Safety & Security
Two sides of the same coin
In the future, safety must ensure both the protection of people and machines as well as the necessary flexibility and availability in the smart factory. This requires a holistic approach to safety and security.
Digital data and its efficient exchange will define the production process in the future. The degree of networking is increasing and is the benchmark for productivity in factories. When everything communicates decentrally with everything else, the need for secure communication increases. This includes aspects of machine safety as well as the requirements of operational safety (security).
The world of automation is merging with the world of IT. The new protection goals include, for example, the protection of production data, product and counterfeit protection, know-how protection, access and integrity protection, and secure remote maintenance.
The term safety initially refers to the functional safety of machines or, to put it another way, the protection of people and the environment from threats that can emanate from machines. Safety requires that residual risks emanating from a machine or system do not exceed acceptable values. One option is to immediately interrupt the power supply and bring the machine to a hard stop if the worst comes to the worst. This is traditionally achieved by means of special safety wiring and components such as safety relays. As this approach is very hardware-related and therefore static, it is not very suitable for intelligent manufacturing processes in which the layout of the systems has to be changed repeatedly. Such a 'hard' shutdown is usually associated with additional disadvantages, be it a loss of productivity, longer downtimes due to more complex restart procedures, or a restriction of the machine's operating and maintenance concept.
Dynamic safety concepts, which are based on a holistic view of changing automation processes and functional safety requirements, offer an alternative. This also changes the view of safety as such; it is seen less as a hardware property and more as a cross-device function. With this approach, processes can be operated in a safely controlled manner without having to be interrupted immediately every time an error occurs.
However, the dynamic approach can only be implemented efficiently if functional safety is taken into account from the outset when planning automation projects. Otherwise, the sequence of individual production steps or an entire process may have to be changed retrospectively, which does not allow for optimal solutions and also incurs considerable costs.
Security becomes a 'moving target'
In the past, when the functional safety of a machine was approved in accordance with the requirements of the CE Directive, plant operators no longer had to worry about safety as long as no significant changes were made to the machine. This is now changing. Intelligent production requires systems with a modular design so that several product variants can be manufactured on one machine, for example. In other words, operators are gaining flexibility in the production process while at the same time increasing standardization at the functional level.
This places new demands on functional safety, which must still be guaranteed even if the machine itself or its module arrangement has been modified. Previously, this was not the case: the machine was approved once and remained as it was. In the smart factory, however, modular systems should be able to be reconfigured quickly and flexibly or rearranged within their network. The validation of a safety solution must then be able to deal with this (late) flexibilization. Combinations that were not considered as part of the CE marking cannot simply be set up by the operator, because simple transferability does not apply: the equation 'CE module 1 + CE module 2 = CE complete machine' does not hold.
The highest degree of standardization can be achieved if the division limits of the various modules can be designed identically - regardless of whether it is a module for the mechanical, electrical, control or visualization function. However, existing technological solutions have not yet been able to meet expectations. Different sets of rules for modularization are also the result of the 'classic' safety architecture. The advantages of modularization are often nullified by a rigid - and possibly hard-wired - safety concept. And electronic safety controllers almost always have a replica of hardware-based safety in the form of fixed safety circuits - even if these controllers are offered in a freely programmable interconnection logic.
The basic element of modern control architectures, on the other hand, is the extensive abandonment of system-dependent sets of rules. The user should be completely free to optimize according to his degree of modularization. If the barrier of different approaches to the functions of automation and machine safety can be removed, the user has gained a significant degree of freedom.
One automation system that incorporates the idea of modularization and flexibilization as one of its basic functions is the PSS 4000 from Pilz. For the first time, it has been possible to manage all process variables - including those of the safety functions - completely symbolically and without any hardware reference in the system. This is demonstrated by the fact that all variables are available system-wide and, thanks to the multi-master architecture, automatically to all controllers in the distributed automation system.
