The terms “Fourth Industrial Revolution”, “Smart Factory”, “Industry 4.0” and “Digital Industrial Revolution” refer to the same trend, the implementation of data exchange and processing technologies of the internet to operational technologies inside factories. As in every other industrial revolution, companies that implement these new procedures and devices in their production lines will be steps ahead their competition by increasing productivity, reducing costs and even creating new products. We all have read about “Industry 4.0” the buzzword, but I would argue that, unlike many other “smart” trends, this one has basis on the reality. The changes I am going to explore on these posts are related to the industrial control systems, which are currently evolving and, thus, the sector is finding new opportunities and risks that must be taken into account.
Industrial Control Systems are a set of devices (sensors, actuators, controllers and more) deployed so they receive data from a manufacturing process, analyze it and act according with a predefined behavior. The flow of data is constant and its control often has a heavy economic and safety impact, therefore, they require high availability and reliability. These needs have been answered by specialized vendors that offered a set of devices and protocols which they tested and patched regularly. And it worked for decades. I am not talking only about the relation between vendors and customers, but also about the products themselves: while IT deployment has to be replaced every 5 years, ICS can last decades without major changes. This lifespan is crucial when we think about critical SCADA controlled infrastructure like nuclear plants or power lines.
However, times are changing and new technology means a diversity of options. Maybe some processes are simple enough that they do not need the reliability offered by a big vendor. New generation sensors, actuators and controllers can cost less than a coffee (e.g. ESP8266 is a chip made by Espressif with a simple processor and able of conecting via Wifi). This combination of cheap devices and open and free software and protocols has allowed companies to deploy systems at any step of the manufacturing process they desire. The new context has allowed the emergence of new deployment patterns like IoT, Fog Computing or Edge Computing. Definitions vary and they are often an extension or special scenario of another one. For short, they all have in common the deployment of multiple sensors which are connected to a set of controllers that will process the information and send their response to the actuators. Those controllers could be inside the factory or remotely (usually as part of the Cloud), and devices that communicate with remote objects are called “edge devices”. If this seems simple, one could always add machine learning, big data or almost anything else. Even if something is not suitable for a certain factory, it could fit the needs of many others.
This automatization does not imply that the human ingenuity has disappeared: the disposal of the distributed solution requires a great amount of foresight by the multiple engineers. Furthermore, the installation has to be audited and improved on a regular basis so the risks can be identified and patched.
During the degree, I have had the opportunity of doing my working practices inside a company whose aim was to obtain a competitive advantage by adopting the most avant-garde trends of the Industry. There, I learnt that every step towards this new industrial paradigm comes with risks and challenges. Let’s imagine a sensor fails. Who do we detect the issue? Do we have an alternative sensor for that measurement? Might the operator of the machine be in danger? Previous design and heuristics can be applied (with a twist) during the approach to this new context. Sometimes, the cheapness of the gadgets could help making a process more secure as the same work could be managed by several devices, creating redundancy and peer reviewing.
Whether those new devices and paradigms are going to be adopted by the organization or not has to do with its constraints. We cannot let the power lines of a city being controlled by a set of 5 dollar sensors, the task is too critical to rely on them. What is more, probably, regulation will not allow many of them to be deployed because their limitations will impede them to comply with the tight requirements (look the recommended requirements of the German Federal Office for Information Security). In that case, vendors can guarantee that they comply with the current legislation. Nevertheless, vendors have taken some of the ideas of these new devices into account and newer OT has discarded proprietary protocols in favour of open internet protocols. Sometimes, the vendors are participating along their counterparts on the development of new ones. Let’s take as an example the Linux Foundation projects Cloud Foundry and LF Edge. Both of them are supported by tens of vendors and big techs Thanks to those standards, the communication between devices is easier than ever and, increasingly, also with computational resources outside the plant.
But, since internet protocols have been implemented, there is yet a notable risk that was not as relevant before: previous factories used to be self sufficient except for raw materials and electricity. Never before the availability of a digital service had been the backbone of a manufacturer. Setting up a server at the cloud means that you rely on your data going through and/or coming from that connexion. What happens when you lost the connection for a few seconds? And for a day? How do we encrypt the data so no one beside us can interpret it? Let this be an example of the new layer of risks that have been added to the industrial control systems that legacy systems might not be prepared to deal with cyberattacks designed years after their deployment.
ICS are getting more and more integrated with Internet technologies. As advantageous as this trend can be, the truth is that is has increased the number of risks, with cybersecurity being the most critical concern for big auditors as PWC explains in their point of view about cybersecurity for ICS, claiming that «cyber-attacks continue to escalate in frequency, severity and impact year after year».
In the next post, I will go-in depth on the improvement of the Industrial Control Systems (under the label of Industry 4.0) as a point of debate in a postindustrial Europe and why both governments and companies are pushing for an early adoption and regulation.
 Sri Mallur, «Demystifying Cyber Security in Industrial Control Systems», ISACA Journal Volume 4 (2017): 3. https://www.isaca.org/Journal/archives/2017/Volume-4/Documents/Demystifying-Cyber-Security-in-Industrial-Control-Systems_joa_Eng_0717.pdf
 «ESP8266, la alternativa a Arduino con Wifi», Luis Llamas, accessed October 29, 2019, https://www.luisllamas.es/esp8266/
 «Requirements for Network-Connected Industrial Components», Federal Office for Information Security, accessed October 29, 2019, https://www.allianz-fuer-cybersicherheit.de/ACS/DE/_/downloads/BSI-CS_067E.pdf?__blob=publicationFile&v=3
 Samir Malaviya, «SCADA Cybersecurity Framework «, ISACA Journal Volume 1 (2014). https://www.isaca.org/Journal/archives/2014/Volume-1/Documents/SCADA-Cybersecurity-Framework_joa_Eng_0114.pdf
 «The Foundry». Cloud Foundry, accessed October 29, 2019, https://www.cloudfoundry.org/thefoundry/
 «Members». LF Edge, accessed October 29, 2019, https://www.lfedge.org/members/
 «Industrial Control Systems (ICS) Security Market by Solution (Firewall, Antimalware/Antivirus, IAM, Encryption, Whitelisting, Security Configuration Management, DDoS, and IDS/IPS), Service, Security Type, Vertical, and Region – Global Forecast to 2023». Markets and Markets, accessed October 29, 2019, https://www.marketsandmarkets.com/Market-Reports/industrial-control-systems-security-ics-market-1273.html
 Siddharth Vishwanath. «PwC PoV on Industrial Control Systems Cyber Security», PwC India, accessed October 29, 2019, https://www.pwc.in/consulting/cyber-security/industrial-control-systems/pwc-pov.html