A lock in a dark environment. The lock is surrounded by blue PCB-like lines.
empowering communication

Industrial Communciation with security

The increasing convergence of information technology (IT) and operational technology (OT) is imposing growing demands on IT security in the manufacturing landscape. Ronald Heinze, Editor-in-Chief of VDE Verlag, interviewed Thomas Rauch, Chief Technology Officer (CTO) at Hilscher, to discuss the challenges and solutions for a secure industrial communication infrastructure in the digital age.

Author: Ronald Heinze
 

“The traditionally separate worlds of IT and OT are increasingly merging,” emphasizes T. Rauch. This integration is essential because both areas need to communicate more closely to ensure effective production processes. Today, continuous connectivity extends from the production level to private or public clouds and includes various digital services.

However, digital transformation also brings new risks: Technological advancements give rise to new attack vectors that were previously unimaginable. This development requires continuous optimization of security measures for field devices and enhancing resilience in supply chains. The growing interconnectedness and the demand for further digitization increase the scope of potential cyberattacks.

According to T. Rauch, the threat landscape has evolved from isolated hacker attacks to a global scenario involving state-sponsored cyber operations and trade wars. “This means that production can be deliberately disrupted or even brought to a halt,” the CTO stresses. The development poses a serious threat, not only affecting production systems but also endangering lives by directly impacting the functional safety of those systems. According to the Hilscher manager, the German Federal Office for Information Security (BSI) reports that there are 70 new vulnerabilities for attack vectors every day.

 

Thomas Rauch

Technological Responses to Global Security Challenges

“Today’s technological possibilities bring security challenges to new dimensions,” emphasizes T. Rauch. “For example, quantum computing will be able to break even the complex security mechanisms we currently rely on.” Artificial intelligence also plays a role. “New EU regulations, such as the recently passed Cyber Resilience Act (CRA), require companies to allocate intensive resources to address this issue, and that across the entire supply chain,” adds the manager. The question is: How can we address these challenges without panicking?

To meet these complex challenges, companies must adopt advanced technological solutions that take into consideration even developments in post-quantum cryptography, aiming to stay ahead in the ever-evolving race against emerging threats.

Hilscher is at the forefront of this effort: “As an expert in industrial communication, we bring our expertise to bear,” says T. Rauch, who has been with the company for two years. The “one-stop-shopping” concept allows the company, headquartered in Hattersheim, Germany, to offer a coordinated combination of software and hardware solutions specifically designed to protect against novel attack vectors. “This allows us to respond comprehensively to all new challenges,” adds the CTO, who is responsible for the technology development of the netX chips, protocol stacks and Industrial IoT at Hilscher’s headquarter in Hattersheim near Frankfurt as well as the devlopment sites in Berlin and Varna, Bulgaria. “We have the master key against new attack vectors.” He continues, “In the future, it will no longer be possible to ensure a high level of security using only software.”

“We incorporate into our solutions the expertise of the open source community and the Real-Time Ethernet and fieldbus organizations, of which we are active members. Being directly involved in these organizations also gives us a perfect understanding of emerging requirements,” continues Rauch. He cites CIP Security from ODVA, PROFINET Security from PROFIBUS & PROFINET International, and OPC UA Security as examples. The deployment location of the communication solution is also crucial, and the entire security lifecycle must be considered.

Meeting Current and Future Requirements

“The netX 90 chip generation that is already in use and well-established in the industry meets all current security requirements,” asserts the CTO. “Advanced security mechanisms are integrated into the chip.” These network processors are specifically designed to meet the security standards of IEC 62443 and the Cyber Resilience Act, providing a solid foundation for making communication within industrial IoT secure.

“Our netX 90, for example, includes secure boot mechanisms. Firmware can be signed on the application side, ensuring that no malicious software can be loaded,” explains the 42-year-old manager. The security issue is becoming more and more important in all product areas. Hilscher aims to ensure that all future security standards are met, including new security mechanisms for various communication protocols.

Hilscher takes it a step further with the new netX 900 generation. These secure gigabit communication processors integrate security mechanisms at various levels while offering high performance with low power consumption. The security management processing includes features such as Secure Debug, unique ID, key management, certificate management, lifecycle management, and a crypto engine. 

“Security on the fly is integrated even in the data path, and done so effectively without compromising data transfer speed,” affirms T. Rauch. “The netX 900 features its own security processor with crypto engines.” He highlights that the new generation of communication controllers represents a highly optimized and coordinated combination of hardware and software.

“We have also integrated all secure boot mechanisms for the stacks,” he emphasizes. “When we develop communication controllers, we consider all requirements in detail. Attack vectors can already be embedded in the ROM code.” He continues, “As a comprehensive communication expert, we have everything under control and can address vulnerabilities at the most effective level.” These integrated technologies enhance security according to current standards, meet the requirements of IEC 62443, and even take into account secure data disposal during decommissioning. The user organization’s security standards are integrated.

The development of secure communication controllers like the netX 900, which offer secure boot and firmware signing capabilities, represents an important step in protecting industrial communication devices from unauthorized access. The first samples of the netX 900 family will be available at SPS 2024. Hilscher also places great importance on resilient supply chains: “We source the semiconductor chips we use, featuring 22-nanometer technology, from TSMC. These will soon be manufactured in Dresden and Japan. This ensures long-term supply chain security.”

