搜索
INDUSTRY4.0CYBERSECURITY:CHALLENGES&RECOMMENDATIONSTHEEUAGENCYFORCYBERSECURITYENISALISTSHIGH-LEVELRECOMMENDATIONSTODIFFERENTSTAKEHOLDERGROUPSINORDERTOPROMOTEINDUSTRY4.0CYBERSECURITYANDFACILITATEWIDERTAKE-UPOFRELEVANTINNOVATIONSINASECUREMANNER.2INDUSTRY4.0CYBERSECURITY:CHALLENGES&RECOMMENDATIONSMay20191.INTRODUCTIONTheENISAstudyonGoodPracticesforSecurityofIoTinthecontextofSmartManufacturing1focusesonaddressingthesecurityandprivacychallengesrelatedtotheevolutionofindustrialsystemsandservicesprecipitatedbytheintroductionofIoTinnovations.ThemainobjectivesaretocollectgoodpracticestoensuresecurityofIoTinthecontextofIndustry4.0/SmartManufacturing,whilemappingtherelevantsecurityandprivacychallenges,threats,risksandattackscenarios.Buildingonthiswork,thisdocumentprovidestheresultsofagapanalysisconductedinordertoidentifymainchallengestotheadoptionofthesecuritymeasuresandsecurityofIndustry4.0andIndustrialIoT.Moreover,ENISAlistshigh-levelrecommendationstodifferentstakeholdergroupsinordertopromoteIndustry4.0cybersecurityandfacilitatewidertake-upofrelevantinnovationsinasecuremanner.Theadoptionofthehigh-levelrecommendationsproposedbyENISAaimsatcontributingtotheenhancementofIndustry4.0cybersecurityacrosstheEuropeanUnionandatlayingthefoundationsoftherelevantforthcomingwork,aswellasatservingasabasisforfuturedevelopments.Inthisshortpaper,ENISAfollowsaholisticandcomprehensiveapproachtotheissuesrelatedtocybersecurityinIndustry4.0,wherebychallengesandrecommendationsareassociatedwithoneofthefollowingcategories:People,Processes,andTechnologies.ThisensuresconsistencywiththerelevantENISAstudy1.Additionally,recommendationsarealsocategorisedintermsthetargetaudiencegroupstowhichtheyareaddressed(theiconsforthe5stakeholdergroupsidentifiedbelowmaybeusedasaguidance,i.e.thepresenceofaniconnexttoarecommendationindicatesthataparticularsetofrecommendationsisaimedatthecorrespondingstakeholdergroup).1SeeENISAstudyonGoodPracticesforSecurityofIoTinthecontextofSmartManufacturing:(OTandITsecurity)Industry4.0operators(solutionproviders&manufacturers)RegulatorsStandardisationcommunityAcademiaandR&Dbodies3INDUSTRY4.0CYBERSECURITY:CHALLENGES&RECOMMENDATIONSMay20192.PEOPLECHALLENGE:NEEDTOFOSTERANDALIGNIT/OTSECURITYEXPERTISEANDAWARENESSLackofsufficientinformationsecurityexpertiseandawarenessisamajorbarrierthathinderstheadoptionofIndustry4.0securitymeasures.PeopleinvolvedindeploymentsofnewsolutionsusuallyhaveonlyknowledgeofeitherITorOTsecurity,whileIndustry4.0andSmartManufacturingrequireexpertiseoverseveralareas,e.g.networksecurity,embeddedsystems,OTandITsecuritytonameafew.Itisbecomingincreasinglydifficulttofindqualifiedspecialistswhoarewellawareofsecurityissues.TheemergenceofIndustry4.0introducesnewtechnologiesintotraditionalOTenvironmentsandthuspeoplefamiliarwithOTthatworkinsuchenvironmentsneedtoadapt.ThesepeoplehaveknowledgeonhowtooperatesuchenvironmentsforyearsandarenowadaysfacedwithadaptingthewaytheyworkandembracenewIndustry4.0capabilities.Beingunfamiliarwithsuchtechnologies,employeeslacknewcompetencesthatareessentialforsecureutilizationofIndustry4.0solutionswithintheSmartManufacturingsystems.Suchnewcompetenceswouldinclude,amongothers:operationalsecurityknowledgeandskillsrequiredtomonitor,prevent,anddetectanomaliesduetosecurityviolations;securityaspectsofnewprotocolsusedbyIndustry4.0solutions;skillstoutilizesecurityfunctionalitiesofthecomponentsandservices(whichmayseemoverlycomplicatedtousersifnotadequatelyexplained);methodsofsecureintegrationwithlegacysystems;informationsystemssecurityovercomplexsupplychains.Moreover,largemanufacturingcompaniesoftenarelaggingintrainingemployeeswhoworkwithOTequipmentandinsteademploysecuritysolutionsforIndustry4.0systemswithoutfirstensuringtake-upbyemployees.Inaddition,nowadaystherearealimitednumberofstate-of-the-artcybersecuritytrainingsdedicatedtoIT/OTconvergenceandIndustry4.0systemsandinanycase,suchtrainingsinmostcasesdonotcoverallessentialaspectsoftheseareas,areoftenveryexpensiveandnotalwaystailoredtospecificindustryneeds.RECOMMENDATION:PROMOTECROSS-FUNCTIONALKNOWLEDGEONITANDOTSECURITYRaisingawarenessonbasicindustrialcontrolsecurityaswellasonthesecurewayfortransitioningtoIndustry4.0andSmartmanufacturingisofparamountimportance.ToaddressthelackofIoTandIndustry4.0securitytalent,itisessentialistocultivatesuchknowledgebothwithinandacrossorganisationalboundaries.PersonsinchargeofsecuritywithinIndustry4.0organizationsshouldinvestinstate-of-the-artdedicatedcybersecuritytrainingsthatcoverallnecessaryaspectsspecifictoIT/OTconvergenceandSmartmanufacturing.Lastly,trainingsandcoursesatschoolsanduniversities(consideringlocalisationtoreachawideraudience)willfurtherpromoteabetterunderstandingofIndustry4.0securityamongyoungergenerationsandthusinth