Since April 2015, the German Federal Ministry of Economic Affairs and Energy (BMWi) and the Ministry of Education and Research (BMBF) have jointly led the Plattform Industrie 4.0 stakeholder group. This group brings together industry associations, industrial companies, labor unions, government offices and other representatives of German society. Its aim is to ensure that this country is well positioned to overcome the challenges of industrial digitalization and to be on the winning side of the fourth industrial revolution. Membership of the Plattform Industrie 4.0 group is by invitation only. Fujitsu is a member, and I represent the company within the group. We have been asked to contribute to the working group that is investigating security in networked systems.
There has been much fanfare about the Internet of Things and the emergence of Industry 4.0. The focus has generally been on the wealth of data generated by multiple networked objects, and the opportunities this presents for increasing the efficiency of business processes and for creating potentially disruptive new business models. Less frequently discussed is the fundamental shift that will be needed in how data flows both inside and outside a business, and the corresponding increase in authentication measures, to make Industry 4.0 a reality. Experts regard weak security, particularly within small and medium-sized enterprises, as a major obstacle to the fast and widespread adoption of industrial digitization.
Currently, in what is known as Industry 3.0, people, data processes and machines interact within an organization through traditional, defined channels. Products themselves play a passive role and there is only limited data exchanged with external organizations. In fact, the focus is predominantly on establishing a secure perimeter to protect internal company networks from external threats.
In Industry 4.0, the secure exchange of information between a company and external organizations is essential as players interconnect in complex, trust-based networks. And communication won’t be limited to the interaction between individuals, software processes and machines – many other entities will start to interact, such as replaceable machine components, and digital images of machines, components or products.
Establishing identities is therefore a crucial starting point for all Industry 4.0 communications. Whereas in Industry 3.0 trust has been an important foundation for doing business, in Industry 4.0 it is absolutely essential. This is particularly true because legally binding communications will be executed, for instance as part of a procurement or logistics process. In contract negotiations, too, it will be important to confirm not just identity but also relevant information such as credit ratings before some transactions can be performed. The same applies in the machine-to-machine space, where information from certain sensors must only be transmitted to specific machines.
Manufacturers, integrators and asset owners need to establish identities for processes such as authenticating spare parts or components, conducting remote maintenance, quality assurance, product inventory and traceability, to name but a few.
This does of course require different levels of identity depending on the task at hand. A simple identity might be sufficient to ensure that only a specific product class is deployed, and in this case many things might have the same identity. If it is important to determine, for example, exactly which machine performed a certain task at a specific time, then a unique identity is required. And if protection against forgery, theft and/or misuse is required, a secure identity should be chosen. It is also worth noting that secure identities and unique identities differ in how they are authenticated, and that time can influence an identity, for example when it is designed to provide access to a resource for a limited time only.
While the ability to establish secure communication that extends beyond a company’s own network and into its value chain is crucial to the success of Industry 4.0, there currently is no suitable model to deliver this. We as an industry need to find a way to deliver the appropriate level of robustness, independence and technical standards. Certification authorities must also figure out how to prevent a single compromised authority from becoming an issue for all interlinked entities. It is possible that the methods currently being deployed by mobile communications providers to manage identity and roaming could form the basis of a new identity concept.
Far to go
It is clear that we as an industry have a long way to go. Currently, secure identities are generally not an integral part of a company’s systems; rather, they tend to be supplemental, in the form of dongles or software/hardware tokens. We also seldom coordinate authority between operations and technology functions within organizations – generally, these disciplines are kept entirely separate.
When it comes to secure identities, those we use are predominantly at the user level, for example to access remote maintenance, for licensing mechanisms and in the office domain for encrypting e-mail. Small and medium-sized enterprises in particular have a great deal of catching up to do with regard to security in general and secure identities in particular. Many companies do not have a security infrastructure in place and most lack the organizational processes – such as a public key infrastructure (PKI) – required to implement a secure identity management system.
As we have seen in the analysis of Industry 4.0 deployments so far (see: The current status of Industry 4.0 in Germany – the perhaps painful truth?), the transition presents significant opportunities for those companies that take the leap to embrace the possibilities of digital transformation. Conversely, those that wait too long to transition could lose out to more ambitious rivals. For those companies, large and small, that are serious about embracing the possibilities of digitization, we believe that this is the time to start reexamining their security strategies and planning for an identity-based future.
The full paper, published by the Plattform Industrie 4.0 working group 3, in which my colleague Thomas Walloschke and I participated, is available as a free download. We are proud to have been able to represent Fujitsu and to collaborate with this team of distinguished security experts.