How to develop a connected and safe and secure factory

The strategies, technologies and best practices for developing connected automatic production systems, guaranteeing maximum safety and security of data, infrastructure and people.

Maurizio Cacciamani

The strong digitalisation of machines, combined with increased connectivity and the growing complexity of systems, has greatly increased cyber-risks, against which it’s essential to defend yourself.

How to defend yourself from attacks

In 2023, attacks against companies in Italy (source: Rapporto Clusit 2024) increased by 12%, causing serious or very serious damage in 89% of cases. As for the victims, the manufacturing sector is in second place with 13%, double the global sample; 64% of attackers, on the other hand, are associated with cybercrime, aiming exclusively for an economic return, and 36% with hacktivism.

Malware is used in 59% of the attacks and DDoS (Distributed Denial of Service, that is, crashing a system by flooding it with Internet traffic) in 27%. How to defend yourself against attacks? According to Sofia Scozzari (Hackmanac and Clusit), you need a composite strategy that involves an accurate risk analysis and making the necessary investments. Unfortunately, money is often spent badly, on incorrect or wrongly used solutions.

Safety and security must go hand-in-hand

It’s necessary to bear in mind that there are aspects of safety that become vulnerable in the event of an attack. We should mention that, on the theme of safety, the New Machinery Regulation was published last year; it will come into force in 3 years, replacing the by now obsolete Machinery Directive of 2006, and will impose far from trivial obligations on companies. In recent years we have seen an exponential increase in attacks that the old Machinery Directive did not foresee in any way. The scenario is further complicated by companies’ required compliance with the new Artificial Intelligence regulation.

The regulations, explains Anna Italiano (Partner4Innovation), prescribe how to manage risks, that is, how to assess, update and communicate attacks (to customers, suppliers and, if applicable, also the authorities), with the aim of establishing a common high level of resilience against attacks. The new regulations, which involve entire production sectors including the supply chain, aim to guarantee operational continuity, providing new rules of governance with the involvement of the board of directors in approving the measures taken, and oblige organisations to carry out training at all company levels.

Attention to “non-4.0” machines

In the modern factory, to guarantee the safety of operators, it’s no longer conceivable to install segregating solutions; instead, new technologies like 3D safety cameras are used where robots and AGVs operate. It’s not enough to use safe products: it’s also necessary to design safe environments (here the new regulations help) with the support of consultants right from the start of the projects. It’s also essential to have services available at a global level that take into account local (including legislative) needs.

With regard to security, Marco Catizone (SICK) observes that besides complying with the regulations (NIS2), it’s necessary to use components such as sensors designed from scratch with security as the primary objective: sensors are increasingly connected not only to OT but now also to IT, so they need to be resilient against attacks. The retrofit of “non-4.0” machines often requires costly and potentially risky interventions if due precautions are not taken: for example, new sensors should not be connected to the existing automation but to a parallel structure that processes the data, allowing for the creation of risk-free OT-IT links.

Risk analysis

For cybersecurity, as for safety, it’s necessary to understand your system’s risks before taking any mitigating action. Those who come from an OT background, however, not having any experience in IT, tend to buy devices without knowing their system’s risks. Marco Cosatto (Pilz) advises setting up and configuring individual components, evaluating whether there are entry points which are poorly mitigated, mitigated beyond real needs, or completely ignored (e.g., Wi-Fi). It’s a mistake to assume that the Internet provider completely covers a company’s security needs, or not to take local risks into consideration (forgotten USB drives or unprotected mobile phone Wi-Fi hotspots).

The best mitigating actions can only be established with a risk assessment of a machine. In any event, safety management requires taking cybersecurity dangers into consideration, precisely because the machinery regulation requires it. One of the most easily attacked links is the supply chain: now, as required by the regulations, it must guarantee the producer the same level of security, even while using different technical solutions. If small suppliers want to work with larger companies, they will have to guarantee their security, even though they are reluctant to implement security measures for reasons of cost. This will generally lead to higher levels of security also on the part of those that are not required by the regulations (NIS2) to implement cybersecurity systems, including at the organisational level.

“0” risk doesn’t exist

In the last few years, enterprise traffic has increasingly and irreversibly shifted onto the Internet (smart working, remote access to machines, data in the cloud), so that it’s practically impossible to guarantee security through perimeter control. Since the IT and OT networks are tending to converge, it’s complicated, despite their segmentation, to guarantee the security of the factory. It’s necessary, therefore, to choose networks with up-to-date architectures, shifting security controls to within the operators’ network. TIM Enterprise, explains Michele Vecchione, is investing in this direction not only from a technology point of view but also in terms of professional services and skills. 5G ensures more physical safety (that is, the safety of employees) but also cybersecurity, with technical measures (cryptography) and more stringent certification rules (the Cyber Resilience Act, awaiting approval).

The new NIS2 is not a technical directive, but a managerial one

The factory today is connected for transactions with banks, suppliers, and maintenance and logistics providers: in the end, all must have the same resilience and, for this, a company must necessarily organise itself with new procedures and also new professional figures. In the event of an assessment, NIS2 (coming into force on 17 October) provides for sanctions of up to 2% of turnover, with a maximum ceiling of 10 million euros. Given the costs, companies should seek access to funding and benefits for cybersecurity, which need to be studied and developed not for the single enterprise, but for the ecosystem.

Taking skills and spending capacity into account

There is much diversity in the manufacturing sector: some companies, pushed by the regulator, are becoming aware of cybersecurity; some have installed protection solutions; others, instead, have not yet taken the problem seriously. The first step is having a well-segregated IT network with good management practices. The next step is to choose solutions conceived specifically for the OT network, which must guarantee the continuity of production, eliminating disruptive elements. The approach must be gradual and risk-based, taking into account the company’s skills and spending capacity.

The training of employees should not be forgotten, given that in the OT context (especially among operators) awareness of risks is low and any activity in this area leads to immediate results. OT networks are often hit in mundane ways that nonetheless cause very serious damage, even by very old malware that moves around undisturbed, due to obsolete operating systems or the impossibility of updating machine controls.

Specific software, suggests Fabio Sammartino (Kaspersky Italia), can significantly reduce the effects of these attacks. Infections from the Internet are increasing and those by e-mail falling, while the risk of ransomware (the final stage of an attack chain) is stable, with an increase in attacks which, however, can be “blocked” in advance.

The new Transition 5.0 plan

The new Transition 5.0 plan was the focus of the debate at the 360SummIT Forum, in which, among others, representatives of Confindustria, category associations, the Ministry of Finance and financial bodies took part.

This is a delicate and topical question, given the complicated process of the related legislative decree and the laborious preparation of the implementing decrees necessary for the approval of projects and for obtaining the related funding. We should point out that Transition 5.0 rewards digitalisation and the containment of consumption, incentivising Italian enterprises to invest in innovative software and hardware technologies. From production to logistics, these technologies can, in fact, play a crucial role in optimising operations and reducing environmental impact. The various contributions to the forum explained the difference between Transition 4.0 and Transition 5.0; the characteristics and benefits of the new plan, which is well-structured and well-covered financially; what to do to access funding; the tax credits available; the certifications to be submitted; and how controls will be carried out. For further details, reference should be made to the article by Milena Bernardi titled “Green light for the transition 5.0 plan”, ItaliaImballaggio, May 2024.

Source: Drawn from the round table coordinated by Franco Canna (Innovation Post) “Finanziare l’innovazione al servizio della transizione digitale e green: le novità del piano Transizione 5.0” (Financing innovation at the service of the digital and green transition: new elements in the Transition 5.0 plan) held at the Industry4.0 360SummIT Forum.
