and risk assessment from EN ISO 12100, EN 62443-3-2 or VDI/VDE 2182, we take a continuous, systematic and structured approach to the assessment of the properties of processes, evaluate systems and components,” Matthias Springer says. This innovative risk management is divided into three phases: the risk assessment and the derivation of measures, the implementation of the arrangements put in place as a result, and their verification and validation. The phase model is intended to assist the experts as they offer support to customers in different transposition and implementation phases, independently of their expertise and the phase of development of their smart products. “This is the only way to comprehensively evaluate risk, confirm that state-of-the-art technology is being used and comply with the duty of diligence in the launching of secure products in the age of Industry 4.0,” says Matthias Springer. The Security4Safety concept of TÜV NORD takes an integrated approach to safety/security which combines the worlds of IT security and functional safety.