How to develop a connected and safe and secure factory
The strategies, technologies and best practices for developing connected automatic production systems, guaranteeing maximum safety and security of data, infrastructure and people.
Maurizio Cacciamani
The strong digitalisation of machines, combined with the increase in connectivity and the complexity of systems has greatly increased cyber-risks, from which it’s essential to defend yourself.
How to defend yourself from attacks
In 2023, attacks against companies in Italy (source Rapporto Clusit 2024) increased by 12%, causing in 89% of cases serious or very serious damage. With regards to the victims, the manufacturing sector is in second place with 13%, double the global sample; 64% of attackers, on the other hand, are associated with cybercrime, aiming exclusively for an economic return, and 36% with hacktivism.
Malware is used for 59% of the attacks and DDoS (Distributed Denial of Service, that is, crashing a system by flooding it with Internet traffic) for 27%. How to defend yourself against attacks? According to Sofia Scozzari (Hackmanac and Clusit), you need a composite strategy that involves an accurate risk analysis and to make necessary investments. Unfortunately, money is spent badly, with incorrect or wrongly used solutions.
Safety and security must go hand-in-hand
It’s necessary to bear in mind that there are vulnerable aspects with respect to safety in the event of an attack. We should mention that, on the theme of safety, the New Machinery Regulation was published last year, which will come into force in 3 years replacing the by now obsolete Machinery Directive of 2006 and which will impose far from banal obligations on companies. In recent years we have seen an exponential increase in attacks that the old Machinery Directive did not foresee in any way. The scenario is further complicated with companies’ required compliance with the new Artificial Intelligence regulation.
The regulations, explains Anna Italiano (Partner4Innovation), prescribe how to manage risks, that is, to assess, update and communicate attacks (to customers, suppliers and if applicable, also the authorities) with the aim of establishing a common high level of resilience against attacks. The new regulations involving entire production sectors, including the supply chain, aim to guarantee operational continuity, providing new rules of governance with the involvement of the BOD for approval of the measures taken, and oblige organisations to engage in training at all company levels.
Attention to “non-4.0” machines
In the modern factory, to guarantee the safety of operators, it’s no longer conceivable to install segregative solutions, but to use new technologies like 3D safety cameras where robots and AGVs operate. It’s not enough to use safe products, but it’s necessary to also design safe environments (here the new regulations help) with the support of consultants right from the start of the projects. It’s also essential to be able to have services available at a global level that take into account local (including legislative) needs.
With regards to security, Marco Catizone (SICK) observes that besides complying with the regulations (NISS2), it’s necessary to use components such as sensors designed from scratch with security as the primary objective: sensors are increasingly connected not only to OT but now also to IT, so they need to be resilient against attacks. The retrofit of “non-4.0” machines require often costly and potentially risky interventions if due precautions are not taken: for example, new sensors should not be connected to the existing automation but to a parallel structure that processes the data, allowing for the creation of risk-free OT-IT links.
Risk analysis
Also for cybersecurity, like for safety, it’s necessary to understand your system’s risks before taking any mitigating action. Those, however, who come from an OT background, not having any experience in IT, tend to buy devices without knowing their system’s risks. Marco Cosatto (Pilz) advises setting and configuring single components, evaluating if there are entry points which are poorly mitigated or mitigated beyond real needs or completely ignored (e.g., wi-fi). It’s a mistake to assume that the Internet provider completely covers a company’s security needs or not to take into consideration local risks (forgotten USB drives or unprotected mobile phone wi-fi).
The best mitigating actions can only be established with a risk assessment of a machine. In all events, safety management requires taking into consideration dangers regarding cybersecurity precisely because it is required by the machinery regulation. One of the most easily attacked links is the supply chain: now, as required by the regulations, it must guarantee the producer the same level of security while using different technical solutions. If small suppliers want to work with larger companies, they will have to guarantee their security even though they are reluctant to implement security measures for reasons of cost: this will generally lead to achieving higher levels of security also on the part of those that are not required by the regulations (NISS2) to implement cybersecurity systems also at organizational level.
“0” risk doesn’t exist
In the last few years, the traffic of enterprises has increasingly and irreversibly shifted onto the internet (smart working, access to machines from remote, data on cloud) so that it’s practically impossible to guarantee perimeter security control. Since the IT and OT networks are tending to converge, it’s complicated, despite their segmentation, to guarantee the security of the factory. It’s necessary, therefore, to choose networks with up-to-date architectures, shifting security controls to within the operators’ network. Tim Enterprise, explains Michele Vecchione, is investing in this direction not only from a technology point of view but also in terms of professional services and skills. 5G ensures more physical safety (that is, the safety of employees) but also cybersecurity with technical measures (cryptography), and more stringent certification rules (the Cyber Resilience Act awaiting approval).
The new Nis2 is not a technical directive, but a managerial one
The factory today is connected for transactions with banks, suppliers, and maintenance and logistics providers: in the end, all must have the same resilience and, for this, a company must necessarily organize itself with new procedures and also new professional figures. In the event of an assessment, Nis 2 (coming into force on 17 October) provides for sanctions of up to 2% of turnover, with a maximum ceiling of 10 million euros. Given the costs, companies should seek access to funding and benefits for cybersecurity, which need to be studied and developed not on the single enterprise, but on the ecosystem.
Taking skills and spending capacity into account
There is much diversity in the manufacturing sector: some, pushed by the regulator, are becoming aware of cybersecurity; some have installed protection solutions; others, instead, have not yet taken the problem seriously. The first step is having a good segregated IT with good management practices. The next step is to choose solutions conceived specifically for the OT network which must guarantee the continuity of production, eliminating disturbing elements. The approach must be gradual and risk-based, which takes into account the company’s skills and spending capacity.
The training of employees should not be forgotten, given that, in the OT context (especially among operators) the awareness of risks is low and any activity in this area leads to immediate results. OT networks are often hit in a mundane way but causing very serious damage, also by very old-type malware that move around undisturbed, due to obsolete operating systems or the impossibility of updating machine controls.
Specific software, suggests Fabio Sammartino (Kaspersky Italia), can significantly reduce the effects of these attacks. Infections from the internet are increasing and those by e-mail falling, while the risk of ransomware (the final part of a chain of attack) is stable, with an increase in attacks which, however can be “blocked” in advance.
The new Transition 5.0 plan
The new Transition 5.0 plan was the focus of the debate at the 360SummIT Forum in which, among others, representatives of Confindustria, category associations, representatives of the Ministry of Finance and financial bodies took part
This is a delicate and topical question given the complicated process of the related legislative decree and the laborious preparation of the relevant implementing decrees necessary for the approval of projects and for obtaining relative funding. We should point out that Transition 5.0 rewards digitalisation and the containment of consumption, incentivizing Italian enterprises to invest in innovative software and hardware technologies. From production to logistics, these technologies can, in fact, play a crucial role in optimising operations and reducing environmental impact. The various contributions to the forum explained the difference between Transition 4.0 and Transition 5.0.; the characteristics and benefits of the new plan which is well-structured and well-covered financially; what to do to access funding; the tax credits available; the certifications to be submitted; how controls will be carried out. For further details, reference should be made to the article written by Milena Bernardi titled “Green light for the transition 5.0 plan”, ItaliaImballaggio, May 2024.
Source: Drawn from the round table coordinated by Franco Canna (Innovation Post) “Finanziare l’innovazione al servizio della transizione digitale e green: le novità del piano Transizione 5.0” (Financing innovation at the service of the digital and green transition: new elements in the Transition 5.0 plan) held at the Industry4.0 360SummIT Forum.