A tray of embedded modules with a netX chip onboard in a production machine. A red gleam is seen in the background. A small golden needle for testing comes from the top pointing at the tray.

Regulatory Requirements and Market Changes

Due to increasing risks, regulatory requirements are essential. After a three-year grace period, the recently enacted Cyber Resilience Act (CRA) of the European Union will come into effect, with some aspects, such as mandatory reporting by manufacturers of security incidents, being enforced much earlier. It will become a necessary requirement to receive the CE label. Distributors of affected products are required to meet the CRA requirements.

The adoption of the CRA and the associated regulatory requirements, such as the obligation to provide security patches for at least five years, will significantly impact the global market. Reporting obligations include notifying relevant authorities of issues within 24 hours. The penalties for non-compliance with these obligations are similar to those for violations of the General Data Protection Regulation (GDPR). T. Rauch is convinced that the high requirements for industrial communication will lead to portfolio and market consolidation.

“At Hilscher, as an enabler of industrial communication, we can meet these high security requirements,” T. Rauch asserts confidently. This applies to Hilscher’s entire portfolio, from communication controllers to IoT with its netFIELD edge computing and edge management solutions. “We also see a significant shift in the IoT industry, as manufacturers of semi-developed Linux applications or operators of self-built solutions will need to meet CRA criteria.” In his opinion, it is not economically viable for many providers to ensure that their solutions will meet the growing IT security requirements on an ongoing basis, as this would mean a significant allocation of resources and a big investment.

You might also be interested in
A lock in a dark environment. The lock is surrounded by blue PCB-like lines.

Develop secure devices and systems with our netX communication controllers and our secure protocol firmware. You are thus ideally equipped to meet the requirements of standards such as IEC 62443 or the Cyber Resilience Act.

A photo collage showcasing various Hilscher products

From turn-key products to highly integrated solutions and complementary software, Hilscher is your partner for industrial communication. Get an overview of how we can help you take the networking of your machines to a whole new level!

Roadmap to CRA Compliance

“We see these regulations not only as a challenge but also as an opportunity to position ourselves as pioneers in security,” the manager is pleased to say. “We understand the risks facing our customers and can respond accordingly.” By adapting to these standards early and creating a dedicated security expert team, Hilscher can even guide its customers through the complex certification process and offer a comprehensive security portfolio. This includes establishing the IEC 62443 security standard—both on the process and product sides. The NIS 2 directive is also affected. Hilscher possesses the necessary expertise.

Hilscher has a clear plan to have processes and products certified to IEC 62443 by TÜV Rheinland in time for the implementation of the CRA. The company will start with Maturity Level 2, which describes a certain level of process maturity. To achieve a certain level of maturity, all process-related requirements must always be adhered to when developing or integrating a product. “The final report for process certification is expected by SPS 2024,” T. Rauch explains.

Technical requirements for systems (IEC 62443-3-3) and products (IEC 62443-4-2) are evaluated according to the standard by four security levels (SL). The different levels indicate the level of resilience to various attacker classes. “We will classify our products accordingly,” he continues. “Product certification will begin afterwards, which will be completed in two stages by SPS 2026.” The communication expert also employs a professional consulting firm to ensure its success.

Another topic is the current NIS 2 directive. NIS is about keeping attackers at bay and being prepared for security incidents. The new aspect of NIS 2 is its expanded scope: the directive extends cybersecurity to many medium-sized companies. The deadline for NIS 2 is October 18, 2024. “NIS 2 can be well addressed with information security according to the ISO 27001 standard,” T. Rauch notes. “We recommend applying both the IEC 62443 and ISO 27001 standards. We are also working on ISO 27001 certification, which we aim to complete by 2025.”

Conclusion

A holistic security strategy that encompasses both the physical and digital levels is indispensable in industrial communication. As industrial production becomes increasingly digital and interconnected, this requires close coordination between IT and OT, the development of robust security solutions, and proactive adaptation to changing regulatory requirements. With its integrative approach and extensive expertise in industrial communications, Hilscher is uniquely qualified to not only understand, but also to actively shape the security requirements of the modern manufacturing landscape.

This text was originally published by etz elektrotechnik & automation.

Related links
A man in a dark blue business suit and a white blue shirt smiles into the camera. He has short dark hair.
About the author: Ronald Heinze

Ronald Heinze is known in the automation industry as one of the best connected and informed editors. He is Publishing Director and Editor-in-Chief of VDE VERLAG GmbH, a German media company for trade journals such as Digital Factory Journal or etz.

Connect with him on LinkedIn

"etz" written in large blue letters on white background.

The trade journal etz elektrotechnik & automation from VDE Verlag provides you with the latest news from the areas of companies and industries, as well as the latest product reports and technical articles from the areas of production and machine automation, process and energy automation, drive and switching technology and components & peripherals.

A photo of the male and female customer support phone operator with different internationality
Customer Center / Sales: Hilscher North America, Inc.

You've got questions? We've got the answers!