Bridging IT with OT and securing Industry 4.0

It is clear manufacturers must step up their game when it comes to security and businesses must support their IT departments both culturally and financially to make the most of the transition to Industry 4.0.

  • By Paul Crompton


Data is the new gold, its worth measured by how the information is collected, stored and used. It’s therefore no surprise that Industry 4.0 is intrinsically linked to cybersecurity, and with so much valuable raw data being generated, companies are beginning to ask how their data can be stored securely.

Security challenges therefore have the potential to make IoT the asbestos of Industry 4.0, with associated security problems requiring ‘cleaning up’ for years to come as huge quantities of data are continually generated from industrial plants at almost every step of the production chain.

Bridging the IT and OT divide

It’s clear manufacturers must step up their game when it comes to security and businesses must support their IT departments both culturally and financially to make the most of the transition to Industry 4.0.

However, the challenge of bringing Operational Technology (OT) and Information Technology (IT) departments — worlds that have traditionally existed independently of each other — together will be key to this.

Paul Sear, from control and measurement instruments supplier Eurotherm, says the secret is bringing the IT world into the discussion, and ensuring they understand the protocols and the technologies they’re using. This can reduce the alarm or risk they perceive with a “You’re touching their IT infrastructure” mentality.

“It’s reassuring them, providing the insights to ensure that the right levels of security are in place,” says Paul. “Cyber security is fundamentally a key part of the discussion that we have with our customers when we talk to them about our Cloud-based applications, such as mobile apps and site plants, that are pushing data from the mobile app up to the cloud. It’s key that you know cyber security is at the forefront of those devices and that technology.”

Mitigating risk

However, sometimes a company’s base level of understanding is so low that it becomes a default “No, we’re not doing it,” when thinking about automating a plant.

As security conversations inevitably begin, it’s clear some companies are running devices with very low-spec processors that aren’t powerful enough to run any security but still use Bluetooth. That is a bigger risk than an industrial PC that has the computing power to run security.

The key to helping people on the factory side of a company understand cyber security challenges, especially when bringing multiple data sets together, is helping them understand that actually, in many cases, the cloud is more secure.

Then, once they’ve understood that, it’s about giving them the tools to visualise and bring that data to life.

Hack and Craft’s client RS Components gives its customers an ‘education pack’ and information on the perceived additional risks associated with cyber security.

The company’s Richard Jeffers says that in a connected world, with all the risks that inherently exist in a factory today, the right architecture with cloud, edge and device can reduce a company’s inherent security risk, not increase it.

“It’s very easy to throw technology at a problem and go, ‘look at the shiny tech we’ve got’, you know, but actually if you don’t really understand the problem you’re trying to solve, then you can’t really deliver anything of value.”
Richard Jeffers, Technical Director, RS Components


The Edge versus Cloud

When it comes to the Edge versus Cloud discussion, policies are already defining that data does not go off site. Typically, data centres or banks, for example, have strict policies about data management, and the people who use the operational data may at times not have any control over this. An example of this would be a manufacturing company with numerous global sites that must follow standard policies.

This means a very different commercial strategy is required involving multiple stakeholders in making a value proposition clear.

Companies like Schneider Electric invest in “Cyber security embedded” within their design lifecycle so that internal standards apply to every piece of hardware that’s designed. Typically, an object or product that sends data out is designed with a push mechanism: it sends data but cannot receive commands.

The company’s Shashwat Khare says this means there are different levels of cyber security to be embedded that tests can be performed on.

The problem is whom do you speak to when you’re working in a B2B space? Traditionally it would be one person, now it’s important to prepare a really detailed proposal that satisfies four or five people.

So it becomes more than the technical solution about how to solve the cyber security issue, and becomes more about commercial deployment of a solution that involves the right stakeholders. That is a big change when dealing with the people side of security deployment.

So the secured development lifecycle is what Schneider is practising by building security into the development process rather than trying to bring it up to speed retrospectively, which can be difficult.

Shashwat shared with us that Schneider Electric recently put its in-house software on its relationship management portal. This contains a cyber security certificate which has to be signed before anything can go onto it.