We live in the internet era, and this means machines can talk to other machines.
In the past, if a machine on your shop-floor needed a spare part, or if a production process in your factory was approaching the end of component reserves stocked in your inventory, you had to contact a specific department or call someone at another company to get hold of it. Today the machine itself can directly order the supplies it needs, simply by talking to other machines in the value network that it is part of.
This interaction and automation is rewriting production process design, redefining supply-chain response requirements, and even changing business models. The cheap mass-produced product is now much less important. What counts is the complex, individualized product manufactured in lot size 1, and the services that enable its manufacture at close to mass-product price levels.
It’s the stage beyond the ‘smart factory’ in isolation. It’s the stage when value networks spanning entire industries take over. This is industry 4.0.
And I’m lucky enough to have a front row seat, as I represent Fujitsu as a member of the Platform Industry 4.0, a stakeholder group arranged by the German Ministry for Economic Affairs.
Our job is to think about how we can prepare for the onset of industry 4.0. I look into security in particular, as I sit on the working group for “Security of Networked Systems”.
In this blog post I’m going to tell you more about industry 4.0, and what it means for security.
Isolation is not the answer
The security question that Platform Industry 4.0 seeks to address is a very serious one.
Internet of things (IoT) technology has brought about many new aspects that didn’t exist in IT security before.
First, the IT on the shop floor is far less elaborate in its security than the technology found in the office. Now that machines on the production line are connected to the IoT, this is a problem. These machines must start “talking” to machines outside the usual office security domains, and this may open new vulnerabilities and create new attack vectors across the overall IT/OT security of manufacturing companies.
Currently, there are few set security standards required of connected manufacturing machinery. There should be a base level of security that all machines have in place if they want to connect to the wider network. This will protect these machines – which have the potential to be big targets for hackers and malicious individuals.
Interestingly, security is a bigger problem for smaller companies. The big companies – car manufacturers, chemical plants, etc – recognise that today’s world will bring them closer to suppliers than ever before, and they have the resources to prepare for this.
SMEs, however, do not have the same resources to support their IT departments. They tend to find their own way through the security issue by simply isolating their shop floor. In cutting it off from the rest of the network, they solve all the problems that might arise.
But this isn’t possible in industry 4.0. Small businesses will have to find a new way to protect their machines and systems – and our security working group is aiming to help with this.
Manufacturing is a risky business
Manufacturers who don’t change their approach to security in the wake of industry 4.0 are putting themselves at risk.
First, they risk losing their standing in the supply chain – especially if they are supplying to large OEM companies with short assembly timeframes.
Car manufacturers, for example, typically build a car in a day. This means a supplier has a window of only a few hours to provide the parts to go into the car. Modern high-end cars are a typical example of individualized products with an extremely complex variety of configuration options. In the hundreds of such cars that leave the factory on one day, you will hardly find 2 or even 3 that are totally identical. It would be impossible to store all required components for the day in huge inventories at the OEM. Suppliers must be integrated as if they were part of the same OEM.
If suppliers can’t use IoT to receive messages instantaneously and automatically from the OEM, they won’t be able to move quickly enough to meet the order. They’ll be out of the game.
Equally, big companies are only going to work with suppliers who have proven security credentials across their whole network. This means that SMEs need to demonstrate their ability to keep themselves secure to stay competitive.
On top of this, there is the core risk that businesses that lack strong security will be unable to defend themselves against hacking by malicious individuals.
Every company needs to prioritise the prevention of cyberattacks and industrial espionage. The threat is real, as I witnessed a few years ago at the Hannover Messe industrial trade show.
We built a ‘honey-pot’, which looked from the outside like a gate to a manufacturing company.
I expected that maybe there would be one attempt at hacking on the first day, maybe none on the second, and maybe two or even three on the third day.
The reality was a complete shock: we recorded thousands of attacks coming in. We did real-time statistics on the nature and origin of those attacks. As you might expect, many came from Asia, but the incoming attack traffic was truly international.
Thousands of attacks to date: many people who don’t specialise in the subject are unaware of the huge number of attack attempts that arrive over the internet. Many managers of shop-floor equipment may think that an observed machine failure was simply caused by wear or by some random internal influence. They may never become aware that such failure is in many cases caused by hostile external effort. It is often beyond imagination that this might happen to your company.
And new threats are emerging every day. In the working group that I am part of, we have just founded a sub-group under my leadership that will write a paper on the impact of artificial intelligence (AI) on industrial security. It will be published at the next Hannover Fair in April 2019. Of course, AI can help to recognize attackers and identify their actions – but unfortunately, the bad guys can also use AI, for instance to create tailored weapons to cheat the protection software that you might be using, since they can buy in the same markets as you do. AI in general and the relationship between AI and industrial security have been the leading topic at the 12th Digital Summit of the German Federal Government, which I was invited to attend this week. It is a big emerging security challenge.
The future of the manufacturing industry
There’s no doubt that security is a complicated question for the manufacturing industry.
Big and small businesses alike need to confront the revolutionary impact IoT will have on our shop floors and assembly lines.
It’s going to be a challenge, which is why I’m proud to be part of a group that is working for a solution.
In securing our factories, we’re also securing the future of our industry.