Open and networked system architectures and standard IT components are increasingly used in modern automation solutions, frequently with a direct or indirect link to the internet. This makes it is increasingly important for suppliers and operators of modern automation systems and components to deal with IT security measures.
Technical IT security measures are usually integrated in solutions to supplement actual automation technology components. This increases the complexity of automation systems and applications, which are becoming increasingly difficult to master. A further problem is the fact that these additional IT security components can introduce further IT security weak points to the overall system. Moreover, the differing lifespan of industrial automation components and standard IT components further increases the level of IT risks and threats.
To address this in the long term, a few fundamental process automation requirements are summarized in the NAMUR recommendation ‘153 Automation Security 2020 – Design, implementation and operating requirements for future industrial automation systems’. This document was created by NAMUR and the German Electrical and Electronic Manufacturers' Association (ZVEI), with participation of HIMA employees.
This NAMUR recommendation addresses a range of fundamental requirements that can only be met through intensive research and development. For this reason, new or expanded areas of activity for research and development – including in conventional IT – are also described in this context. Nevertheless, operators still expect manufacturers and integrators to check innovative security technology and concepts at an early stage to ascertain their applicability in automation engineering and to integrate these in their products. Naturally enough, the security level achieved in this respect and the resulting costs, complexity, availability and time response should also be considered.
This recommendation primarily addresses suppliers and operators of modern automation systems and components. This does not involve a complete compendium of IT security requirements, but rather a few sector-independent requirements for future automation solutions which are significant and fundamental in nature. In essence, these requirements say that IT security concepts and functions are an integral part of requirement profiles and, consequently, are also part of the integral range of functions of automation engineering components and solutions. It is therefore possible to reduce the complexity of automation solutions considerably in this manner.
The paper will be published at the start of the Leading Show for the Process Industries ACHEMA, which takes place June 15-19 in Frankfurt.