There is a reason Industry 4.0 is changing the ICS cyber security problem. The very nature of Industry 4.0 is to increase access and accessibility of control of the devices in the factory. This means increased access to the data to expand transparency, reduce network planning, lower CapEx, reduce OpEx, improve bandwidth, and optimize machine interworking. Increasing access and accessibility of control means that the cyber security risk assessment of the factory system is changing. ICS cyber security solutions need to adapt to address the changing risk, and traditional countermeasures applied to the system, such as firewalls and placing a device behind a locked door, are counterintuitive to the goals of Industry 4.0. This means devices will need to be security hardened to enable increased functionality in a secure method. Identity and integrity will be at the core of every device in the field to enable trusted data and secure operation.
There are many different standards in the industrial market that provide guidance on implementing security in industrial control systems. For example, NIST provides security guidance with U.S. governance. IEC 62443 is a security standard in draft form for the international market with governance in Europe. These are two of the most predominant standards, providing useful guidelines for implementing security and assessing one’s security posture for industrial control systems; however, they do not provide guidance on how to accelerate the adoption of Industry 4.0. IEC 62443 is currently absent any guidelines for implementing security below the PLC and an ISA99 working group has recently been established to address cyber security at the bottom layers of the factory within the IEC 62443 framework. Today, to meet an acceptable security posture of a system, countermeasures must be applied to devices that do not reach a sufficient level of security. These countermeasures typically rely on methods such as firewalls to limit access and section off or isolate vulnerable devices. In the future, devices will need to reach higher security levels to enable the transition to Industry 4.0.