Furthermore, open communication systems with a large number of communication relationships are increasingly being used today. As a result, production systems that used to work offline, so to speak, because they were networked only via fieldbuses or proprietary (i.e. manufacturer-specific) systems, are now connected to the IT world and the Internet. If no measures are taken, machines and systems can become the target of cyber attacks much more easily. The degree of networking also increases the complexity and administration effort of the systems, which in turn increases the risk of unauthorized or unnoticed access.
Processes will become increasingly dynamic in the future; the need for controlled intervention in the process and the demands on productivity will increase, and safety technology will therefore gradually change as well.
Alongside safety, security is becoming an essential cornerstone of the production process. In contrast to functional safety, however, security mechanisms must constantly adapt to the threat situation. This can be done, for example, by installing updates on a case-by-case basis, as viruses, worms, Trojans etc. are constantly evolving, and security gaps can ultimately affect production with all its functional elements.
In order to be able to react flexibly to the respective threat scenario, the protection of safety applications must therefore be supported by a comprehensive security strategy consisting of several layers. At the core are the automation components. The next layer is the network via which these components communicate with other components or, for example, an ERP (Enterprise Resource Planning) system. The top layer is the factory, which is shielded from the outside by a special firewall concept and thus becomes a so-called demilitarized zone.
Confidentiality versus availability
With system-wide valid process data, the mechatronic division limits of individual function modules can be adopted for the control tasks as well as for the safety tasks.
The requirements that the IT world and the world of automation place on security differ significantly. While the confidentiality of information has the highest priority in the office environment, the availability of data is the top priority in the production sector, as this is an essential prerequisite for smooth production processes. Work is currently underway on an international standard (IEC 62443) to harmonize the two security worlds. However, as the hazards associated with a machine do not normally change in functional safety, unlike the threats from the cyber world, safety and security will remain two separate topics in the future, but they must be closely linked.
So how can safety applications be protected against threats from the cyber world? To give you the answer right away: only by combining various measures and security guidelines that are consistently adhered to by all parties involved. In terms of networking, the recipe for success is 'defense in depth'. A central element is the 'Zones and Conduits' security model, already defined in the IEC 62443 standard, which follows the same principle that has been used in the construction of castles since the Middle Ages.
Another measure for the protection of safety applications is to harden the safety systems themselves against cyber attacks. In safety communication, the corresponding data is already transmitted several times and checked using various methods, so that attempts at manipulation can be detected by the safe end devices much sooner than with other communication methods. But that alone is not enough. This is why Pilz, for example, will in future also develop its products from a security perspective in a TÜV-certified process in accordance with IEC 62443-4-1. Aspects such as threat scenarios, the strengths and weaknesses of protocols, and encryption methods will be taken into account from the outset.
The first step is a component for the Ethernet-based network system Safetynet p, which acts as a firewall and, unlike generic firewalls that require complex configuration, can be put into operation using application-specific presettings based on the plug & play principle. This network component also supports a procedure for the automatic authentication of machines, which will increasingly communicate directly with each other in the course of intelligent production processes and, unlike personnel, cannot enter a password to prove their identity and authorizations.
Technical measures alone are not enough
However, the best security measures are of no use if they are not practiced or - even worse - deliberately circumvented due to a lack of understanding and knowledge. Technical measures alone are therefore not enough - they must be accompanied by organizational measures and training.
In summary, it can be said that the boundaries between security and control functions are becoming increasingly permeable. If sub-functions are to be optimally integrated, the two disciplines cannot simply be added at a later date. The challenge ultimately lies in integrating the functions into the overall system. For implementation, many processes and experiences from the safety world can be transferred directly to the security world. The safety sector is already characterized by a high level of investment security and legal certainty. This is also due to the order provided by norms and standards. For example, concepts such as the Safety Integrity Level (SIL) are clearly defined worldwide and can be mapped to hazard classes and risk assessments in a uniform manner. In the future, further indicators will be required for the interplay between safety and security in the interests of standardization. However, it will be increasingly important to consider the needs of the user from the outset when developing solutions and to limit complexity. Because: simplicity is (operator) safety.
Author:
Harald Wessels is Senior Manager Product Management at Pilz.