Increasing digitisation in the smart factory is accompanied by new challenges when dealing with safety. Thomas Pilz, Managing Partner at Pilz, is interviewed about current developments and the changing understanding of safety and industrial security.
Mr Pilz, is industrial security now equally as important as safety?
Thomas Pilz: Without industrial security, safety would no longer be possible. In the past the two fields were considered separate entities, but now industrial security encompasses safety and ensures its integrity. This rethinking can be clearly seen in the ongoing revision of the Machinery Directive, as in the new version security is understood to be part of the safety chain. And I wholeheartedly agree with this.
But there is still a fundamental difference in the understanding of the two terms, safety and security, right?
Exactly. When it comes to safety, one assumes that a person is injured due to a mechanical movement, but there is no malicious intent behind their actions and they are at worst grossly negligent. With security this is totally different, as malicious intent is assumed: A criminal wants to damage the machine.
What are the implications for risk assessment?
First we must assume that the risk to security is always present and that we must always be on guard. Safety is positioned opposite to this, where possible risks can be detected and rectified through regular checks. This naturally also affects the risk assessment. We at Pilz are convinced that a holistic approach is necessary, as the terms safety and security – as previously stated – are interwoven. Our experts have been trained on this and point out possible risks and vulnerabilities as well as appropriate measures in discussions with customers.
You already mentioned that the standards are changing with regard to security. What do you think is the situation when it comes to awareness: Do you find that operators are doing enough to protect their plants?
Awareness is changing, particularly with the increase in hacker attacks since 2017. After all, every profitable company can become the target of this type of attack. With the implementation of Industrie 4.0 and the Internet of Things with permanently networked machines, the threat level is critical if no measures have been taken. But we have noticed that there is much uncertainty when it comes to dealing with security. That is why our holistic approach to safety and security is so important to us and we would like to improve our customers’ and partners’ awareness of this topic. Taking action early on means being protected against manipulation or attacks, thereby ensuring not only the safety of humans and machinery but also the productivity.
What challenges come along with security? Is it enough to always supply machines with the latest updates?
That is an interesting question because it seems obvious that part of cyber security would be keeping software up to date. In reality, however, this is not always necessary, or can even lead to a limitation of productivity. Before an operator performs updates on their older machine – and thus brings manufacturing to a standstill – it is worthwhile to ask whether the machine should be networked with other machines or whether it can work as a “stand-alone”. If the latter is the case, the latest software state is not absolutely necessary. If networking is required, regular updates increase the safety and security. Highly granular segmentation of the OT network and the use of firewalls such as our SecurityBridge also offer additional protection. This application firewall protects industrial automation networks against manipulation and enables protected connections, e.g. in a cloud.
WiHow can older machines be made safe and secure?
Retrofitting is generally relatively simple: SecurityBridge, for example, can be quickly set up by an electrician or qualified IT personnel thanks to the auto-configuration. Another important topic is the control of access permissions so that only authorised persons have access to a process. With the devices from the PITmode range, safe operating modes and access permissions can be implemented with high flexibility and in accordance with our customers’ respective specifications. Meaning safety and security in one system.