Cybersecurity and industry 4.0: the European guidelines

Cybersecurity and industry 4.0: the European guidelines

Industry 4.0 is becoming a reality. It will greatly benefit jobs and manufacturing, but will also pose new challenges. For instance, the new technologies of the fourth industrial revolution will be more vulnerable to cyber attacks. Therefore, investing in cybersecurity will be crucial. The EU Agency for Cybersecurity (ENISA) has issued some guidelines to encourage companies undertake this process.


The fourth industrial revolution is becoming a reality. Thanks to new intelligent and interconnected technologies, machines are able to communicate with each other and with operators also remotely, thus allowing remote control and maintenance. Most industrial operations, from design to production, to the supply chain, will soon be completely automated.

On one hand, the fourth industrial revolution is greatly benefiting the productivity of companies and those working in factories. On the other, it also poses risks, in particular concerning cybersecurity. Data clearly indicates that introducing new and interconnected digital technologies, for example the great variety of IoT applications, increases exposure to cyber attacks.


Cybersecurity: attacks increase, but so do investments

The year 2018 was bad for cybersecurity, with a dramatic increase in attacks recorded worldwide. This trend was confirmed also in Italy. The 2019 Clusit Report reports a 37% increase in serious attacks compared to 2017, and an increase of 78% in the period 2014-2018.

So far, the main aims of cyber attacks targeting companies have been scams (83%) and extortion (78%), followed by espionage intrusion (46%) and interruption of service (36%). In the near future, attacks will evolve to exploit the vulnerabilities of new technologies. Attacks on production systems, on connected vehicles, and on critical infrastructures such as electricity, water and telecommunications networks, will increase.

For the industry 4.0, cybersecurity is of fundamental importance. Therefore, Italian companies are preparing for the challenge. Many are investing in information security and privacy solutions, an area that grew by 9% in the last year. 63% of large Italian companies increased their budget in cybersecurity compared to the previous year, while 52% have already drafted a multi-year investment plan. Among these investments, the main item of expenditure is alignment to the GDPR.

The main aims and targets of cyber attacks (SOURCE: Information Security & Privacy Observatory of the School of Management of the Politecnico of Milan)

Cybersecurity and the industry 4.0: the European guidelines

For companies transitioning towards industry 4.0, the main problems stem from IoT technologies. The Information Security & Privacy Observatory of the Politecnico of Milan researched the main cyber threat factors. First, is the lack of a security by design logic (according to 73% of companies). Second, the lack of users’ awareness regarding possible problems related to these devices (58%). Third comes the absence of technological and safety standards (53%). The main security challenges that Industry 4.0 will have to face mainly concern the lack of awareness of security problems caused by the function Operations (56%), the growing interconnection between industrial plants and IT infrastructure (55%), industrial plant obsolescence (40%) and lack of figures possessing adequate skills (37%).

ENISA, the European Union Agency for Network and Information Security, has been addressing these aspects for some time. In November 2018, it published new guidelines for IT security in the IoT sector, with a particular focus on smart manufacturing and Industry 4.0. The publication aims to promoting the cybersecurity culture in Industry 4.0 and towards all companies that plan to adopt IoT solutions for their industrial operations.

In May 2019, ENISA published a second report, which identifies the main challenges that Industry 4.0 and the IoT sector must face to step up IT security.


Cybersecurity and the new skills required by industry 4.0

In the fourth industrial revolution, the new industrial model will require new skills. This also applies to the cybersecurity sector.
The industry 4.0 is introducing new technologies in traditional environments. Therefore, those who are working with networks and IT systems today, tomorrow will find themselves managing more complex systems that will require new skills. According to ENISA, the main new cybersecurity skills required will be:

  • operational security skills and ability to monitor, prevent and detect anomalies caused by security breaches;
  • knowledge of the new security protocols used by Industry 4.0 and Industry IoT solutions;
  • mastering the security features of the components of new machines and related services;
  • security of supply chain information systems.


Companies often focus on technological innovation first, and then on training their employees. Thus, they introduce new machines and systems without considering how users will adapt to them, or whether they are capable of using them correctly. Instead, a correct cybersecurity culture should make technological innovation proceed together with all aspects relating to human factors, including training and updating of new professional figures.

ENISA openly recommends companies to invest in a culture of cybersecurity. For instance, they should provide specific training plans for their employees, both internal and external, and collaborate with universities or other companies that have experience in the field.


