29 Oct MES and Security
One of the most common concerns when it comes to the implementation of IIoT and Industry 4.0 for manufacturers is the risk to data security and maintaining requisite level of data integrity throughout the value chain.
This is a valid concern; data security and integrity should be an important consideration for leaders, even if their preliminary strategic objective is to gear up their value chains to be ready for the new industrial revolution.
Let’s understand why security is a concern. The way in which Industry 4.0 creates value is predominantly through highly connected ‘smart’ systems communicating with each other over networks, allowing for large amounts of data to be collected, processed and transferred from one location to other and from one entity to another, allowing for intelligent information creation, which leads to positive automated actions and better automated or semi-automated decisions. It creates the desired value across the entire product or service delivery chain using data-driven knowledge for decision-making, to gain improved efficiency, reduced costs and faster business outcomes.
The very nature of Industry 4.0 which demands hyper connectivity also allows for it to become a target for security breaches. Every new device or user gaining access to the system, which, in itself is formed by multi-layered systems, devices and humans interacting continuously over networks connected via the internet of locally, may act as a potential threat, which makes security of the value chain-wide system a major challenge and a mounting concern, as the level of connectivity and volume of data moving across the value chain will only increase in the future.
What complicates the matter further is the fact that while achieving connectivity across IT applications, equipment and devices isn’t as big a challenge today as opposed to ten years back, given the current technological landscape, ensuring that the system post-connection is secure from a data breach perspective is a different story altogether. This infers that while the tools of enabling Industry 4.0 are readily available, the requisite security infrastructure, such as common and well defined standards, industry-specific safety protocols and base level security measures such as access control, are still lagging behind, and it may actually take a few years for security to reach the desired level at par with connectivity.
For manufacturers in particular, loss of sensitive information related to recipes, proprietary intellectual property related to design of existing or new products, loss of sensitive client information, changes in regulatory compliance data, loss of control over system due to malware attacks and data loss owning to unauthorized access- all pose massive mission-critical threats to the very existence of their business, as these possible breaches have the ability to inflict damage far beyond the monetary loss caused due to the event itself. These attacks can potentially ruin the brand name and image of a company, which can lead to irreparable and irreversible damage to their entire value chain. Any company which experiences a cyber-attack, which is made public, will have difficulties retaining their customer base, especially in cases where the information lost is highly sensitive in nature.
The dilemma faced by manufacturers is quite evident and revolves around possible compromises to be made with data security, in order to expedite adoption of Industry 4.0. However, the risk to data security and integrity does not necessarily have to be that high and manufacturers do not need to sacrifice their security in order to roll out Industry 4.0 quickly. If done right, any Industry 4.0 implementation can be made resilient to cyber-attacks and other security breaches. The key is to keep security in mind at the time of planning deployment and to not prefer short term gains over long term security; we will reflect more on this later.
In an article published in 2015, Deloitte talks about the inflated risk which comes with the increased connectivity in an IoT enabled world, and that even a single vulnerable device can leave an entire cyber-physical ecosystem susceptible to attack. The article provides a three-pronged paradigm business owners can take to ensure their value chain better protected, even when it is hyper- connected from a cyber-risk management perspective. It is suggested that devices and systems be designed or reconfigured in a way that they are inherently more ‘Secure,’ thereby becoming less susceptible to potential attacks. The next is for the system to be ‘Vigilant’ which necessitates monitoring of both hardware and software to detect any behavior out of the norm and trigger countermeasures. This leads us to the final aspect of the paradigm, building ‘Resilience’ in the system, which implies the ability to act in a manner which results in the least possible damage; in the event that an attack does eventually happen, it is focused on creating the ability within the system to restrict scope of the attack and restore normalcy with least possible lag or damage.
Getting back to a manufacturing specific scenario, it is a well-known fact that real-time data being generated at the shop floor level is at higher risk, since that is where the process itself is executed and controlled. Targeting specific PLC & SCADA systems can undermine the entire safety and productivity of a plant, leading to theft of data, risk to intellectual property, exposure to worker physical harm and loss of control over process equipment in some instances. Even from a data integrity perspective, the threat of unauthorized access to higher level applications, even in highly automated and modern plants, may lead to theft of proprietary data, release of malware from a device accessing such applications and illegal tampering with compliance-related data.
But dealing with these threats might not be as complicated as you may think, provided a clear, well-defined and data security-centric approach is taken while implementing Industry 4.0 across the value chain. The goal here is not to look at data security as an impediment to Industry 4.0, but rather look at it as an enabler in the long term to take the measures necessary to achieve the desired levels of security by acting today.
How to start your security infrastructure
First and foremost is to ensure that data at the very grass-root or equipment level is secure, which can be done by ensuring sensors which measure and report data points are robust enough to handle potential attacks, and applications at the automation and control level are resilient enough to ensure any breach remains localized and does not lead to value chain-wide repercussions.
For manufacturers, this might mean retrofitting or replacing current sensors, upgrading or replacing current process control applications, but again, we emphasize here that, the trade-offs which compel the management to go for short-term productivity gains at the expense of long-term security robustness, must be avoided at all costs. System engineers working with the automation layer must bear in mind the need to be future ready and consider specifically the current security landscape, at the lower levels, where the actual data is being generated, making necessary changes either by retrofitting, extending functionalities or simply replacing existing hardware and software to make it more resilient. Any decision taken must take into account current and future level of threat in any given plant.
Many manufacturers install what can be called a DMZ—demilitarized zone—to isolate the real-time process control equipment (basically, level 0 (sensors) and level 1 (controllers)) from the outside world. This builds a level of security into your control level which for most manufacturers is the most sensitive and important part of their infrastructure.
Next comes the higher level applications like the MES (level 3) which operates above the automation and control layers and below the business logistics or ERP/SCM (level 4) layer. The MES is more concerned with data integrity, ensuring that real-time data obtained is converted or contextualized to obtain actionable information as accurately and consistently as possible.
To ensure this, the modern MES application should be able to protect the real-time data obtained from the equipment layer and ensure its integrity before it is processed. Ideally, the MES would achieve this in the form of a data platform layer capable of edge processing, which isolates the real-time data from near real-time data, without being exposed to the risk which comes from being connected over wireless networks. Not all MES applications may be able to achieve this, however; MES applications equipped with a modern data platform ensure that there exists a layer between the equipment and the MES application itself, ensuring the data received is accurate and consistent and most importantly directly from the source of truth, without any possible corruption over any network.
Further, as the MES application is responsible for process execution, it relies on industry-specific standards and protocols to ensure that the data, once collected, always exists in requisite formats. In addition to this, a modern MES should have the internal capability for systems security to restrict access to the system for any person not authorized to gain entry to a given function or facet of the application. Furthermore, the MES application should be able to establish a baseline of normal vis-à-vis abnormal data through ML, which would allow for the overall system to become more responsive and vigilant, where any variation from the standard may raise requisite alarms. The ability to secure data at the very source, then being able to ensure that any abnormality is detected and reported would help the entire business become more resilient, as any attack, if detected early can be countered with the least damage.
Industry 4.0 demands security from your MES
There are a few critical factors to take away:
- Your Industry 4.0 implementation should be a strategic priority. The most important uses cases must be given preference for making the implementation a success. However, this shouldn’t happen at the cost of security by making compromises to realize short term gains.
- Ensuring security at source of data is vital and all efforts should be made to ensure equipment, automation and control levels are ready for Industry 4.0 from a data security perspective. This may mean installing a DMZ to protect your real-time processes and data.
- The MES application which is responsible for ensuring data integrity across the value chain must be capable of collecting data from the real-time sources and providing the means for data to remain incorruptible once in the application.
- Finally, while overall levels of data security capabilities might take years to parallel current integration capabilities, it is vital that manufacturers consider a system architecture which is based on loose coupling and which allows for seamless data transfer, while restricting damage in case of an attack. This makes the value chain more robust, while still benefitting from the integration which Industry 4.0 brings.