A blog post with food for thought I’d like to share, based on work I’ve done recently: reviewing/analyzing key IT characteristics of digitalisation in shop floor environments and its impact on ICT security organizations.
Understanding the Development
This blog post is not undertaking (another) attempt to debate in detail what terms such as Industrial Internet, Internet of Things, or the Digital Factory encompass (and what they don’t).
For the purpose of this document, however, a technical characterization summary is given from an ICT Security perspective:
Digitalization in manufacturing and the related terms mentioned above are concepts describing a technological change from automation-driven manufacturing to information-driven manufacturing technology. This change is basically driven by the insight that data/information and the technologies known from the Internet have the potential to increase manufacturing productivity (by shortening production cycles, decreasing cost, increasing flexibility).
From an ICT Security perspective, this change can be characterized by the following key developments in manufacturing and shop floor environments: data explosion, hyper connectivity, and IT/OT convergence.
Data Explosion
At the heart of this development is the realization/discovery (or rather re-discovery) of data as a key resource – this time in the manufacturing world. More specifically: it is the realization that intelligent exploitation of the insights manufacturing data holds is a key opportunity to increase productivity.
At the same time this insight was obtained, the costs of creating/collecting/gathering, processing, and storing even massive amounts of data have dropped radically. This is not news to the office IT and Internet-driven cloud services business world – but it is news to the manufacturing shop floor, where massive data volumes are waiting to be harvested and very inexpensive but powerful data collectors (e.g. smart sensors) are available, ready even now to do exactly that. A “Bring Your Own Sensor” situation, so to speak.
Hyper Connectivity
The second characteristic is an explosion of connectivity in order to connect and interconnect not only the numerous heterogeneous mobile real-time data sources with the data processing systems but also to communicate (or present) the processed information to users, create new control data, and (instantly) send the control data back to control systems.
For intelligent – in other words self-controlled – systems (e.g. robots and smart machines), this may seem like a mostly “internal” communication, but on the other hand, these types of systems depend even more heavily on sensor data and on coordination/cooperation with the environment they are operating in – which requires communication of quality data and a constant, reliable feed of (accurate and consistent) information.
These needs are resulting in a rapid development of high demand for ubiquitous, mobile, broadband, agile networks for instant communication in industrial environments.
IT/OT Convergence
The different worlds of IT and Operational Technology (OT) come together. Traditional IT vendors start to provide (security) solutions/services for real-time operations OT platforms and systems. In contrast, OT vendors, so far mostly using proprietary technologies, now embrace standard IT technologies and approach “IT territory”.
The difference/line between IT and OT will increasingly blur and ultimately disappear. Physical systems become Cyber Physical Systems (CPS).
Change of Production and Cyber Risk Landscape
ICT Security is ultimately about mitigating risks introduced by the use of information technology.
A development towards information-driven manufacturing (data dependency, hyper connectivity dependency, IT/OT convergence) implies changes to the production risk landscape. Production risk managers have to take into account cyber risks and the organization’s cyber risk management now has to take into account the production context.
These changes to the organization’s risk management scopes must not be underestimated! Once again: Cyber risk management (and Cyber Liability Risk Management) becomes a concern of production risk management.
Risks are assessed based on methods/calculations taking into account threats, vulnerabilities, the impact caused when one or more threats exploit one or several vulnerabilities, and the probability that this exploitation will actually occur.
There are several studies circulating within the international security community investigating top cyber risks for industrial production environments. The German Federal Agency for Information Security (BSI), for example, publishes a list of top threats for Industrial Control Systems, the top five being:
- Infection with malicious software coming from the office network (Intranet) and Internet
- Infection with malicious software from thumb drives and external hardware
- Social engineering
- Human error and sabotage
- Attacks via remote maintenance lines
Many existing ICT security risk mitigation controls/safeguards and countermeasures (= security solutions) have not been designed with production environments, the production cyber risk landscape, and attack vectors in mind.
Opportunities for ICT Security
The objective of ICT Security is to protect information (assets) by securing the systems that produce, store, transmit, and process the very same.
Obviously, a development that changes an entire technology and business area, that of industrial manufacturing/production supply chain, into an information-driven world, is a development with unique opportunities for ICT Security. In my opinion it is one of the (rare) opportunities to introduce and establish, basically almost from scratch, Cyber security not as a constraint but rather as a service and as added value to the organization’s manufacturing/production business (rather than imposing it by regulation or organizational governance pressure).
Wanted: Cyber Integrator
A lesson learned by everyone in past technological waves, particularly looking at the Internet and its metamorphosis from a playground for academics and nerds to a revolutionary and most disruptive business game changer, is this:
Security is an indispensable ingredient for maturing a technology from the peak of inflated expectations to the plateau of productivity level!
However, contrary to the past, this time, security is already a generally accepted ingredient for success at a time when the technology is still in its early maturity phase.
Important ramifications of this situation (from an ICT Security point of view) are:
- Shop floor business projects will be in increased need of ICT security assistance in terms of skills and experience contribution/participation and – more importantly for ICT Security – will (rightfully) expect the new(!) industrial ICT products (solutions, services, consultancy) to be security-verified/validated.
  In other words, the business expectation is: ICT delivers shop floor products and provides shop floor services “secure by default”.
- Manufacturing Engineering domains will have increased demand for cyber solutions skills and expertise.
- Research and Technology domains will have increased demand for technical cyber skills and expertise.
- Production domains will have increased demand for cyber risk and cyber risk management skills and competence.
Seizing the Opportunity
To seize this opportunity, ICT Security organizations need to strengthen/enforce, create (where necessary), and market their capabilities centering on a service portfolio that responds directly to the main technical developments of the transformation (data explosion, hyper connectivity, IT/OT convergence). Hence, the service portfolio must focus (at least) on:
- securing industrial connectivity solutions/services
- enabling innovation technologies (support for “Smart Factory” projects)
- support services to manage (identify, assess, mitigate) production cyber risks
- support services to manage vendor/COTS systems security (IT/OT convergence partner)
Note that the first two elements in this service portfolio are “embedded services” (services by ICT Security which are an integral part of ICT services and hence not necessarily directly customer facing) while the latter two are services where ICT Security is the dedicated service provider (customer facing).
Risks for ICT Security (Organization)
The risk for an ICT organization is to not seize this opportunity and ultimately be replaced by a provider who is able to do so.
This risk is fed by the following threats and vulnerabilities:
- not understanding the development and/or underestimating its technical implications and information security impact
- underestimating the impact of IT/OT convergence effects
- lack of skills/competency in OT, automation technology, and manufacturing
- lack of capability to build business cases and return on industrial security/cyber investment
- lack of capability to define, implement and present industrial cyber assurance level (security metrics/KPIs) as a means of informed management decisions for both senior ICT management and senior production management
Posted on November 22, 2015 by Heiko Herrmann