Cybersecurity in industry plants with IIoT

Whenever an IIoT solution is implemented in an industrial facility, it contains sensitive data that require a special degree of protection. Furthermore, the connectivity to the Internet needs permanent attention and care. Technology is developing very fast and every system must continuously follow the evolution of cybersecurity – in an industry plant as well as elsewhere.

Reliable information security management comprises not only data encryption, it also requires an overall approach including:

• Compliance to legislation and standards: Relevant legal guidelines and recommended norms should be fulfilled (e.g. ISO 27001, ISO 27017, GDPR, etc.).
• Data security: It is self-evident that an IIoT solution will contain sensitive data. These need to be treated with care according to strict processes.
• Server locations: Whenever the technology of cloud-computing is used, data will be stored on servers hosted by the provider. Due to local jurisdiction, the location of the servers indicates a higher or lower level of cybersecurity. European locations offer the highest standards thanks to the data privacy law.
• Organizational processes: Cybersecurity is not possible without employing organizational processes that define which data should be treated by whom, in which ways and at what moment.
• Transparency: Trustworthy providers of digital solutions have a clear and transparent support system which shows to the customer the status of his inquiry at any moment.
• Application features: all the requirements of the ISO 27001 and ISO 27017 were implemented by Endress+Hauser. A grand-total of 121 measures cover the whole operations of the company. They are continuously monitored and updated whenever necessary.

All those points need to be considered, implemented and regularly checked when providing an IIoT technology. Existing audit and standardization frameworks, laws and best practices can be a practical support during the implementation.

Endress+Hauser has proved that its IIoT ecosystem Netilion meets high standards in information security by submitting it the assessment of third-party certification bodies. From the first day onwards, criteria relating to Information Security Management received the utmost attention and serve as a helpful guideline for implementing digital services and ensuring good cybersecurity in industry.

• Compliance to legislation and standards: In establishing a professional information security management using IIoT technologies, Endress+Hauser was granted the following certifications for the management of Netilion:
• ISO 27001 Information Security Management
• ISO 27017 Code of practice for information security for cloud services
• ISO 9001 Quality Management System
• Data security: Customer data stored and processed in the Netilion ecosystem are always treated with utmost care. Users have the right to enter, access, update and delete their data. All measures fulfill the requirements of the GDPR.
• Server locations: The servers on which the Netilion ecosystem is based are located in Frankfurt and Dublin. From a cybersecurity point of view, servers located in the European Union are regarded as very secure.
• Organizational processes: Endress+Hauser has set up processes for reacting quickly in cases of data security emergencies, all compliant to GDPR. The affected parties will be informed immediately and counteractions will be taken.
• Transparency: Endress+Hauser has implemented a transparent support process which informs the customer in a clear way how his inquiry is treated.
• Application features: The user interface of the Netilion IIoT ecosystem has all necessary features, including, but not limited to, a state-of-the-art password guideline, automated password management, timed logout and export functions.

There are a number of criteria that are considered essential for a professional information security management and which are covered by the Netilion ecosystem:

• Encryption of sensitive information: The IIoT ecosystem Netilion from Endress+Hauser provides professional protection of information:
• Passwords are encrypted with ‘bcrypt + salt + pepper’.
• User identification works with OAuth2 enabled tokenized procedures.
• Communication is https encrypted.
• Transfer of process data via gateways: When considering cybersecurity in industry plants, one point that requires utmost attention is the gateway, as it is the point of access. The Netilion enabled gateways utilize one-way communication: field data are passed by the gateway and sent to the cloud, but communication in the the other direction is prohibited. This architecture is designed to protect the field against manipulation.
• Certification: A third-party certification body confirmed that the IIoT ecosystem Netilion fulfills the requirements of ISO 27017. The international standard contains requirements for cloud platforms. Compliance with the requirements of ISO 27017 ensures that customers can trust the Netilion ecosystem to provide a secure harbor for their data. And Endress+Hauser Digital Solutions, the company that develops the IIoT ecosystem Netilion, was granted ISO 27001 certification for information security.