Industry 4.0 Cybersecurity: Challenges and Recommendations

INDUSTRY 4.0 CYBERSECURITY: CHALLENGES & RECOMMENDATIONS
May 2019

- security aspects of new protocols used by Industry 4.0 solutions;
- skills to utilise the security functionalities of the components and services (which may seem overly complicated to users if not adequately explained);
- methods of secure integration with legacy systems;
- information systems security over complex supply chains.

Moreover, large manufacturing companies often lag in training the employees who work with OT equipment, and instead deploy security solutions for Industry 4.0 systems without first ensuring take-up by those employees. In addition, there are currently only a limited number of state-of-the-art cybersecurity trainings dedicated to IT/OT convergence and Industry 4.0 systems; in most cases such trainings do not cover all essential aspects of these areas, are often very expensive and are not always tailored to specific industry needs.

RECOMMENDATION: PROMOTE CROSS-FUNCTIONAL KNOWLEDGE ON IT AND OT SECURITY

Raising awareness of basic industrial control security, as well as of the secure way to transition to Industry 4.0 and Smart Manufacturing, is of paramount importance. To address the lack of IoT and Industry 4.0 security talent, it is essential to cultivate such knowledge both within and across organisational boundaries. Persons in charge of security within Industry 4.0 organisations should invest in state-of-the-art dedicated cybersecurity trainings that cover all necessary aspects specific to IT/OT convergence and Smart Manufacturing. Lastly, trainings and courses at schools and universities (considering localisation to reach a wider audience) will further promote a better understanding of Industry 4.0 security among younger generations and thus, in the long term, contribute to raising awareness.
The emergence of Industry 4.0 introduces new technologies into traditional OT environments, and thus people familiar with OT who work in such environments need to adapt.

To promote cross-functional knowledge on IT and OT security, ENISA recommends:
- Encourage cross-functional security and safety knowledge exchange between IT and OT experts.
- Launch security education and training in industries transitioning to Industry 4.0, including knowledge of the state of the art, best practices, methodologies and tools for the secure convergence of IT and OT systems.
- Establish tailor-made training courses focused on Industry 4.0 security, to increase the effectiveness of the training and to help OT and IT security experts address relevant cybersecurity issues more efficiently.
- Develop competency profiles to provide IoT- and Industry 4.0-specific awareness and education training for all staff.
- Introduce programmes at schools and universities to address the lack of security and safety knowledge across the industry and to empower the next generation of IT and OT security experts.
- Organise cyber-culture and cyber-hygiene induction courses for OT personnel and, conversely, safety-culture and safety-hygiene courses for IT personnel, also involving all staff. Introduce OT people to the notion of security and IT people to the notion of safety, with special mention of the cases where the two notions may or may not align.

CHALLENGE: INCOMPLETE ORGANISATIONAL POLICIES AND RELUCTANCE TO FUND SECURITY

Industry 4.0 operators, which are at various stages of Industry 4.0 adoption, often do not have appropriate governance structures in place for the secure implementation of new technologies and the secure maintenance of existing ones. Defined security programmes are rarely in place and, in general, comprehensive programmes that consider security and safety in tandem are lacking.
It is also often noted that the security-related roles and responsibilities of employees are not clearly defined, and that there is minimal planning to include safety engineers in the cybersecurity ecosystem. This leaves companies lacking resilience and vulnerable to potential security breaches. The root cause is that, to date, cybersecurity has traditionally not been perceived as a Board-level topic, since its impact on increasing revenue or optimising cost generally remains unclear. As a result, the majority of technological transformations focus on increased functionality and business value rather than on cybersecurity, i.e. they neglect the potential negative impact of the associated risks. A typical example is the ongoing migration of manufacturing companies towards the Cloud. In general, companies opt for Cloud solutions to benefit from cost efficiency and ubiquitous access to information. During this migration, security should be treated as a high-priority issue and should accordingly play an equally important role in decision-making as cost efficiency, especially when manufacturing companies choose public clouds and thus increase the risk of exposing their data and operations, even as they improve their resilience.

Furthermore, it is worth highlighting that ensuring the security of a system or solution, in the context of both Industry 4.0 vendors and operators, requires funding and commitment from top-level management. However, as there is no clearly discernible link between investing in cybersecurity and generating profit, due consideration is often given to cybersecurity only once a security breach has directly led to financial losses. Striking the proper balance between costs and the need for security remains an open challenge.
RECOMMENDATION: FOSTER ECONOMIC AND ADMINISTRATIVE INCENTIVES FOR INDUSTRY 4.0 SECURITY

It is clear that a lack of security has the potential to significantly affect business continuity. Industry 4.0 is no exception, given the criticality of the related operations and the associated impact on safety as well. In this respect, best practices for business continuity can serve as a driver for investing in cybersecurity solutions and accordingly for supporting the unobstructed operation of Industry 4.0 processes. Investments in cybersecurity should not be driven only by fear of losing money. It is equally if not more important for industries and organisations not to look at cybersecurity only as a cost, but to start seeing it as an important business opportunity. Cybersecurity can be an important competitive advantage for businesses, since it leads to secure, reliable and trustworthy products and services. Accordingly, cybersecurity is an enabler of business opportunities, not a hindering factor, and certainly not just another item on a checklist. Nonetheless, economic and administrative stimuli are also required to incentivise investments in Industry 4.0 security, given that the maturity and mentality of organisations and businesses still need to grow when it comes to recognising the role and importance of security.
To foster economic and administrative incentives for Industry 4.0 security, ENISA recommends:
- Establish administrative structures for top-level management to discuss and exchange views with cybersecurity experts and CISOs.
- Launch funding schemes for SMEs and other bodies to support their transition to a secure Industry 4.0 ecosystem, including financial support for cooperative actions.
- Incentivise innovation and R&D activities for securing IT and OT environments, components and systems.
- Ensure a homogeneous and stable legal environment for Industry 4.0 cybersecurity, to allow companies to plan long-term, sustainable business strategies that include the aspect of security.
- Consider the development of certification schemes for Industry 4.0 security (taking into account the inherent particularities when defining the target of evaluation), since they promote harmonisation of the market, increase consumer trust and open up new business opportunities.
- Promote Public Private Partnerships (PPPs) focused on Industry 4.0 cybersecurity, to benefit from multi-stakeholder dialogues and much-needed synergies.

