Industry 4.0 is an extremely interesting topic that, once achieved, will enable flexible production and reconfigurable plants. During the Security Symposium 2016, all keynotes and presentations agreed that the current industrial automation pyramid will transform into a mesh network (see Figure 1). This network will make it possible to reconfigure the installed plant services into new and novel ones. This will obviously speed up the product innovation and production cycle and increase the utilisation of manufacturing/production plants.
I enjoyed the keynotes and would like to highlight the vision presented by Mr. Roland Bent, CTO of Phoenix Contact, in which future manufacturing devices will be “just a box with an operating system” (see Figure 2) that executes “manufacturing apps”. This vision implies high agility in application deployment and an execution environment with strong built-in safety and security assurance.
There is a common understanding that the current integration of devices within the industrial automation pyramid follows the (implicit) slogan “system components, please be nice to each other”. A sweet matryoshka perfectly demonstrates the existence of different layers, starting from the CPU and devices, going through real-time operating systems, and finally reaching applications and integrated devices (see Figure 3).
Industry 4.0 will need a different concept, especially where new plant services will emerge via reconfiguration and software updates: you need a team of kick-ass matryoshka ninjas (see Figure 4). For example, a simple RTOS will not be sufficient; you will need a real-time, safe and secure hypervisor that also enables secure updates.
In Industry 4.0, every piece of a device or system has to contribute its piece of security and enforce its piece of the security policy. Only with security by design, i.e. security that is built right into the spine of the devices and systems, will Industry 4.0 be able to meet expectations.
This conference has also shown that the way to achieve security assurance for Industry 4.0 is via certification, but it is not yet clear that standards are needed. For network security, IEC 62443, which is still in development, is the main candidate. For business security, the 27k standards have been mentioned. For devices, different approaches based on Common Criteria (also known as ISO/IEC 15408) have been presented. Thus, it seems that Common Criteria is so far a common base for many security topics.