Data security for the I4.0 revolution


Written by Barry Arnott, founder and CTO of D-Sig.

The fourth industrial revolution offers a host of potential gains for manufacturers. Powered by 5G telecommunications networks, with their faster processing speeds, greater bandwidth and lower latency than ever before, the digital revolution promises to unleash the full potential of automation, creating networks of connected plant and machinery that can communicate in real time, supporting machine learning and artificial intelligence to drive data-led decision making on the shop floor.

Research carried out by nexGworx as part of the DCMS 5G Testbed and Trials programme suggested that 5G networks could boost UK PLC’s productivity by between £2.6bn and £6.3bn per year. There is a lot to be excited about, so where’s the catch?

According to IBM, manufacturing is the second most-likely industry to come under cyber-attack, with attacks on control systems, theft of intellectual property and the gathering of sensitive process data being just three reasons ‘bad actors’ may target a company. The same survey highlighted that data breaches cost businesses £3m per incident, taking 8-9 months to detect and contain, so the cost of failing to plan for such eventualities is clear.

With more machines connected to each other, and data transferred across private, public and hybrid networks, come more network entry points and, crucially, more potential targets for industrial cyber-attacks.

So, what can manufacturers do to protect their businesses while reaping the productivity and innovation benefits of this brave new world?

The answer lies in the use of cryptography to protect data.

Cryptographic algorithms are mathematical algorithms designed to secure data and withstand cyber-attacks: they protect the confidentiality of data, provide assurance of its trustworthiness, and allow access on a ‘need to know’ basis.

While cryptographic algorithms are coded to run on a variety of hardware devices, including general computers, they should ideally run within special-purpose cryptographic hardware. Organisations such as the National Institute of Standards and Technology (NIST) make recommendations as to which algorithms to use and their usable lifespan. The current set has been around for 20 years, but a new set of quantum-secure algorithms is currently being defined and is expected to be standardised in 2024.

There are two types of cryptographic algorithms that are key to designing a comprehensive IP data protection scheme. These are encryption and digital signatures:

Encryption - these algorithms work by scrambling data to make it difficult for an attacker to determine the actual information. They make use of a shared encryption key, secret information known as a ‘secret key’, of which only the entities that need access to the data have a copy. Typically, these secret keys are not shared manually but generated ‘on the fly’ using a ‘key agreement’ algorithm, enabling both the sender and recipient to remotely agree the encryption key.

Digital Signatures - these build on encryption to demonstrate whether or not the data source is trustworthy and whether it has been tampered with. Digital signatures are generated using a different secret key (an entity’s private key) and can be verified by another entity that has knowledge of the corresponding public (partner) key.
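
As an added illustration (not code from the article or from D-Sig), the sketch below runs both algorithm types end to end with Node.js's built-in crypto module: two parties agree a secret key with X25519, the sender encrypts a reading with AES-256-GCM and signs it with Ed25519, and the recipient verifies before decrypting. The algorithm choices, the names `machine` and `historian`, and the sample reading are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Sender's long-term signing key pair; the private half never leaves the sender.
const senderSigning = crypto.generateKeyPairSync('ed25519');

// Key agreement: each side combines its own private key with the peer's public key.
function agreeKey(myPrivate, peerPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  // HKDF turns the raw shared secret into a 256-bit AES key ('i40-demo' is a constructed label).
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'i40-demo', 32));
}

// Encrypt with the agreed secret key, then sign everything the recipient will rely on.
function protect(plaintext, key, signingPrivateKey) {
  const iv = crypto.randomBytes(12); // must be unique for every message under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  const signature = crypto.sign(null, Buffer.concat([iv, ciphertext, tag]), signingPrivateKey);
  return { iv, ciphertext, tag, signature };
}

// Verify the source first; only then decrypt.
function open(msg, key, signerPublicKey) {
  const signed = Buffer.concat([msg.iv, msg.ciphertext, msg.tag]);
  if (!crypto.verify(null, signed, signerPublicKey, msg.signature)) {
    throw new Error('signature check failed: untrusted source or tampered data');
  }
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

function demo() {
  const machine = crypto.generateKeyPairSync('x25519');   // hypothetical sender
  const historian = crypto.generateKeyPairSync('x25519'); // hypothetical recipient
  const kSend = agreeKey(machine.privateKey, historian.publicKey);
  const kRecv = agreeKey(historian.privateKey, machine.publicKey);
  const reading = '{"line":"furnace-2","grade":"S355","tonnes":41.7}'; // constructed sample
  const msg = protect(reading, kSend, senderSigning.privateKey);
  const recovered = open(msg, kRecv, senderSigning.publicKey);
  // Flip one bit in transit: the recipient must reject the message.
  const tampered = { ...msg, ciphertext: Buffer.from(msg.ciphertext) };
  tampered.ciphertext[0] ^= 1;
  let rejected = false;
  try { open(tampered, kRecv, senderSigning.publicKey); } catch { rejected = true; }
  return { keysMatch: kSend.equals(kRecv), recovered, rejected };
}
```

The key-agreement public keys are exchanged unauthenticated in this sketch; in a deployment they need to be bound to their owners, for example by a certificate, so that each side knows whose key it is agreeing with.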

So, how do you go about designing a cryptographic system to protect manufacturing IP?

IP needs to be protected from the moment it is created until it is no longer relevant. As a starting point, manufacturers need to think about what data needs to be protected, who or what needs access to that data, and how long the data should be protected for. Who the data needs protecting from is not always obvious. For example, some seemingly unexciting data may be extremely valuable to competitors, such as in a steel works producing different types and grades of steel. Here, quality and volume data may be very interesting to a competitor.

After deciding what data needs to be protected, companies then need to consider where it can be legitimately used and who (or what) should have access to it. Should there be an audit trail identifying who (or what) has accessed the data and when? How should that data be destroyed when it's no longer relevant?

Scaling up and the role of Digital Certificates

Typically, there are hundreds of IP data items that need to be protected while remaining accessible by different people and systems. This can seem like a logistical nightmare, but the use of different types of digital certificates can make it much more manageable.

Essentially, digital certificates are just data objects that are digitally signed by a trusted authority (a Certification Authority). The certificates contain different information depending on their purpose but, in all cases, they provide trust that certain operations can be safely executed. For example, certificates can provide a flexible way of managing which entities have access to data and what type of access they have.
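
To make the idea concrete, here is an added example (not the article's or D-Sig's code) in which a certificate is a JSON object signed by a Certification Authority that grants one system read access to one data item, and a data store checks it before serving a request. The certificate layout is a deliberately simplified assumption, not X.509, and the names `mes-01` and `steel-grade-recipes` are constructed.

```javascript
const crypto = require('node:crypto');

const ca = crypto.generateKeyPairSync('ed25519');  // the trusted authority
const mes = crypto.generateKeyPairSync('ed25519'); // hypothetical system requesting data

// The CA signs a data object that binds a subject's public key to access rights.
function issueCertificate(caPrivateKey, fields) {
  const body = Buffer.from(JSON.stringify(fields));
  return { body, signature: crypto.sign(null, body, caPrivateKey) };
}

// The subject signs each request with its own private key.
function signRequest(subjectPrivateKey, request) {
  const body = Buffer.from(JSON.stringify(request));
  return { body, signature: crypto.sign(null, body, subjectPrivateKey) };
}

// The data store trusts only the CA's public key; everything else is derived from it.
function checkAccess(cert, signedRequest, caPublicKey, now) {
  // 1. Was the certificate issued by the trusted authority and left unmodified?
  if (!crypto.verify(null, cert.body, caPublicKey, cert.signature)) {
    return 'deny: certificate signature';
  }
  const c = JSON.parse(cert.body.toString('utf8')); // parsed only after verification
  // 2. Is the certificate within its validity period?
  if (now < Date.parse(c.notBefore) || now > Date.parse(c.notAfter)) {
    return 'deny: certificate not valid at this time';
  }
  // 3. Was the request signed by the key the certificate names?
  const subjectKey = crypto.createPublicKey(c.subjectPublicKey);
  if (!crypto.verify(null, signedRequest.body, subjectKey, signedRequest.signature)) {
    return 'deny: request signature';
  }
  // 4. Does the certificate grant this action on this data item?
  const r = JSON.parse(signedRequest.body.toString('utf8'));
  if (r.dataItem !== c.dataItem || !c.access.includes(r.action)) return 'deny: not granted';
  return 'allow';
}

// Constructed sample certificate: read-only access for one year.
const cert = issueCertificate(ca.privateKey, {
  subject: 'mes-01',
  subjectPublicKey: mes.publicKey.export({ type: 'spki', format: 'pem' }),
  dataItem: 'steel-grade-recipes',
  access: ['read'],
  notBefore: '2024-01-01T00:00:00Z',
  notAfter: '2025-01-01T00:00:00Z',
});
```

Changing who may access a data item then means issuing or withholding a certificate rather than reconfiguring every data store, which is what makes the approach scale.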

Whatever data security solution you choose, the system has to be flexible enough to allow for the fact that the IP data under protection may change over time. Designing and implementing a data protection system fit for the quantum computing age is a challenge, but not an unachievable one.

Deciding what to protect and who or what has access to that data is the first step, after which companies can develop a wider security solution, bespoke to their needs. Getting it right is key to giving manufacturers the confidence to explore the full potential of Industry 4.0, protecting IP data from its creation to its eventual disposal.