European companies can learn how to implement deep security from the factory floor to the cloud through the “Cyber Security Design Principles” policy paper. (Picture: screenshot of the Open Industry 4.0 Alliance website)

The Open Industry 4.0 Alliance has published a strategic paper on “Cyber Security Design Principles” for industrial plants. The paper shows which ISO/IEC cyber security standards it incorporates and which practices of other bodies and alliances the association relies on.

Blackmail, sabotage and industrial espionage are the main motivations for attacks on companies and their infrastructure. Cyber attacks on production facilities that bring production to a standstill therefore hit companies where it hurts most. The industry is in a dilemma: on the one hand, the digital transformation requires opening up production and IT systems; on the other hand, there is a lack of knowledge and practice in implementing the standards and routines needed to appropriately protect assets that are now reachable via the Internet. A 2020 study by KPMG (in German) shows that only a quarter of the 16,000 companies surveyed worldwide actively defend their industrial control systems. Moreover, 58 percent of companies said they lacked in-house security expertise. A strategy paper from the Open Industry 4.0 Alliance addresses the ISO/IEC standards on cyber security as well as the measures that groups such as the Cloud Security Alliance, FIRST, MITRE or OWASP are taking in connection with cyber security.

“Since the release of Stuxnet in 2010 and the subsequent attacks on production facilities and component manufacturers in the recent past, it is clear that we will not be able to get by in the future without solidly securing industrial facilities.”
Matthias Schmidt, Open Industry 4.0 Alliance

“In the Open Industry 4.0 Alliance, we are now providing members with a strategy on how they can implement the existing security standards. In doing so, we bring ISO/IEC standards, MITRE’s lists of common weaknesses, recommendations from the Cloud Security Alliance or OWASP on cloud and app security, and the FIRST Forum into a strategic framework,” explains Matthias Schmidt, Co-Lead of the Technical Committee Cyber Security of the Open Industry 4.0 Alliance and Product Manager Industrial Security at ifm solutions.

Security for the operational technology of industrial plants

“The Alliance defines four layers, two each on the factory floor and in the cloud,” explains Dr. Stephan Theis, Co-Lead Cyber Security Group of the Open Industry 4.0 Alliance and Managing Director of nekst one GmbH. “Cyber security takes place in all layers. A pure software application based on a container, for example, cannot contain or guarantee security functionalities of the layers below and above it. The Full Stack Secure Solution Architecture we have defined therefore encompasses all layers, starting with edge computing and connectivity on the factory floor and extending to the cloud with the Open Operator Cloud Platform and Common Cloud Central.”
“By means of this approach, Alliance members get a sound and solid basis to systematically implement and offer the ‘Security by Design’ principle in their products and solutions.”
Dr. Stephan Theis, Co-Lead Cyber Security Group of the Open Industry 4.0 Alliance
Where IT is already struggling to keep up with cyber security developments, companies seem overwhelmed by operational technology (OT) and industrial control system (ICS) security. The Open Industry 4.0 Alliance whitepaper on “Industrial Cyber Security Design Principles” is organized into the following content:
  • Roles of stakeholders such as providers of apps, connectivity and other technology, as well as manufacturers, system integrators and finally end users and service providers
  • Security by Design across all layers with the Full Stack Secure Solution Architecture
  • A table of the integrated standards and best practices of other cyber security organizations
  • A structuring of the security compliance requirements across the four layers of the Alliance, from the edge to the cloud

The strategy paper can be downloaded from the pages of the Open Industry 4.0 Alliance.