A paradigm shift: cybersecurity as a business opportunity

Investing in cyber security costs money. In addition, the return of these investments is often not tangible, at least in the short term. However, in its guidelines ENISA invites to shift the perspective and view cybersecurity investments as a business opportunity. In fact, cyber security makes companies safer. It allows them to defend their tangible and intangible assets, and their reputation. Above all, it helps generating greater trust in clients: in other words, to be more competitive on the market. In this sense, cybersecurity will play an increasingly major role in the future.

Obviously, when it comes to investing, incentives and tax breaks are also important. Italy’s National Industry 4.0 Plan(“Impresa 4.0”), provides for various measures to support companies in this transition.


Industry 4.0, cybersecurity and liability: an open problem

For most emerging technologies, liability – i.e., the identification of who is responsible in the event of an accident or a cyberattack – remains an open problem. This is true, for instance, with self-driving cars. Who should be held accountable in case of accidents? The driver, the car manufacturer, or those who designed the systems for autonomous driving? The same question concerns the entire chain of Industry 4.0, and in general all complex ecosystems resulting from the adoption of new technologies.

The supply chain of Industry 4.0 consists of many components. Being designed and manufactured by different suppliers in different countries, they are therefore subject to different laws and administrative regulations. This also applies to suppliers of software incorporated into the chain. In the event of an IT incident, how to attribute accountabilityconstitutes a problem. Indeed, a major one.

In order to better identify the chain of responsibilities of the main actors of Industry 4.0, ENISA provides some recommendations.

  • Increasing the awareness of end users and consumers about their liability rights.
  • Adjusting supply and procurement contracts between stakeholders to clarify specific liabilities and cybersecurity requirements.
  • Being transparent, and clearly specifying the legal obligations of Industry 4.0 operators with regard to liability.
  • Addressing liability issues in the context of European and national legislation, especially if there are gaps in existing legislation.
  • Consider the possibility of adopting a cyberinsurance policy against cyberattacks.

Industry 4.0 and cybersecurity: common security standards needed

ENISA also highlights the lack of common safety standards in Industry 4.0. Not only legislation is still far behind in this area, but above all, regulations contradict each other. As a consequence, this fragmentation of standards negatively affects the manufacturing sector. Large industries, with plants spread all over the world, cannot in fact implement one single policy to guarantee their safety. This means that different plants belonging to the same company cannot collaborate and share safety skills and solutions, as they are subject to different standards.

Overcoming the current fragmentation of technical standards for cybersecurity in Industry 4.0 must be a priority. To this end, ENISA suggests harmonizing the efforts of individual countries within a common European and international framework, with the introduction of new specific reference standards for security in Industry 4.0, as has already been done for drones.

The European Union is funding many research projects to suggest guidelines for the near future. They will also identify existing gaps and trace roadmaps for the definition of common standards.


How to make a technology safe

The key word to guarantee cyber security of Industry 4.0, from a technological point of view, is interoperability. It is the ability of a software to cooperate and exchange information with other softwares safely and efficiently.

Because software protocols often belong to different owners, interoperability is often put at risk and sometimes completely lacking. This poses a major problem for a complex ecosystem such as Industry 4.0, which uses devices and platforms provided by different manufacturers. The lack of interoperability means operations cannot be carried out without interruptions, putting safety at risk. Therefore, it is essential to address the problem of proprietary protocols and adopt common frameworks to improve the functionality and safety of Industry 4.0.


Deep Blue: committed to cybersecurity for industry 4.0

For some years now, Deep Blue has been transferring the experience acquired in the fields of human factors and safety in complex systems, such as aviation and maritime transport, to the areas of Industry 4.0 and cybersecurity. In recent years, we have offered our expertise and knowledge to leading players in Italy and Europe, collaborating and providing services, among others, to Tetra Pak, Sacmi, Leonardo, ENAV, ENAC, EUROCONTROL, IATA, the European Space Agency, the UN World Food Program.

Our research projects include Hermeneut, which explored the economic problems associated with cybersecurity. Hermeneut paid particular attention to the role of human factors in cybersecurity, often referred to as one of the main causes of cyber attacks. Hermeneut has allowed us to develop a new tool designed for companies: a methodology to assess and quantify the risks and costs associated with cybersecurity, to easily identify the best defence strategy.

In June 2019, Hermeneut held a workshop on cybersecurity for the Industry 4.0 supply chain. Specifically, the workshop discussed the cascading effects of a hypothetical cyber attack on the material and intangible assets of a company in the Industry 4.0 supply chain. In particular, Hermeneut assessed the costs generated by a cyber attack, and highlighted the cascading effects on the supply chain ecosystem, in order to identify weak points and possible mitigation actions. At its closure, Hermeneut produced a set of white papers recommending best practices on cybersecurity in different business sectors.

We can help your company better your organizational cyber-defense:


Get in touch with us