INDUSTRY 4.0 CYBERSECURITY: CHALLENGES

security aspects of new protocols used by Industry 4.0 solutions; skills to utilise the security functionalities of the components and services (which may seem overly complicated to users if not adequately explained); methods of secure integration with legacy systems; information systems security over complex supply chains.

Moreover, large manufacturing companies often lag in training the employees who work with OT equipment and instead deploy security solutions for Industry 4.0 systems without first ensuring take-up by employees. In addition, there are currently only a limited number of state-of-the-art cybersecurity trainings dedicated to IT/OT convergence and Industry 4.0 systems, and such trainings in most cases do not cover all essential aspects of these areas, are often very expensive and are not always tailored to specific industry needs.

RECOMMENDATION: PROMOTE CROSS-FUNCTIONAL KNOWLEDGE ON IT AND OT SECURITY

Raising awareness of basic industrial control security, as well as of the secure way of transitioning to Industry 4.0 and Smart Manufacturing, is of paramount importance. To address the lack of IoT and Industry 4.0 security talent, it is essential to cultivate such knowledge both within and across organisational boundaries. Persons in charge of security within Industry 4.0 organisations should invest in state-of-the-art dedicated cybersecurity trainings that cover all necessary aspects specific to IT/OT convergence and Smart Manufacturing. Lastly, trainings and courses at schools and universities (considering localisation to reach a wider audience) will further promote a better understanding of Industry 4.0 security among younger generations and thus, in the long term, will contribute to raising awareness.

The emergence of Industry 4.0 introduces new technologies into traditional OT environments, and thus people familiar with OT who work in such environments need to adapt.
Report source: ENISA. For study and research use only; not for commercial use.

To promote cross-functional knowledge on IT and OT security, ENISA recommends:

- Encourage cross-functional security and safety knowledge exchange between IT and OT experts respectively.
- Launch security education and training in industries transitioning to Industry 4.0, including knowledge of state-of-the-art best practices, methodologies and tools for the secure convergence of IT and OT systems.
- Establish tailor-made training courses focused on Industry 4.0 security to increase the effectiveness of the training and assist OT and IT security experts in addressing relevant cybersecurity issues more efficiently.
- Develop competency profiles to provide IoT- and Industry 4.0-specific awareness and education training for all staff.
- Introduce programmes at schools and universities to address the lack of security and safety knowledge across the industry and to empower the next generation of IT and OT security experts.
- Organise cyber-culture and cyber-hygiene induction courses for OT personnel and, conversely, safety-culture and safety-hygiene courses for IT personnel, also involving all staff. Introduce to OT people the notion of security and to IT people the notion of safety, with special mention of cases where the two notions may or may not align.

CHALLENGE: INCOMPLETE ORGANISATIONAL POLICIES AND RELUCTANCE TO FUND SECURITY

Industry 4.0 operators, which are at various stages of Industry 4.0 adoption, often do not have appropriate governance structures in place for the secure implementation of new technologies and the secure maintenance of existing ones. Defined security programmes are rarely in place, and comprehensive programmes that consider security and safety in tandem are generally lacking. It is also often noted that the security-related roles and responsibilities of employees are not clearly defined, and there is minimal planning to include safety engineers within the cybersecurity ecosystem. This leaves companies lacking resilience and vulnerable to potential security breaches.
This is because, to date, cybersecurity has traditionally not been perceived as a Board-level topic, since its impact on increasing revenue or optimising cost remains generally unclear. As a result, the majority of technological transformations focus mostly on increased functionality and business value rather than on cybersecurity, i.e. on limiting the potential negative impact of the associated risks. A typical example is the ongoing migration of manufacturing companies towards the Cloud. In general, companies opt for Cloud solutions to benefit from cost efficiency and ubiquitous access to information. During this migration, security should be treated as a high-priority issue and should play an equally important role in decision-making as cost efficiency, especially when manufacturing companies choose public clouds and thus increase the risk of exposing their data and operations, while at the same time improving their resilience.

