The networking of computer systems does not stop in front of the industrial systems. The traditional embedded systems are becoming Cyber-Physical Systems. Cyber-Physical systems are systems with software and electronics, which are linked by sensors and actuators with the outside world through the Internet. With the aid of sensors, these systems process data from the physical world and make them available to the virtual outside world, which in turn can have an outcome through the actuators directly to procedures in the physical world. The “internet of things” is formed. This provides the technological basis for the "Industry 4.0" - a future project launched by the German government in 2011. Nowadays, internationally the term "Industry 4.0" is synonymous with the networking of industrial plants.
With the increment of networking and the exchange of information between the systems, however, the standards of security and availability also increases. The recent standardized hardware and software components that have been developed for the simplest possible integration and universal communication, are frequently vulnerable to attacks and manipulations.
A renowned example is the “Stuxnet” virus. The malware was identified in 2010 and it was developed specifically for the Siemens SPS Simatic S7. Thereby, it was attacked in the control of frequency converters, which led to perturbations in Iran's nuclear facilities.
Nowadays, Embedded Systems are used for a variety of tasks and are generally needed to measure, regulate and control all types of devices and systems. Originally developed as autonomous systems, many facilities are not sufficiently protected from attacks. How can we protect the industrial facilities with your networked control units from enemy attacks, sabotage and espionage? The topic of Industrial IT Security is exactly related to this issue.
The Standard IEC 62443 family offers an integrated approach to the protection of Embedded Systems in industrial facilities
The Standard IEC 62443 can be seen as an industry-specific reaction by international bodies to this new threat and is specifically addressed to the safety of industrial environments of management and control.
The standard family entails four groups:
IEC 62443 adopts an integrated approach, since both the CSMS Management System as well as the control system for industrial environments and its components are addressed. Among other things, IEC 62443 accomplishes the following seven areas of work - the "Foundational Requirements”:
These fields are prepared structurally for example, in IEC 62443-3-3 the Security Requirements for an Industrial Automation and Control System (IACS). The requirements for the IACS are getting higher with an increase in the Security Level (SL). The LS designates the strength of an attacker on a scale with four levels. These designate the categorised application which begin with an expected attacker:
According to the stage in the lifecycle, the Security Level can be distinguished among:
There are noticeable the parallels to the concepts of functional safety. One will find here related concepts like, for instance, the access protection of unsafe components to secure data. Though, the similarities are not simply technical in nature. The development processes flows as well similarly in both standards. From an economic standpoint, a certificate in accordance with IEC 62443 to any liability claims for damages is recommended for the future in order to be able to protect yourself from the attacks.
In summary it can be mentioned that the IEC 62443 helps to accomplish a global tactic to the IT security of management and control systems that comprises both the management of IT security and the safety of systems and components. The protection in the entire life cycle of the automation solution is influenced more by additional actions under the security management, like the physical protection, the management of users and their rights or the consistent operating a Patch Management. Some issues that are associated with the SL-concept are still unclear.
On the whole, though, a manufacturer as well as system integrators and operators will benefit from the developments. It is realistic to anticipate that the need for security in Embedded Systems concepts will continue to increment. Nevertheless, it remains to be seen whether the concepts of IEC 62443 will succeed in the longer run and attain the amplitude in the industry, since a high dynamics of technology often cannot withstand so well with the paper inactivity.