For manufacturers, Industry 4.0 offers a goldmine of opportunities, including greater flexibility and productivity, lower resource and energy consumption, and mass production of one-off products. The key to it all is fully integrated, self-organizing factories and production networks. But there are security risks. Networking machines and entire production lines and connecting them to the world via the Internet is also a goldmine of opportunity for data saboteurs, cyber-criminals and product pirates – as was demonstrated last year when hackers accessed an internal network at a German steel mill and took control of a blast furnace, causing massive damage. The legal issues raised by Industry 4.0 are just as far-reaching, if perhaps not quite as spectacular. Who owns all the vital data that’s generated in the course of cooperative projects? Who’s liable if a smart factory makes a bad decision?
Convergence of production security and IT security
IT vulnerabilities can undermine a company’s competitive position. And there’s much more at stake than just theft of trade secrets. Thanks to the convergence of the cyber and physical worlds, the possibilities for enterprise cyber-attacks are now literally limitless. Until recently, instances of industrial plants being compromised by cyber-attacks were confined largely to the USA and Iran and tended to have political undertones. But the steel mill case happened in Germany. So the threat of cyber-attacks – whether motivated by political or commercial interests – is global. The German Electrical and Electronic Manufacturers’ Association (ZVEI) even goes so far as to describe cyber-security as being of strategic importance for Germany’s international competitiveness in the industrial sector. The ZVEI bases its assessment on a June 2014 study entitled "Net Losses: Estimating the Global Cost of Cybercrime" published by the Center for Strategic and International Studies. The study indicates that, in percentage terms, Germany’s economic loss from cybercrime is the highest of any country in the world. It puts the loss to the entire German economy for 2013 at 1.6 percent of GDP. That’s about €44 billion – in just one year. The study further estimates that the annual global cost of cyber-criminality is around US$400 billion.
Prevention is better than cure: security by design
Given that prevention is better than cure, where should industrial IT security start? Endpoint security specialists like Symantec’s Olaf Mischkovsky recommend a combination of device-level encryption and authentication components. But even more important than this, the Fraunhofer Institute for Secure Information Technology tells us, is "Security by Design" – factoring IT security into intelligent production plants right at the design phase. Then again, it’s not just our cyber-physical systems of networked machines that are seemingly still easy prey for hackers. There’s also the human element. To return to the steel mill example, the hackers in that case were able to take control of the blast furnace because they used spoofed e-mails to harvest login information from mill employees. That is why, as Germany’s ZVEI argues, the human factor is a key part of any cyber-security strategy worth having.
Liability: Machines too smart to fail?
No less important – yet still largely unanswered – are a number of new legal questions raised by the digital transformation of industry. For one thing, we need to revisit the idea of liability. What happens if a business operator ends up leaving entrepreneurial decisions to a machine? Would that mean that the machine is then acting on behalf of the business operator? Who would be liable if the machine makes a mistake? These sorts of legal questions need to be resolved if businesses are to proceed with confidence. And that, according to Dr. Alexander Duisberg, a partner at the Munich law firm of Bird & Bird LLP, will require creativity and legal willpower. It is likely that "joint, data-intensive production processes will increasingly lead to joint and several liability to injured third parties." In plain English: if the process is digitally integrated, then everyone involved is likely to be liable.
HANNOVER MESSE presents many opportunities for you to discuss the IT security aspects of Industry 4.0 with industry peers and government policymakers.