Furthermore, it is worth highlighting that ensuring the security of a system or solution, for both Industry 4.0 vendors and operators, requires funding and commitment from top-level management. However, as there is no clearly discernible link between investing in cybersecurity and generating profits, due consideration is often given to cybersecurity only once a security breach directly leads to financial losses. Striking the proper balance between costs and the need for security remains an open challenge.

RECOMMENDATION: FOSTER ECONOMIC AND ADMINISTRATIVE INCENTIVES FOR INDUSTRY 4.0 SECURITY

It is clear that a lack of security has the potential to significantly affect business continuity.
Industry 4.0 is no exception, given the criticality of the related operations and the associated impact on safety as well. In this respect, best practices for business continuity can serve as a driver for investing in cybersecurity solutions and accordingly for supporting the unobstructed operation of Industry 4.0 processes.

Investments in cybersecurity should not be driven only by fear of losing money. It is equally, if not more, important for industries and organisations not to look at cybersecurity only as a cost, but also to start seeing it as an important business opportunity. Cybersecurity can be an important competitive advantage for businesses, since it leads to secure, reliable and trustworthy products and services. Accordingly, cybersecurity is an enabler of business opportunities, not a hindering factor and certainly not just another item on a checklist. Nonetheless, economic and administrative stimuli are also required to incentivise investments in Industry 4.0 security, given that the maturity and mentality of organisations and businesses need to grow further when it comes to identifying the role and importance of security.

To foster economic and administrative incentives for Industry 4.0 security, ENISA recommends:

- Establish administrative structures for top-level management to discuss and exchange views with cybersecurity experts and CISOs.
- Launch funding schemes for SMEs and other bodies to support their transition to a secure Industry 4.0 ecosystem, including financial support for cooperative actions.
- Incentivise innovation and R&D activities for securing IT and OT environments, components and systems.
- Ensure a homogeneous and stable legal environment for Industry 4.0 cybersecurity to allow companies to plan long-term, sustainable business strategies that include the aspect of security.
- Consider the development of certification schemes for Industry 4.0 security (taking into account the inherent particularities when defining the target of evaluation), since they promote harmonisation of the market, increase consumer trust and open up new business opportunities.
- Promote Public-Private Partnerships (PPPs) focused on Industry 4.0 cybersecurity to benefit from multi-stakeholder dialogues and much-needed synergies.

2. PROCESSES

CHALLENGE: LIABILITY OVER THE INDUSTRY 4.0 PRODUCTS LIFECYCLE IS POORLY DEFINED

Liability for Industry 4.0 cybersecurity is an open issue (a gap also identified for most emerging technologies), as accountability for Industry 4.0 cybersecurity incidents remains unclear. A large number of stakeholders are involved in the supply chain and in the use lifecycle of Industry 4.0; therefore, apportioning liability in the aftermath of a security incident becomes challenging, as currently only general provisions of liability are applicable. The major difficulty in finding a clear solution for liability stems from the inherent complexity of the ecosystem. The majority of Industrial IoT devices are usually built from a large number of components manufactured by multiple vendors in dispersed locations (possibly subject to different administrative and legal constraints), including the vendors of the software embedded in the devices. The complexity of the supply chain further exacerbates these concerns. Apportioning liability thus remains an open challenge.
In the context of cybersecurity, an Industry 4.0 device manufacturer is broadly expected to implement functionalities in its product that enable a proper level of security. In a similar fashion, Industry 4.0 operators are expected to use these available security features and to perform all security upgrades provided by the manufacturer. In reality, the situation is more complicated. The long lifespan of Industry 4.0 solutions (especially in comparison to IT systems) and the financial commitments related to their long-term maintenance (e.g. software patching) both aggravate the requirements on manufacturers, users and operators of such solutions. Shared ownership of connected Industry 4.0 solutions, unclear or unspecified role assignments, and a lack of provisions in procurement contracts and service level agreements further complicate the issue of liability.