3. PROCESSES

CHALLENGE: LIABILITY OVER THE INDUSTRY 4.0 PRODUCT LIFECYCLE IS POORLY DEFINED

Liability for Industry 4.0 cybersecurity is an open issue (a gap also identified for most emerging technologies), as accountability for Industry 4.0 cybersecurity incidents remains unclear. A large number of stakeholders are involved in the supply chain and in the use lifecycle of Industry 4.0; apportioning liability in the aftermath of a security incident therefore becomes challenging, as currently only general provisions on liability are applicable.
The major difficulty in finding a clear solution for liability stems from the inherent complexity of the ecosystem. The majority of Industrial IoT devices are built from a large number of components manufactured by multiple vendors in dispersed locations (possibly subject to different administrative and legal constraints), including the vendors of the software embedded in the devices. The complexity of the supply chain further exacerbates these concerns. Apportioning liability thus remains an open challenge.

In the context of cybersecurity, an Industry 4.0 device manufacturer is broadly expected to implement functionalities in its product that enable a proper level of security. In a similar fashion, Industry 4.0 operators are expected to use these available security features and to apply all security upgrades provided by the manufacturer. In reality, the situation is more complicated. The long lifespan of Industry 4.0 solutions (especially in comparison to IT systems) and the financial commitments related to their long-term maintenance (e.g. software patching) both aggravate the requirements on manufacturers, users and operators of such solutions. Shared ownership of connected Industry 4.0 solutions, unclear or unspecified role assignments, and the lack of provisions in procurement contracts and service level agreements further complicate the issue of liability.

RECOMMENDATION: CLARIFY LIABILITY AMONG INDUSTRY 4.0 ACTORS

The Industry 4.0 paradigm introduces emerging technologies and services into manufacturing and the industrial ecosystem in general. Given the cyber-physical nature of this paradigm, security and safety are tightly intertwined. It is therefore of particular importance to address liability concerns, not only to protect end users and consumers of such products and services, but also to stimulate corresponding investments through a comprehensive and stable legal framework.
The European Commission has recently published a Staff Working Document that sets the scene for liability issues in emerging technologies such as IoT and Artificial Intelligence [2]. This will serve as a reference point for forthcoming work. The question of where liability may fall lies between the different and diverse stakeholders of the Industry 4.0 supply chain, such as developers, manufacturers, providers, vendors, aftermarket support operators, third-party providers and end users, to name a few.

To clarify liability among Industry 4.0 actors, ENISA recommends:
- Address liability issues in the context of European and national legislation and case law, especially where gaps in existing legislation are identified.
- Adjust procurement language to clarify liability among stakeholders in supply chains, e.g. specify Industry 4.0 cybersecurity requirements as part of SLAs (Service Level Agreements) and contracts during procurement.
- Assess the potential of cyber-insurance policies to transfer residual cyber risk and to reduce the impact of cybersecurity incidents for which an entity might be held liable.
- Raise awareness among end users and consumers of their rights under liability legislation.
- Specify in a clear manner the legal obligations of Industry 4.0 operators when it comes to liability.

CHALLENGE: FRAGMENTATION OF INDUSTRY 4.0 SECURITY TECHNICAL STANDARDS

The current landscape of standards and policy initiatives related to IoT and Industry 4.0 cybersecurity is quite large, covering security aspects in both a horizontal and a vertical (application-specific deployments, e.g. automotive, health and consumer) manner.

[2] See EC Staff Working Document on "Liability for emerging digital technologies": ec.europa.eu/newsroom/dae/document.cfm?doc_id=51633, April 2018
In the context of IoT, many high-level reference documents have been published, as well as baselines, good practices, checklists and general guidance [3]. Concerning connected industrial systems, and manufacturing systems in particular, there are also useful sources that may serve as guidelines for relevant stakeholders [4]. However, when it comes to Industry 4.0 and Smart Manufacturing the situation is slightly different. Given the nascent nature of these areas, comprehensive initiatives to address security in a holistic manner are lagging behind. Nonetheless, it is important to refer to some notable examples that already exist (such as IEC 62443 [5] or the efforts under IUNO/Industrie 4.0 [6], to name a few). Accordingly, interested parties currently rely on documentation that is only partially applicable to the broad spectrum of Industry 4.0 and Smart Manufacturing.

The fragmentation of Industry 4.0 security standards and initiatives is of particular importance for the manufacturing sector. Large manufacturing companies commonly have sites spread across the world. Accordingly, the lack of uniform standardisation efforts at a global level results in a situation where sites that belong to one organisation cannot collaborate and share security expertise and solutions with each other, as they are subject to different schemes. Moreover, secure collaboration across companies is also hindered. At the same time, it is promising that cross-mapping initiatives have started to evolve, e.g. the ENISA Baseline Security Recommendations for IoT [7], the UK Government Code of Practice for Consumer IoT Security [8] and NIST Internal Report 8228 [9]. While such initiatives contribute to increasing homogeneity in the area of IoT security, further work to extend them to the Industry 4.0 ecosystem is desirable [10].

[3] The ENISA online tool for IoT and Smart Infrastructures Security maintains a continuously updated list of relevant efforts mapped against the ENISA IoT Security Baseline: https