Data Networks: In IoT we trust | Avnet Silica

Data Networks: In IoT we trust


The Industrial Internet of Things, or Industry 4.0, not only connects machines and computers but also vendors, suppliers, and customers.

Transmission and exchange of confidential data requires secure links and virtual data spaces. The Industrial Data Space initiative aims at achieving just that.

The Industrial Data Space (IDS) initiative was launched by Fraunhofer-Gesellschaft in late 2014 with the backing of industry partners and government agencies.

Its purpose is to establish a reference architecture for a virtual data space using standards and common governance models to facilitate the secure exchange and easy linkage of data in business ecosystems and to promote its use on a European and international scale.

We have a compelling opportunity for Germany to take the lead in the digital transformation of industry by creating a de facto standard.
Reimund Neugebauer, President of Fraunhofer Gesellschaft

 

The three elements that need to be upheld to provide information and industrial system asset security are confidentiality, integrity, and availability, often referred to as CIA:

Confidentiality is the principle that information is not made available or disclosed to unauthorized individuals, entities, or processes. Confidentiality in business includes encryption and access control technologies.

Integrity ensures that improper information modification or destruction is guarded against. Data integrity, a subset, ensures that unauthorized parties cannot alter data and take control of the system without detection.

Availability is the property of timely, on-demand, and reliable access to, and the use of, information by an authorized user. Availability controls usually involve redundancy and engineering change control. Sometimes security activities are included.

Standards for industrial security

The Industrial Internet Consortium (IIC) published a comprehensive document, Industrial Internet of Things Volume G4: Security Framework, to initiate the creation of a broad industry consensus on how to secure Industrial Internet of Things (IIoT) systems. These connect and integrate industrial control systems with enterprise systems, business processes, and analytics. They also enable large advances in optimizing decision-making, operations, and collaborations in numerous increasingly autonomous control systems. One section of the book gives an overview of existing standards:

  • The IEC publishes the IEC 62443 series of standards for industrial automation and control systems security. The series is comprised of four sections: General, Policies & Procedures, System, and Component.
  • The National Institute of Standards and Technology (NIST) has published NIST SP 800-82 Revision 2. This offers guidance on improving security in industrial control systems (ICSs), including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCSs), and other control system configurations such as programmable logic controllers (PLCs). Performance, safety, and reliability requirements are also considered in the 2015 update.
  • NERC CIP Standards, published by the North American Electric Reliability Corporation, aim at improving the security and reliability of the electricity industry by defining auditable requirements for critical infrastructure protection (CIP).
  • The IEEE Standard for Intelligent Electronic Devices Cyber Security Capabilities (IEEE Std 1686-2013) defines functions and features to be provided in intelligent electronic devices (IEDs). The document addresses access, operation, configuration, firmware revision, and data retrieval of an IED.

The IDS Business Layer connects data owners with defined business partners

Virtual data rooms

Historically, the term data room comes from its purpose with regard to due diligence audits for mergers and acquisitions (M&A). Originally, during an M&A, companies created actual, tightly secured rooms on neutral ground, such as within a law firm’s premises. Today, virtual data rooms have become the norm; they are located in the cloud, where they securely house all relevant and related content to be audited.

Virtual data rooms require a journal documenting all procedures within the data room:

  • who is authorized to read files
  • who has access to named files, when, and for how long
  • what files are being accessed
  • what is being done with them
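
The journal requirement above can be met with an append-only log in which every entry carries the hash of its predecessor, so that a later change to a recorded entry is detectable. The following Python code is an added example, not code from the article or from any product it names; the hash chaining, the field names and the action vocabulary (`open`, `download`, `close`) are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # 'prev' value of the first entry (assumed convention)

def entry_digest(rec):
    """SHA-256 over every field of the entry except its own digest."""
    body = {k: v for k, v in rec.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Journal:
    def __init__(self):
        self.entries = []

    def append(self, ts, user, action, file):
        """Record who did what to which file, and when (Unix seconds)."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        rec = {"ts": ts, "user": user, "action": action, "file": file, "prev": prev}
        rec["digest"] = entry_digest(rec)
        self.entries.append(rec)

    def first_bad_entry(self):
        """Index of the first altered or unlinked entry, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            if rec["prev"] != prev or rec["digest"] != entry_digest(rec):
                return i
            prev = rec["digest"]
        return None

    def sessions(self, file):
        """(user, opened_at, seconds_open) for each open/close pair on file."""
        opened, out = {}, []
        for rec in (r for r in self.entries if r["file"] == file):
            if rec["action"] == "open":
                opened[rec["user"]] = rec["ts"]
            elif rec["action"] == "close" and rec["user"] in opened:
                start = opened.pop(rec["user"])
                out.append((rec["user"], start, rec["ts"] - start))
        return out

def demo():
    """Constructed sample events, not real data."""
    j = Journal()
    j.append(1100, "alice", "open", "contract.pdf")
    j.append(1150, "alice", "download", "contract.pdf")
    j.append(1400, "alice", "close", "contract.pdf")
    return j
```

A chain like this detects edits to recorded entries but not removal of the newest ones; for that, the latest digest has to be stored or witnessed outside the data room.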

There are several applications that target virtual data room security. A highly secure, platform-independent file exchange package is available from Dracoon as an on-premises or cloud version. With Europrise, ISO27001, and ULD certification, Dracoon complies with the highest security standards. Proprietary TripleCrypt encryption, comprehensive role administration, and white-label branding have helped to attract more than 400,000 users. The application is used by several large original equipment manufacturers (OEMs): Deutsche Telekom, Bechtle, Hutchison, and British Telecom.

Endian claims its 4i Edge products are unique in that they provide a comprehensive security layer with a simplicity that is rare within the IoT industry. The appliances provide secure remote network access through technology alliances with third parties, such as Cyren, Panda Security, and Cloud4Wi, to offer cutting-edge technology.

The Industrial data space concept has met with considerable interest in many workshops and forums held in connection with Germany’s G20 presidency.
Boris Otto, Head of research for the IDS initiative and director of the Fraunhofer Institute for Software and Systems Engineering (ISS)

 

The Private Data Room from ITWatch protects applications, content, and printing hardware from malware infiltration and from unauthorized access by unwanted external and prohibited internal sources, including general systems administrators.

IDS in practice: How to create a really smart factory

Steel producer Thyssenkrupp Steel Europe has provided the first use case for IDS with an information system for truck logistics. The aim is to optimize the loading and unloading times of trucks and adapt them flexibly according to transport routes and traffic disruptions. The company handles around 20,000 trucks per month so, with just 30 minutes available to load and unload each truck, any delay in arrival can quickly throw the entire schedule into disarray.

Technology partner Komsa and Thyssenkrupp have developed an end-to-end combination of connected devices between the truck drivers and the weigh gates at the entrance to the loading bays. The aim is to automate rescheduling of truck arrivals based on reliable online data, by using real-time management of time slots and dynamically estimated arrival times. Messaging using GS1 EDI XML allows instant and comprehensive status change notification.

Regispace for the Industry Data Space by Regify is a virtual data room for IIoT/Industry 4.0. It enables the secure exchange of data and provisioning of networked services for collaboration over value networks comprising customers, suppliers, and other business partners. It protects IoT and other data against unauthorized access and enables data owners to make data available to partners at a granular level or in an end-to-end secured process.

Scadafence’s passive solutions for smart manufacturers are designed to reduce operational risks such as downtime, product manipulation, and the theft of sensitive proprietary information. The company’s broad solution suite includes continuous real-time monitoring of the industrial environment as well as lightweight tools designed to automate the security assessment process. It is software-based and available either as a virtual appliance or as a network appliance.

Uniscon’s Sealed Cloud infrastructure provides overall data room protection and a detailed journal. It includes a number of patented services and solutions, some of which are available from partners such as Deutsche Telekom. The technology ensures that memory contents and all data transfers remain encrypted. Moreover, it keeps content and metadata protected during processing.

Industrial data space

The Industrial Data Space initiative is organized in two branches: a research project and a user association. The initiative’s launch in 2014 was therefore followed in January 2016 by the creation of the Industrial Data Space Association, a non-profit body representing users’ interests in the standardization of research results. The association has members from 74 companies based in 13 countries. The activities of IDS are conducted in close collaboration with Plattform Industrie 4.0, an alliance of bodies from politics, science, industry, and trade unions.

The IDS reference architecture has a structure of five layers:

  • The Business Layer – specifies and categorizes the different stakeholders
  • The Functional Layer – defines requirements and features
  • The Process Layer – describes interactions between IDS components
  • The Information Layer – defines the model’s static and dynamic aspects
  • The System Layer – contains logical software components, covering integration, configuration, and deployment.

The next goal for IDS is to carve out relationships and compatibility with other reference architectures, such as the Industrial Internet Consortium in the US and the Japanese Industrial Value Chain Initiative.

 

Interview: Kurt Kammerer

How can users in manufacturing or automotive securely and effectively communicate with each other?

Data space platforms can be integrated in any workflow to allow users to communicate securely and verifiably on any digital channel, using any device. The wide spectrum from human-to-human interaction to machine-to-machine (M2M) data transactions must be supported across interconnected business networks which are common to automotive and manufacturing industries. Besides a comprehensive approach, a realistic price model is required; otherwise a good overall architecture will soon come to an economical end.

What are the most important capabilities for secure IoT communications?

We focus on three aspects. On top, confidentiality is key. The market favors encryption solutions that are both secure and user-friendly. Second, easy accessibility for users is vitally important for adoption. The requirements range from simple access rights and identity management to affordable costs. Last but not least, quality counts. Quality of service must be ensured and governed by service level agreements across the IoT and business networks.

 

Unlike the Internet, which has a sophisticated governance ecosystem, the whole world of blockchain is the wild west.
Kurt Kammerer, CEO of Regify and founder of Regify Asia (ISST)

 

How many instances of IoT platforms would a company need?

The abundance of IoT platforms with each vendor of machinery having its own [architecture] leads to situations where one factory may have to deal with several IoT platforms. The producer doesn’t want this. As the data owner, the producer wants control over his own data instead of feeding his production data into IoT platforms of vendors. As much as the producer wants the big picture in real time, he doesn’t want to engage in complex integrating projects that connect the IoT platforms. Therefore, networked communication is needed that connects whole ecosystems (supply/demand/production networks). One single account from the provider of choice will give global access across IoT or Industry 4.0 platforms. With Regispace (www.regispace.net), we’ve successfully implemented core IDS proposals in a number of industries.

Can you give us a few examples?

Several partners in Luxembourg and the UK operate Regify platforms for the health sector. These platforms ensure full control of data for the data owner, compliance regarding data privacy and security, and at the same time they enable networked communication across the entire health sector. Regify’s patented and distributed architecture connects users (from humans to machines) across instances of platforms, lets them transact while respecting access rights that each owner of data can grant or revoke at a granular level. Users simply register with their chosen provider to gain full access to other users across the data space providers.

How about standards for secure data space?

Standardization efforts such as IDS and other international approaches are important because they facilitate cooperation within an industry. To date, many users consider comprehensive architecture and data models as too theoretical for today’s challenges. Therefore, Regify solutions work on every digital channel and every device independently of which data partners want to exchange, standardized or unstandardized. Our European, and especially our Asian, customers are calling for this.