RECOMMENDATION: CLARIFY LIABILITY AMONG INDUSTRY 4.0 ACTORS

The Industry 4.0 paradigm introduces emerging technologies and services in manufacturing and in the industrial ecosystem in general. Given the cyber-physical nature of this paradigm, security and safety are tightly intertwined. Therefore, it is of particular importance to address liability concerns, not only to protect end-users and consumers of such products and services, but also to stimulate corresponding investments through a comprehensive and stable legal framework. The European Commission has recently published a Staff Working Document that sets the scene for liability issues in emerging technologies such as IoT and Artificial Intelligence [2]. This will serve as a reference point for forthcoming work.

The question of where liability may fall lies between the different and diverse stakeholders of the Industry 4.0 supply chain, such as developers, manufacturers, providers, vendors, aftermarket support operators, third-party providers and the end users, to name a few.
[2] See the EC Staff Working Document on "Liability for emerging digital technologies": ec.europa.eu/newsroom/dae/document.cfm?doc_id=5163, April 2018.

To clarify liability among Industry 4.0 actors, ENISA recommends:

- Address liability issues in the context of European and national legislation and case law, especially where gaps in existing legislation are identified.
- Adjust procurement language to clarify liability among stakeholders in supply chains, e.g. specify Industry 4.0 cybersecurity requirements as part of SLAs (Service Level Agreements) and contracts during procurement.
- Assess the potential of cyber-insurance policies to transfer residual cyber risk and reduce the impact of cybersecurity incidents for which an entity might be held liable.
- Raise awareness among end users and consumers of their rights concerning liability legislation.
- Specify in a clear manner the legal obligations of Industry 4.0 operators when it comes to liability.

CHALLENGE: FRAGMENTATION OF INDUSTRY 4.0 SECURITY TECHNICAL STANDARDS

The current landscape of standards and policy initiatives related to IoT and Industry 4.0 cybersecurity is quite large, covering security aspects in both a horizontal and a vertical (application-specific deployments, e.g. automotive, health and consumer) manner. In the context of IoT, many high-level reference documents have been published, as well as baselines, good practices, checklists and general guidance [3]. Concerning connected industrial systems, and manufacturing systems in particular, there are also useful sources that may serve as guidelines for the relevant stakeholders [4]. However, when it comes to Industry 4.0 and Smart Manufacturing the situation is slightly different. Given the nascent nature of these areas, comprehensive initiatives to address security in a holistic manner are lagging behind.
Nonetheless, it is important to refer to some notable examples that already exist (such as IEC 62443 [5] or the efforts under IUNO/Industrie 4.0 [6], to name a few). Accordingly, interested parties currently utilise documentation that is only partially applicable to the broad spectrum of Industry 4.0 and Smart Manufacturing.

The fragmentation of Industry 4.0 security standards and initiatives is of particular importance for the manufacturing sector. Large manufacturing companies commonly have sites spread across the world. Accordingly, the lack of uniform standardisation efforts at a global level results in a situation where sites that belong to one organisation cannot collaborate and share security expertise and solutions with each other, as they are subject to different schemes. Moreover, secure collaboration across companies is also hindered. At the same time, it is promising that cross-mapping initiatives have started to evolve, e.g. the ENISA Baseline Security Recommendations for IoT [7], the UK Government Code of Practice for Consumer IoT Security [8] and NIST Internal Report 8228 [9]. Whereas such initiatives contribute to increasing homogeneity in the area of IoT security, further work to expand them to the Industry 4.0 ecosystem is desirable [10].

[3] The ENISA online tool for IoT and Smart Infrastructures Security maintains a continuously updated list of relevant efforts mapped against the ENISA IoT Security Baseline: https://www.enisa.europa.eu/iot-tool
[4] See Annex C of the ENISA study on Good Practices for Security of IoT in the context of Smart Manufacturing: www.enisa.europa.eu/publications/good-practices-for-security-of-iot
[5] See the IEC 62443 family of standards at: https://www.iec.ch/index.htm
[6] See the IUNO project homepage at: iuno-projekt.de/
[7] See the ENISA "Baseline IoT Security Recommendations" study at: https: