Doing Secure Digital Business

Industry 4.0

Industry 4.0 – Securely Networked

Cloud Computing, Industry 4.0, Smart Data, the Internet of Things and Services – the digital transformation of the economy is already underway. But being able to leverage the economic potential of this development means not only maintaining full control over data, but also having access to secure and reliable communication systems.

The digital transformation of production represents enormous opportunities, especially for Germany as one of the world's most important industrialized nations, and the corporate sector is aware of the fact. Industry 4.0 applications such as sensor technology solutions, cyber-physical systems and exchanging planning data with suppliers and customers are already establishing themselves. By 2020 German business plans to invest €40 billion per year in digital production applications, according to a study by consulting firm PricewaterhouseCoopers. Two thirds of the companies surveyed are already actively working on the digitalization and networking of their value creation chains.

However, this also means rising demands on security. Modern production facilities are already networked with one another today. In the course of developments related to Industry 4.0, production networks are increasingly becoming corporate networks or even networks including external companies. This generates new opportunities for attacking industrial facilities. In addition to viruses and Trojan horses, custom-tailored malware poses a further threat to production systems linked via the Internet. Such attacks can steal system parameters, take over control of machines, manipulate control units and interrupt processes.

That such concerns are already relevant, and not just dark visions of the future, was demonstrated all too dramatically by the computer worm Stuxnet, which was developed specifically to attack industrial facilities. The security report of the German Federal Office for Information Security (BSI) also contains examples of just how dangerous attacks on production facilities can be. For example, hackers succeeded in gaining control of a blast furnace in a steel plant. The result: it was no longer possible to shut down the blast furnace, and the entire plant was damaged.

Project Examples

IT security lab 

Sophisticated network technologies and effective inspection methods are needed in order to detect and reliably close security gaps. The Fraunhofer Institute of Optronics, System Technologies and Image Exploitation (IOSB) in Karlsruhe offers a secure test environment for the simulation of potential attacks on production networks in an IT security lab specially equipped with production and automation technologies. This makes it possible to investigate the consequences, then to develop appropriate strategies and derive suitable defensive measures.

Furthermore, researchers can also evaluate the security functions of conventional communications standards and protocols for industrial automation systems. The IT security lab has its own model factory with real automation components that control a simulated production facility complete with conveyor belts, electric motors, robots and lifting equipment. All network levels of a production facility are present with the typical components including firewalls, circuits and wireless components. The researchers at the IOSB have their own private cloud which lets them flexibly set up various configurations and deploy the model factory for a wide variety of scenarios.

Security Solutions for Industrial Automation

Fraunhofer scientists are already working on concrete solutions for making Industry 4.0 more secure. For example, experts from the Fraunhofer Institute for Applied and Integrated Security (AISEC) in Munich are working together with their colleagues at Infineon Technologies on a concept that protects industrial control systems based on programmable logic controllers (PLCs) from unauthorized access and manipulation. The solution consists of anchors of trust, security chips from Infineon's OPTIGA™ Trust product family and auxiliary software. The chips only grant components or machines access to the system when they can be uniquely identified and verified as trustworthy. Counterfeit replacement parts and prohibited repair tools are identified and rejected. The solution also protects against manipulation by malware, incorrect software updates and data theft. The chips encrypt sensitive data, protecting PLC programming and thus valuable intellectual property and process knowledge from theft.

Modular System for Industrial IT Security

Researchers at the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt created the hardware-based solution "Trusted Production Platform as a Service" to improve protection of industrial facilities and IT components. The solution makes it possible to secure and monitor industrial IT networks, production data and processes on a modular basis. The security of industrial IT networks is ensured by the "Trusted Core Network" (TCN). The TCN is based on a peer-to-peer infrastructure capable of verifying the identity and state of network nodes. If a given node deviates from the defined target status, the system issues an alarm and excludes manipulated network nodes from communication. The TCN uses the standardized Trusted Platform Module (TPM) as its anchor of trust, making it possible to reliably check device status and identity. A TPM containing information on permitted software and other relevant parts of the configuration is located on each device. Using this data, routers can check all the devices in their vicinity.

The Trusted Production Platform also has a digital rights management function (Industrial Rights Management, IRM) to protect valuable production data. This also makes it possible to encrypt production information as soon as it is generated. Rights management handles all the important parameters of the order and makes sure that data decoding and production only take place on the intended machines.

All these security mechanisms are based on technologies for establishing device identities as well as for guaranteeing device integrity. The next generation of hardware components for securing identity and integrity will hit the market next year as the Trusted Platform Module (TPM) 2.0. In combination with the "TPM Development Tools", the SIT "TPM Software Stack 2.0" represents one of the first implementations of the associated software and middleware and thus forms an integrated framework for development of innovative solutions.

Security for networks of the future – SENS (Security-Enhanced Networks)

The corporate networks of the future will also require new security solutions, since more and more companies are using Software Defined Networking (SDN) to flexibly manage their computer networks. SDN makes it possible to centrally control routers, switches and firewall components, saving both time and money. The disadvantage: this makes the centrally positioned controller level an attractive target for hacker attacks. Experts at AISEC developed the visualization software "SENS" in order to be able to check the security of SDN networks. The program analyzes the communication between controllers and applications in real time.

OrchSec – Security by SDN - Software-Defined Networking

In order to make modern networks even more secure, the SIT created the SDN-based security solution "OrchSec", which is capable of automatically detecting and defending against network attacks. The solution uses the advantages of SDN by putting a special protection and orchestration layer over the layer containing the network hardware and user data (Data Plane) and the control layer of the SDN controller (Control Plane). The experts at SIT have already realized a successful prototype of the solution. Among other things, the system detects and defends against "ARP spoofing", in which hackers attempt to take over third-party addresses and then divert and intercept data traffic, as well as various types of Denial of Service (DoS) attacks, which attempt to overload network components. In addition, a programming interface makes it possible to extend "OrchSec" with any desired number of other security and management functions.

Industrial Data Space – Maintaining control over data

"In an increasingly digitalized world, data security and control over data are of existential importance to companies," says Fraunhofer President Professor Reimund Neugebauer. This is why Fraunhofer intends to join forces with business and the German federal government to create an internationally open and nevertheless secure data space, the Industrial Data Space. "Companies need this kind of protected space in which they can share and exchange data with one another according to rules they define themselves without losing control over their information in the process," explains Professor Boris Otto, who coordinates the project involving twelve Fraunhofer Institutes. Based on a federal data management concept, the Industrial Data Space will enable secure exchange of data along the entire "Data Supply Chain" as well as the simple combination of internal data with public information, for example data on weather, traffic or geo-data. Another focal point is protection of trust, realized through certification of participants, data sources and data services.

In a future digital economy, data will be just as important as capital, manpower or raw materials. Data make the development of innovative products, services, processes and forms of work organization possible. For example, information on health insurance carriers, patients and vendors of pharmaceutical products can help bring more effective and more individual medications and treatment concepts to the market. Here, however, the companies and patients involved have to remain in control of their data at all times. "The Industrial Data Space helps leverage these innovation potentials and provides fundamental services for trust-based data handling, for example the anonymization of information, integration services and the implementation of expiration dates for the use of the data in question," Otto explains.

Fraunhofer is working closely with the political and business sectors on the project. The German Federal Ministry of Education and Research (BMBF) is supporting a research project on the Industrial Data Space with a sum of approximately five million euros. In addition, the Fraunhofer-Gesellschaft, 16 business enterprises and the ZVEI have founded a non-profit association for the Industrial Data Space in Berlin. Its task is to connect science and business for the sake of sustainable solutions, to participate in designing the architecture of the Industrial Data Space, and to be a central body for cooperation with related initiatives.