VDMA
Developing machines safely - right from the start
By systematically considering security throughout the entire development process of machines and systems, it is possible to ensure that vulnerabilities in products are minimized despite the large number of new functions and technologies. The implementation.
© Adobe Stock / Nmedia

Digitalization is in full swing in mechanical and plant engineering. Machines are increasingly networked with each other and with digital services, and are becoming part of the Industrial Internet of Things. Machines are no longer closed systems; they have interfaces that can be accessed externally, and therefore from anywhere in the world. As a result, they offer the functionality customers expect today, but at the same time open up the possibility of cyber attacks, ranging from spying on sensitive data to obtain secret product and production knowledge to manipulating and disrupting operations. In addition, security vulnerabilities can also impair functional safety, because with networked systems there is no longer any safety without security!
Security - often still neglected
While the safeguarding of functional safety is well established, attack security, i.e. protection against cyber attacks, is still often neglected today despite the IT security standard IEC 62443 for 'Industrial Automation and Control Systems'. If it is examined at all, this happens only very late in the development process, for example through penetration tests. If security vulnerabilities are identified at that stage, remedying them by integrating protective measures after the fact is very time-consuming and cost-intensive.
For secure (IT/OT) systems, security - as also required by IEC 62443 - must be considered 'by design' over the entire life cycle, from the start of development through to continuous operation. However, manufacturers and integrators often lack the necessary expertise for this: the responsible product developers and designers frequently do not have sufficient security knowledge, and security experts are in short supply. According to the VDMA study 'Industrial Security 2019', security incidents are already causing capital losses (50%), production downtime (31%) or quality losses (19%) at the companies surveyed. It is therefore not surprising that customers are increasingly demanding the fulfillment of security requirements in their purchasing conditions. Improving the level of knowledge of product developers and designers with regard to security by design can therefore become another decisive competitive advantage for the German mechanical and plant engineering industry.
Security as part of the entire product life cycle
A typical development process that has been supplemented in the individual phases with protective measures in the sense of security by design - starting with threat and risk analysis, through secure design, code reviews and hardening, to secure operation.
© Fraunhofer IEM

The principle of security by design essentially involves considering security throughout the entire development process. Security-enhancing measures are implemented in all phases of development in order to create a product that is as secure as possible.
Requirements for the product to be developed are recorded at the start of development. Even in this early phase, the consideration of security is an integral part of the development process in order to lay the foundation for a solid security concept. The first step is to identify the assets of the system that are worth protecting. Assets include hardware and software components as well as data and programs that represent a high business value.
In a second step, a threat analysis is used to systematically identify threats to the assets. For each asset, it is first assessed which of the three classic protection goals - confidentiality, integrity and availability - and which of the so-called 'Triple A' protection goals - authentication, authorization and accountability - must be met. Threats to the product and its assets are then derived from these protection goals.
The results of the threat analysis in turn provide important findings for carrying out a risk analysis. This forms an integral part of a cyber security management system based on IEC 62443 and enables the assessment of risks at design level in this phase. Risk is defined as the combination of possible threats, vulnerabilities and their effects. The risk is determined qualitatively. In accordance with IEC 62443, the risk analysis process is also used to define appropriate security levels. These range from no special protection (SL-0) to protection against deliberate breaches with simple means (SL-2) to protection against targeted attacks with high resource requirements (SL-4). However, a risk analysis not only provides information on the security classification of systems and their components, but also information on the necessary use of countermeasures that can be considered in the secure design.
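The asset, threat and risk steps described above can be kept in a small machine-readable register, which also makes it easy to see which protection goals have not yet been analysed. The following Python script is an added example and is not part of the article or of any VDMA or Fraunhofer material: the assets and threats for the fictitious packaging machine, the qualitative risk matrix and the mapping from the worst risk in a zone to a target security level (SL-T) are all constructed assumptions. Only the meaning of the security levels follows IEC 62443 as the article describes them; which risk leads to which SL is a decision each risk analysis has to make for itself.

```python
"""Qualitative threat and risk register for one machine.
Constructed example: assets, threats, risk matrix and risk -> SL mapping are assumptions."""
from dataclasses import dataclass

# Protection goals named in the article: the classic CIA triad and the 'Triple A' goals.
CIA = ("confidentiality", "integrity", "availability")
AAA = ("authentication", "authorization", "accountability")
GOALS = set(CIA + AAA)
SCALE = ("low", "medium", "high")                 # qualitative scale for likelihood and impact
RISK_ORDER = ("low", "medium", "high", "critical")

# Qualitative risk matrix: (likelihood, impact) -> risk. Constructed scale, not taken from IEC 62443.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "critical",
}

# Assumed policy mapping the worst risk in a zone to a target security level (SL-T).
# SL meanings are those of IEC 62443 (SL-0 no special protection ... SL-4 targeted attacks
# with high resources); the choice of which risk leads to which SL is an assumption here.
RISK_TO_SL = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Asset:
    name: str
    zone: str
    goals: set          # the protection goals that must hold for this asset

    def __post_init__(self):
        unknown = self.goals - GOALS
        if unknown:
            raise ValueError(f"unknown protection goals for {self.name}: {unknown}")


@dataclass
class Threat:
    asset: str
    violates: str       # the protection goal this threat would break
    description: str
    likelihood: str
    impact: str

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"likelihood/impact must be one of {SCALE}")

    def risk(self) -> str:
        return RISK_MATRIX[(self.likelihood, self.impact)]


def coverage_gaps(assets, threats):
    """(asset, goal) pairs that must hold but have no threat recorded against them.
    A gap means the threat analysis is incomplete, not that the asset is safe."""
    covered = {(t.asset, t.violates) for t in threats}
    return sorted((a.name, g) for a in assets for g in a.goals if (a.name, g) not in covered)


def target_security_levels(assets, threats):
    """SL-T per zone, derived from the highest risk against any asset in that zone.
    Zones whose assets have no recorded threat yet get SL-0 so the gap stays visible."""
    zone_of = {a.name: a.zone for a in assets}
    worst = {}
    for t in threats:
        zone = zone_of[t.asset]
        if zone not in worst or RISK_ORDER.index(t.risk()) > RISK_ORDER.index(worst[zone]):
            worst[zone] = t.risk()
    levels = {zone: RISK_TO_SL[risk] for zone, risk in worst.items()}
    for a in assets:
        levels.setdefault(a.zone, 0)
    return levels


# Constructed register for a fictitious packaging machine.
ASSETS = [
    Asset("PLC program", "cell", {"integrity", "availability", "authorization"}),
    Asset("HMI panel", "cell", {"authentication", "availability"}),
    Asset("Recipe database", "supervision", {"confidentiality", "integrity", "accountability"}),
    Asset("ERP order interface", "enterprise", {"integrity"}),
]
THREATS = [
    Threat("PLC program", "integrity", "control logic altered via unprotected engineering port", "medium", "high"),
    Threat("HMI panel", "availability", "panel made unresponsive by malformed network traffic", "medium", "medium"),
    Threat("Recipe database", "confidentiality", "recipes exported using weak default credentials", "low", "high"),
    Threat("Recipe database", "accountability", "recipe changes leave no audit trail", "high", "low"),
]

if __name__ == "__main__":
    for t in THREATS:
        print(f"{t.risk():8} {t.asset}: {t.description}")
    print("gaps:", coverage_gaps(ASSETS, THREATS))
    print("SL-T:", target_security_levels(ASSETS, THREATS))
```

Two design points matter in practice: `coverage_gaps` reports every required protection goal that nobody has written a threat against, because an empty row in a threat analysis is far more often a forgotten analysis than a safe asset; and zones without any recorded threat are deliberately reported as SL-0 rather than omitted, so that the gap has to be closed explicitly.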
The 'Defense in Depth' approach
An exemplary training setup for practical training. The demo setup contains typical automation components and is used as a practical example in the individual phases of the development process as part of the training.
© VDMA

In the second phase of development - the design - a concept is created based on the functional and security-related requirements, taking into account both the hardware and the software. An important principle in the creation of a secure design is 'Defense in Depth'. This involves integrating several protection mechanisms into the product with the aim of creating sufficient redundancy in the event that a protection mechanism fails or is bypassed by an attacker. This significantly increases the effort required to successfully attack a product.
One example of such a protection mechanism is the use of network segmentation in system design. The network is first separated into its essential areas (zones) and possible communication relationships and connections (conduits) are identified. On this basis, security levels and requirements can be assigned to the zones and conduits within the risk analysis. Zones with different security levels can then be separated from each other, for example by means of a corresponding network infrastructure such as firewalls. This approach enables the efficient use of security functions at precisely those points where they make the most sense. In line with the 'defense in depth' approach, this procedure also helps to deal with possible attacks, for example by slowing down or even preventing the simple spread of an attack.
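The zone and conduit model from the design is only useful if the firewall rules written later actually match it. The following Python script is an added example, not part of the article or of any VDMA or Fraunhofer material, and checks a proposed set of permit rules against the declared zones and conduits. The zone names, their SL-T values, the conduits and the rule set are all constructed assumptions.

```python
"""Zones and conduits from the system design, checked against the flows a firewall is asked to permit.
Constructed example: zone names, SL-T values, conduits and rules are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int      # SL-T assigned to the zone in the risk analysis (0..4)


@dataclass(frozen=True)
class Conduit:
    src: str            # source zone
    dst: str            # destination zone
    protocol: str
    port: int


@dataclass(frozen=True)
class Flow:
    """A permit rule as it would be written into the firewall between two zones."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int


def validate_flows(zones, conduits, flows):
    """Return (finding, flow) pairs in the order the flows were given.
    - 'unknown-zone': the rule refers to a zone that is not in the design.
    - 'undeclared-flow': no conduit in the design allows this communication; either the
      design or the rule is wrong, and the rule must not ship until that is resolved.
    - 'upward-flow-review': the flow enters a zone with a higher SL-T than its source. It is
      covered by a conduit, but that conduit carries the higher zone's requirements, so the
      protection applied on it (filtering, authentication, logging) must be reviewed."""
    zone_by_name = {z.name: z for z in zones}
    declared = {(c.src, c.dst, c.protocol, c.port) for c in conduits}
    findings = []
    for f in flows:
        if f.src_zone not in zone_by_name or f.dst_zone not in zone_by_name:
            findings.append(("unknown-zone", f))
            continue
        if (f.src_zone, f.dst_zone, f.protocol, f.port) not in declared:
            findings.append(("undeclared-flow", f))
            continue
        if zone_by_name[f.src_zone].sl_target < zone_by_name[f.dst_zone].sl_target:
            findings.append(("upward-flow-review", f))
    return findings


def unused_conduits(conduits, flows):
    """Conduits in the design that no firewall rule implements: either the design carries a
    communication path nobody needs (remove it) or the rule set is incomplete."""
    implemented = {(f.src_zone, f.dst_zone, f.protocol, f.port) for f in flows}
    return [c for c in conduits if (c.src, c.dst, c.protocol, c.port) not in implemented]


# Constructed design: three zones with SL-T values from a fictitious risk analysis.
ZONES = [Zone("enterprise", 1), Zone("supervision", 2), Zone("cell", 3)]
CONDUITS = [
    Conduit("enterprise", "supervision", "https", 443),   # order data from ERP
    Conduit("supervision", "cell", "opcua", 4840),        # recipe download to the PLC
    Conduit("cell", "supervision", "opcua", 4840),        # process values back to SCADA
    Conduit("supervision", "enterprise", "https", 443),   # production reports
]
# Constructed rule set handed to the firewall administrator.
FLOWS = [
    Flow("enterprise", "supervision", "https", 443),
    Flow("supervision", "cell", "opcua", 4840),
    Flow("cell", "supervision", "opcua", 4840),
    Flow("enterprise", "cell", "ssh", 22),                # convenience access not in the design
    Flow("vendor", "cell", "https", 443),                 # zone nobody defined
]

if __name__ == "__main__":
    for finding, flow in validate_flows(ZONES, CONDUITS, FLOWS):
        print(f"{finding:20} {flow.src_zone} -> {flow.dst_zone} {flow.protocol}/{flow.port}")
    print("unused conduits:", unused_conduits(CONDUITS, FLOWS))
```

The check deliberately treats an undeclared flow and an unknown zone as blocking findings, while a declared flow into a higher-SL zone is only flagged for review: such conduits are legitimate, but they are exactly the places where the defence-in-depth measures have to sit.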
Product realization
Dr. Christian Haas heads the 'Secure Networked Systems' group at Fraunhofer IOSB.
© Fraunhofer IOSB

In the third phase of development, realization, the product is implemented on the basis of the concept. Designers and developers must constantly be aware that even small deviations from the concept can lead to weak points in the product. In addition, studies have shown that the same types of mistakes are often made during the realization of development projects - across all industries. Developers should therefore receive regular training, and procedural measures should be introduced to help developers make as few mistakes as possible.
One effective measure is the code review. For this purpose, the developed program is reviewed by several developers using a defined checklist, allowing weak points to be discovered and rectified at an early stage. As the code review is very complex and therefore time-consuming, particularly critical parts of a program should be examined with priority. In addition, static analysis tools should be used to automatically analyze the entire program for potential vulnerabilities. The potential vulnerabilities found in this way should be checked regularly by the developers and rectified if real errors are identified.
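Static analysis findings only help if developers actually look at them regularly, which in practice means the tool output must be triaged: findings already judged to be false positives should not reappear in every review, findings in critical code should come first, and a finding that was once fixed and comes back is a regression. The following Python script is an added example, not from the article or from any real analysis tool; it scans two constructed C snippets for functions on a (hypothetical) review checklist and filters the results against a reviewer baseline. Findings are fingerprinted by file, rule and code line rather than by line number, so editing unrelated code does not turn known findings into new ones.

```python
"""Static-analysis triage: scan constructed C code for checklist functions and filter the
findings against a reviewer baseline so only new or regressed findings reach the code review."""
import hashlib
import re

# Constructed C sources (not a real project) that deliberately contain checklist hits.
SOURCE_FILES = {
    "src/net/parser.c": """
#include <string.h>
void parse(char *in) {
    char buf[32];
    strcpy(buf, in);            /* checklist hit: unbounded copy */
    // strcpy(buf, legacy);     commented out, must not be reported
}
""",
    "src/ui/menu.c": """
#include <stdio.h>
int show(char *line, const char *fmt) {
    sprintf(line, fmt);
    return 0;
}
""",
}

# Hypothetical review checklist: function name -> why it is on the list.
CHECKLIST = {"strcpy": "unbounded copy", "sprintf": "unbounded formatted write", "gets": "unbounded read"}
# Externally reachable code is reviewed first (assumed project layout).
CRITICAL_PREFIXES = ("src/net/",)

CALL_RE = re.compile(r"\b(" + "|".join(CHECKLIST) + r")\s*\(")


def scan(files):
    """Return findings sorted so that critical code comes first."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            code = line.split("//", 1)[0]   # drop line comments (simplification: no block-comment tracking)
            for m in CALL_RE.finditer(code):
                findings.append({
                    "file": path, "line": lineno, "rule": m.group(1),
                    "why": CHECKLIST[m.group(1)], "snippet": code.strip(),
                    "priority": 1 if path.startswith(CRITICAL_PREFIXES) else 2,
                })
    return sorted(findings, key=lambda f: (f["priority"], f["file"], f["line"]))


def fingerprint(finding):
    """Stable identity of a finding: file, rule and the code line itself, but not the line number."""
    raw = f"{finding['file']}|{finding['rule']}|{finding['snippet']}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def triage(findings, baseline):
    """baseline maps fingerprint -> 'false_positive' or 'fixed' (decided in earlier reviews).
    False positives are dropped; a 'fixed' finding that reappears is a regression and is
    pushed to the front with priority 0."""
    out = []
    for f in findings:
        status = baseline.get(fingerprint(f))
        if status == "false_positive":
            continue
        if status == "fixed":
            f = dict(f, priority=0, note="regression")
        out.append(f)
    return sorted(out, key=lambda f: (f["priority"], f["file"], f["line"]))


if __name__ == "__main__":
    for f in triage(scan(SOURCE_FILES), {}):
        print(f"P{f['priority']} {f['file']}:{f['line']} {f['rule']} ({f['why']}): {f['snippet']}")
```

The baseline would normally live in the repository next to the code, so that a reviewer's decision ("false positive, here is why") is versioned together with the line it applies to.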
The release or commissioning of a product also plays an important role in the principle of security by design. Time and again, products are found to be operated in insecure states with protective functions explicitly deactivated - for example, because products are delivered in development mode. Maintaining security features during operation must therefore be a goal. One way to achieve this is targeted system hardening: systems are configured so that only necessary services are activated or available at all, and all protective functions are switched on, in order to minimize the potential attack surface. There is a wide range of guidance available for these 'secure' configurations - ranging from government guidelines (e.g. from the BSI), standards and norms to the specifications of component manufacturers. The secure integration and delivery of the products should be part of the security concept and must be ensured. This explicitly includes documenting these specifications for the operator.
During the operation of the product, vulnerabilities may become known for self-developed parts of the product or for purchased components used in it. In either case, the manufacturer must assess the severity of the vulnerability and plan, implement and distribute countermeasures to the customers who are using the affected products. At this point, it pays off if a concept for installing security updates in the field was drawn up during development. In order to be optimally prepared for this emergency, it is therefore important to draw up a plan in advance for the correct handling of vulnerabilities. Typically, a so-called 'Product Security Incident Response Team' (PSIRT) is established in the company for this purpose, which takes care of the precautionary planning and, in an emergency, the coordination of the above-mentioned activities, and thus maintains secure operations.
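The hardening rule from the release step above - only necessary services, all protective functions active, no development mode - can be checked automatically before a device leaves the factory. The following Python script is an added example and not part of the article or of any real product: the configuration format, the option names, the two sample configurations and the list of required services are all constructed assumptions. It shows a configuration as it might come out of development next to its hardened counterpart, and an audit that reports every deviation; options that are missing entirely are treated as their insecure default so that a dropped setting cannot pass silently.

```python
"""Delivery-state hardening check for a constructed device configuration.
Constructed example: format, option names, required-service list and both configurations are assumptions."""
import configparser

# Services the product needs in productive operation; anything else that is enabled is a finding.
REQUIRED_SERVICES = {"opcua", "https"}

# Configuration as it came out of development (constructed).
DELIVERED_CONFIG = """
[system]
development_mode = true
firmware_signature_check = false
default_password_changed = false
audit_log = off

[services]
opcua = enabled
https = enabled
telnet = enabled
ftp = enabled
debug_console = enabled
"""

# The same device after hardening for delivery (constructed).
HARDENED_CONFIG = """
[system]
development_mode = false
firmware_signature_check = true
default_password_changed = true
audit_log = on

[services]
opcua = enabled
https = enabled
telnet = disabled
ftp = disabled
debug_console = disabled
"""


def audit(config_text):
    """Return a list of findings; an empty list means the configuration passes.
    Missing options count as the insecure default, so a silently dropped setting is still reported."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    findings = []
    # Protective functions that must be active in the delivered state.
    if cp.getboolean("system", "development_mode", fallback=True):
        findings.append("development_mode is enabled")
    if not cp.getboolean("system", "firmware_signature_check", fallback=False):
        findings.append("firmware_signature_check is disabled")
    if not cp.getboolean("system", "default_password_changed", fallback=False):
        findings.append("default password has not been changed")
    if not cp.getboolean("system", "audit_log", fallback=False):
        findings.append("audit_log is off")
    # Attack surface: only the services the product needs may be reachable.
    services = cp["services"] if cp.has_section("services") else {}
    enabled = {name for name, value in services.items() if value.strip().lower() == "enabled"}
    for name in sorted(enabled - REQUIRED_SERVICES):
        findings.append(f"unnecessary service enabled: {name}")
    for name in sorted(REQUIRED_SERVICES - enabled):
        findings.append(f"required service disabled: {name}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("delivered", DELIVERED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{label}: {'PASS' if not result else 'FAIL'}")
        for line in result:
            print("  -", line)
```

The finding list, together with the guidance it was derived from, is also what the article asks to be documented for the operator: a delivered device should come with a statement of which services are active and which protective functions were verified before shipment.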
Well trained
By systematically considering security throughout the entire development process, it is possible to ensure that vulnerabilities in products are minimized, even with increasing complexity due to new functions and technologies. However, implementing the principle of 'security by design' requires trained and educated employees who have understood this principle and can apply it in their areas of responsibility.
For this reason, the Fraunhofer IEM and the Fraunhofer IOSB, in close cooperation with the VDMA Industrial Security Working Group and the Mechanical Engineering Institute, have designed a seminar on 'Security by Design - developing machines securely right from the start' and have already successfully tested it in a pilot training course. The aim of the seminar is to transfer the necessary know-how into broad industrial practice. In order to convey the learning content in a practical way, the individual topic blocks are deepened by means of exercises in small groups and illustrated using the training demonstrator. This ensures that training participants are well prepared for the challenges of digitalization and know how to develop IEC 62443-compliant products.
Information on the content and dates can be found here.