Secure processing of machine data: practical tips for an effective concept
Today, data everywhere is highly valuable. Companies use data as an important resource in, for example, the context of optimizing production processes in networked industrial systems. Data also constitute a lucrative business model for cybercriminals, and the threat situation is constantly growing. Holistic security concepts are urgently needed in Industry 4.0 environments where big data technology and cross-company communication are involved.
Digitized production processes generate massive volumes of data. These must be collected, evaluated, and utilized with secure methods that do not provide attackers with a gateway.
Machine data are an important basis for planning
The optimization of production results is based on a solid database
Machine data is highly important for planning efficient production processes. It tells the operator when, and under what load, machines are running productively, and when they are not. It also confirms the production results achieved at the existing utilization. Machine data can be used to perform overall equipment efficiency calculations and, based on these, to plan adjustments that increase production.
Avoiding failures through intelligent maintenance concepts
The availability of a plant is safeguarded by a predictive maintenance concept that prevents a plant shutdown in the worst case. Such a concept also helps to avoid the cost of unplanned on-site maintenance. The diagnostic data that machines provide to operators and manufacturers is maintenance-relevant information. An important measure in any maintenance concept is the effective protection of remote maintenance access.
Inventory: gaining clarity on your infrastructure
As part of a holistic IT protection concept, machine data provides valuable information about the systems and components that are part of a production plant’s infrastructure.
This gives you transparency over the status quo of your inventory, which may have undergone various changes during long system running times while your documentation may not have. An up-to-date inventory is the basis for determining the scope and type of protective measures, and the transparency gained supports planning for efficient resource use.
Develop a strong concept for your business case. Define the specific need for machine data and determine what you want to collect and process the data for; from that, an appropriate method for both the transport route and the processing of machine data follows.
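The inventory check described above, as an added example that is not part of the original article: it parses diagnostic records as machines might report them, builds an inventory from them, and reconciles it against the documented inventory, flagging undocumented assets, documented assets that no longer report, and attribute drift such as a firmware version that differs from the documentation. The asset ids, addresses, firmware versions and record format are constructed for this example.

```python
import json

# Constructed sample: diagnostic records as reported by machines, one JSON object per line.
# Asset ids, firmware versions and addresses are made up for this example.
REPORTED_RECORDS = """
{"asset_id": "PLC-A01", "vendor": "ExampleCo", "model": "S7-like", "firmware": "4.2.1", "ip": "10.20.1.11"}
{"asset_id": "PLC-A02", "vendor": "ExampleCo", "model": "S7-like", "firmware": "4.0.0", "ip": "10.20.1.12"}
{"asset_id": "HMI-B07", "vendor": "OtherCo", "model": "Panel-X", "firmware": "2.9", "ip": "10.20.2.30"}
{"asset_id": "PLC-A01", "vendor": "ExampleCo", "model": "S7-like", "firmware": "4.2.1", "ip": "10.20.1.11"}
"""

# Constructed sample: what the (possibly stale) documentation says is installed.
DOCUMENTED = {
    "PLC-A01": {"firmware": "4.2.1", "ip": "10.20.1.11"},
    "PLC-A02": {"firmware": "4.2.1", "ip": "10.20.1.12"},
    "RTU-C03": {"firmware": "1.0", "ip": "10.20.3.5"},
}


def build_inventory(records_text):
    """Parse JSON-lines diagnostic records into an inventory keyed by asset id.

    Repeated reports of the same asset are collapsed; reports that contradict an
    earlier record for the same asset are returned as conflicts for review.
    """
    inventory = {}
    conflicts = []
    for line in records_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        asset = rec["asset_id"]
        if asset in inventory and inventory[asset] != rec:
            conflicts.append(asset)
        inventory[asset] = rec
    return inventory, conflicts


def reconcile(observed, documented):
    """Compare the observed inventory with the documentation.

    Returns assets that report but are undocumented, documented assets that did
    not report, and per-asset attribute drift as (documented, observed) pairs.
    """
    undocumented = sorted(set(observed) - set(documented))
    unseen = sorted(set(documented) - set(observed))
    drift = {}
    for asset in sorted(set(observed) & set(documented)):
        diffs = {
            key: (documented[asset][key], observed[asset].get(key))
            for key in documented[asset]
            if documented[asset][key] != observed[asset].get(key)
        }
        if diffs:
            drift[asset] = diffs
    return {"undocumented": undocumented, "unseen": unseen, "drift": drift}


if __name__ == "__main__":
    inventory, conflicts = build_inventory(REPORTED_RECORDS)
    print("conflicting reports:", conflicts)
    print(json.dumps(reconcile(inventory, DOCUMENTED), indent=2))
```

Each finding maps to a follow-up action: an undocumented asset needs to be brought into the protection concept, an unseen asset may have been removed or may simply be offline, and firmware drift is the typical input for patch planning.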
Machine data and their value
Machine data is divided into process data and product data:
Process data: sensors provide the control data needed to operate a machine in the production process, as well as data generated during operation. They provide information about the status of a running process and support process monitoring.
Product data: these result from the production process and map it in terms of quantity and quality (for example, piece counts, temperature, etc.).
Intelligent data selection and drawing the right conclusions from data analysis are a valuable basis for decision making. Even older existing machines can provide useful information about their condition via proprietary control interfaces and automation protocols, and thus a valid basis for investment decisions.
To whom do machine data belong?
This question is relevant when it comes to warranty services, for example. If a machine is operated outside the load limits defined by the manufacturer and this can be proven by machine data flowing back to the manufacturer, this will affect warranty claims.
Operators also have a legitimate interest in not disclosing confidential production data that provides information about individual production strategies and results to the outside world, especially since machine manufacturers can potentially supply market competitors as well.
Rights of use for machine data are not regulated by law as intellectual property, as is the case with copyright, for example. You must therefore agree use rights with manufacturers according to your needs, and you must ensure security during data transfer.
Security in data-processing technologies
Large amounts of data can be processed and stored locally with edge computing; here, the level of data security corresponds to that of the production control system.
Cloud computing requires special protection for data traffic, and not every external service provider offers a sufficient level by default, especially for critical data. Special additional measures may be required here.
The method that best suits your company, or the combination of technologies you require, is defined individually.
Practical options for security
An overview of data flows, interfaces, and channels
For effective security in machine-data processing, one must know where data streams flow and what transmission channels and interfaces exist.
Network segmentation and access safeguarding
Malicious code that has entered the network via a vulnerability is contained within its segment in a segmented network. Unsegmented production networks allow simultaneous communication with all controllers, which makes them much less secure.
Define security standards for external service providers (e.g., for maintenance access) in order to rule out the possibility of cyber-attacks finding their way into your network.
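The two points above, segmentation and a defined standard for external maintenance access, can be checked against a rule table before it is deployed. The following is an added example, not code from the original article or its partner: it models a first-match firewall policy with CIDR matching and evaluates the flows a defender cares about under a flat ruleset and under a segmented one in which the external maintenance provider may reach only a jump host, the jump host may reach controllers only on the engineering port, and controllers push data only to the historian. The addresses, zone layout and port choices are constructed for the example; the rule syntax is the example's own and not that of any particular firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    port: Optional[int]   # destination port, None means any port
    action: str           # "allow" or "deny"


def rule_matches(rule, src_ip, dst_ip, port):
    """True if the flow (src_ip -> dst_ip:port) falls within the rule's scope."""
    return (
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
        and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
        and (rule.port is None or rule.port == port)
    )


def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule decides; anything unmatched is denied by default."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, port):
            return rule.action
    return "deny"


# Constructed hosts (all addresses are made up for this example).
VENDOR_REMOTE = "203.0.113.10"   # external maintenance provider
JUMP_HOST = "10.20.0.5"          # hardened maintenance host in its own segment
CONTROLLER = "10.20.1.11"        # PLC in the cell segment
HISTORIAN = "10.20.4.20"         # data collection server

# Flat network: a single allow-all rule, so every host can talk to every controller.
FLAT_RULES = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Segmented network: maintenance access only via the jump host, controllers only
# reachable from the jump host on the engineering port, data only flows to the historian.
SEGMENTED_RULES = [
    Rule("203.0.113.0/24", "10.20.0.5/32", 22, "allow"),    # vendor -> jump host (SSH)
    Rule("10.20.0.5/32", "10.20.1.0/24", 102, "allow"),     # jump host -> cell segment
    Rule("10.20.1.0/24", "10.20.4.20/32", 4840, "allow"),   # controllers -> historian
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),           # explicit final deny
]


def check_paths(rules):
    """Evaluate the flows that matter for the maintenance-access standard."""
    return {
        "vendor->jump(22)": evaluate(rules, VENDOR_REMOTE, JUMP_HOST, 22),
        "vendor->plc(102)": evaluate(rules, VENDOR_REMOTE, CONTROLLER, 102),
        "jump->plc(102)": evaluate(rules, JUMP_HOST, CONTROLLER, 102),
        "plc->historian(4840)": evaluate(rules, CONTROLLER, HISTORIAN, 4840),
        "historian->plc(102)": evaluate(rules, HISTORIAN, CONTROLLER, 102),
    }


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        print(name)
        for path, verdict in check_paths(rules).items():
            print(f"  {path:24} {verdict}")
```

The flow list is the useful artefact: it states, in one place, which paths the maintenance standard permits, and the same evaluation can be re-run whenever the rule table changes to confirm that no direct path from the outside to a controller has crept in.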
Only one way: always from the inside to the outside
When it comes to communication, opt for a model in which the machine always initiates the connection and asks the server for updates; never choose one in which a server can contact the machine from outside and initiate updates on its own. In this way, you avoid gateways for unauthorized access.
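The inside-to-outside model above, as an added example that is not part of the original article: the machine polls the update server and the server only answers; there is no code path by which the server reaches into the machine. Because the machine still has to trust what comes back, the response carries a signature that is verified before the manifest is acted on, and manifests that are replayed or roll back to an earlier issue time are rejected. The protocol, the manifest fields and the key are constructed for the example; a shared-key HMAC stands in for an asymmetric signature so that the block runs with the standard library alone, whereas a real deployment would give the machine only a public key.

```python
import hashlib
import hmac
import json

# Constructed shared secret standing in for the server's signing key. HMAC is used here
# only because it is in the standard library; in practice the machine would hold a
# public key and verify an asymmetric signature instead.
SIGNING_KEY = b"example-signing-key-not-for-production"


def sign(manifest):
    """Canonical JSON of the manifest, authenticated with HMAC-SHA256."""
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class UpdateServer:
    """Server side: answers polls only, never initiates contact with a machine."""

    def __init__(self, version, image_sha256, issued):
        self.manifest = {"version": version, "sha256": image_sha256, "issued": issued}

    def handle_poll(self, machine_id, installed_version):
        # The machine opened the connection and stated what it runs; reply accordingly.
        if installed_version == self.manifest["version"]:
            return {"update": None}
        return {"update": self.manifest, "sig": sign(self.manifest)}


class Machine:
    """Machine side: every exchange starts here, outbound; nothing is accepted inbound."""

    def __init__(self, machine_id, version):
        self.machine_id = machine_id
        self.version = version
        self.last_seen_issued = 0   # newest manifest issue time accepted so far

    def poll(self, server):
        return self.handle_response(server.handle_poll(self.machine_id, self.version))

    def handle_response(self, resp):
        if resp.get("update") is None:
            return "up-to-date"
        manifest, sig = resp["update"], resp.get("sig", "")
        # Verify the signature (constant-time compare) before trusting any field.
        if not hmac.compare_digest(sign(manifest), sig):
            return "rejected: bad signature"
        # Refuse replayed or rolled-back manifests, even if correctly signed.
        if manifest["issued"] <= self.last_seen_issued:
            return "rejected: stale manifest"
        self.last_seen_issued = manifest["issued"]
        self.version = manifest["version"]
        return f"applied {manifest['version']}"


def run_scenario():
    """Walk through a normal update, a no-op poll, a tampered reply and a replay."""
    server = UpdateServer("1.1", "ab" * 32, issued=1700000000)
    machine = Machine("PLC-A01", "1.0")
    results = [machine.poll(server), machine.poll(server)]
    # A response altered in transit: the manifest changed but the signature did not.
    tampered = {"update": {**server.manifest, "sha256": "ff" * 32}, "sig": sign(server.manifest)}
    results.append(machine.handle_response(tampered))
    # A correctly signed but previously seen manifest, replayed to the machine.
    replayed = {"update": server.manifest, "sig": sign(server.manifest)}
    results.append(machine.handle_response(replayed))
    return results


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

The direction of the connection is what removes the inbound listener on the machine; the signature and freshness checks are what keep a machine-initiated poll from becoming a way to feed it a manipulated or outdated update.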
OPC-UA and open-source alternatives
OPC-UA is an open, documented interface standard for communicating with a machine, and several open implementations of it exist. The communication channel is secured with encryption and signature verification.
Open-source alternatives to OPC-UA, such as Apache PLC4X, offer flexible and secure ways of obtaining data, especially from older existing systems.
Secure your machine data processing with an appropriate mix of effective measures!
This article was written in cooperation with our partner “sichere-industrie.de”:
Are OT and IoT security issues for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.
Please remember: this article is based on our knowledge at the time it was written, but we learn more every day. Do you think important points are missing, or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.