With the development of Industry 4.0, products, manufacturing equipment, and critical infrastructures of the future will all be connected. These interconnected systems require protection against growing and harmful internet threats. It is very likely that the functional safety of these products will be impacted if their IT security can't be assured, and the situation may ultimately cause severe losses and damage.
In response to this trend, TUV NORD has taken the lead in introducing the concept of Security 4 Safety (S4S) and related services. By addressing the interdependence of IT security and functional safety and bundling resources from different business units, the company aims to provide complete solutions that mitigate risks to overall system safety in the new connected world.
Combining Security and Safety to Enable Effective Risk Management
"Traditionally, functional safety and IT security are in two separate areas," Gerhard Rieger, Branch Manager of Functional Safety Division at TUV NORD Systems, said. "The former emphasizes whether the functions of industrial equipment, automobiles, and consumer products are properly designed to ensure the physical safety of users, and the latter the security protection of IT systems to avoid malicious cyberattacks and data leakage."
But now, in the new era of Industry 4.0, more and more industrial equipment and processes are connected to the Internet, so the two areas are increasingly converging. Functional safety and IT security should be considered as a whole to truly ensure overall system safety.
"Digitalization will be the central subject for the future Industry 4.0. Increased networking poses new and more comprehensive challenges for product safety," he said. "Important requirements such as the standardization of interfaces in production have not yet been conclusively met. Nevertheless, the process of digitalizing Industry 4.0 must be begun, continued and secured. Wherever machines or vehicles are automatically exchanging information, the identity of the end devices must be clearly determined, and all unauthorized influences (cyberattacks) from outside must be avoided, so that the security of the system can continue to be guaranteed."
Undoubtedly, companies will need to take these new design considerations into account. Beyond assuring the security of new IT interfaces in existing products, various new products, such as intelligent home devices, smart meters, and IoT devices, will all be required to comply with new security specifications to expand their applications.
"The latest connected cars and self-driving cars of the future are the most obvious case to show how IT security affects functional safety. These cars are highly dependent on the information acquired from the Internet to assist driving. Any cyberattack will have an adverse impact on their performance and functional safety, which may cause danger or even injuries. For other examples, such as power plants, or any kind of production facility, IT security should be further guaranteed to prevent severe losses and damage caused by malfunctioning."
Therefore, for next-generation connected products, the guarantee of their functional safety depends on the assurance of IT security. This is the reason that TUV NORD aggressively promotes the concept of Security 4 Safety and related services.
Making Use of the S4S (Security 4 Safety) Tool to Comply with the IEC 62443 Standard
Kevin Huang, Great China Functional Safety Product Manager, explained that, in order to address the IT security requirements for industrial automation and control systems, IECEE established the IEC 62443 international standard years ago. Its first and second versions were released in 2005 and 2013 respectively. In addition, the testing and certification programs for networking security evaluation were developed in 2015.
The standard was originally derived from ISO 27001, and then reconstructed to focus on the industrial automation and control system (IACS) area. Unlike ISO 27001, which specifies the management system for overall IT and server environments, IEC 62443 aims to improve the digital security of companies' internal processes and SCADA (supervisory control and data acquisition) environments. Complying with the standard can provide higher networking security for a company's production environment and processes, so that they can be effectively protected from various cyberattacks.
"With the advent of Industry 4.0, the importance of IEC 62443 is increasingly high. Though the implementation of the standard is still at an early stage, with very few companies adopting it, it will surely become an important trend in the future," Rieger stressed.
In order to help customers cope with the IT security challenges of automation and control systems, TUV NORD has developed an easy-to-use, customizable Safety for Security - S4S risk analysis tool, which can be run in various hardware or software environments to find network weaknesses and then propose adequate measures.
According to Rieger, TUV IT, a subsidiary of TUV NORD Group, has top-notch security testing technologies and facilities for IC chips. Multiple methods are used to check for hardware weaknesses, including fault induction, SPA (Simple Power Analysis), DPA (Differential Power Analysis) and DFA (Differential Fault Analysis). By combining the Group's resources and solutions for IT security and functional safety, we are able to offer comprehensive solutions to help customers improve their overall system security and safety.
In order to prevent terror attacks, the EU has issued a directive (2008/114/EC) to protect critical infrastructure. In the future, member countries will publish corresponding regulations and standards to ensure the normal operation of societal functions, as well as health, safety, security, and economic activities. Among them, the functional safety and IT security of electronic/electrical and information systems will play an important role. As Taiwan is an export-oriented economy, its government and companies should be aware of this trend and take the necessary actions as early as possible.
Taiwan Makers Should Respond to Seize the New Opportunities
Kevin Huang said, "TUV NORD has been offering ISMS IT security certification service for more than a decade in Taiwan. We have a very strong position in the market, with customers ranging from government institutes to various corporate organizations. Building on this foundation, we will actively promote the IEC 62443 standard certification service from 2017, with a specific focus on the semiconductor industry."
"In light of the rapid growth of the industrial and automobile markets, semiconductor companies in Taiwan won't be able to move into the high-end market without complying with related standards. Take ADAS (Advanced Driving Assistance System) as an example: after implementing the functional safety standard, IT security will also be incorporated in the next stage."
Therefore, certification services for the latest ISO 26262 standard for automobile functional safety and for IEC 62443 for IT security of industrial automation and control systems will be the market that TUV NORD aggressively targets in the future. Moreover, compared with its competitors, TUV NORD has the unique advantage of offering complete combined services for both IT security and functional safety.
"We will conduct gap analysis for customers to help them analyze the gap between their existing processes and those of the ISO 26262 or IEC 62443 standards in detail and then come up with an implementation plan accordingly. Additionally, we will also provide related management certification services for customers' products," Rieger pointed out.
"We already have practical experience of helping customers to implement IEC 62443 in Europe. As the markets of Industry 4.0 and IoT emerge, IT security will be required from chip and device to cloud and infrastructure. This will be a huge market, with applications covering a wide range of industries, such as medical, wind power, energy, automobile, and semiconductor."
"The convergence of technologies will create more novel products and applications. As a result, requirements for functional safety and IT security will be on the rise. I believe that these two technologies will see very strong development in the next five years, and talent will be in short supply. For Taiwan companies, it is the best time to invest in S4S talent and capacity, in a bid to create new opportunities and customers, as well as to maintain their competitive edge."
Gerhard Rieger, Branch Manager of Functional Safety Division, and Kevin Huang, Great China Functional Safety Product Manager at TUV NORD Systems
DIGITIMES' editorial team was not involved in the creation or production of this content.