Security affects us all

Industrial security not only includes the protection of data, but at the same time also guarantees the integrity of safety functions and measures, as the experts at Pilz explain.

If a production worker starts up a plant, even though they are not authorised to do so, this is already considered a security incident. This manipulation, even if unintentional, endangers the safety of other employees. This makes it even more important to consider safety holistically – because it also plays a key role in questions of liability.

Compared with the more tangible topic of machinery safety, industrial security still appears to be more of an abstract concept. Many people primarily associate it with external cyber attacks, but security is relevant down to the smallest machine in a production facility. Security encompasses safety, ensuring its integrity and thus the protection of human and machinery. With new legislation, security measures will become obligatory, for example in the European Machinery Regulation from 2025. But even today companies are already working to ensure the safety of personnel, machinery and data.

Assuming responsibility

If management fails to implement general organisational measures and instructions when structuring work, it can be held liable for this. Problems such as near-accidents or the occurrence of new risks at the workplace must result in suitable measures. Regular checks identify any need for action in good time.

Consider as an example an employee who opens a safety gate and thus brings the machine to a stop. The manufacturing process is interrupted, resulting in economic losses. The employee didn’t actually have authorisation to open the safety gate, but due to a lack of work instructions they were unaware of this, and access to the plant was not clearly regulated. In this case, the task was delegated to an unqualified person and there were no work instructions or they were incomplete. The company management is thus liable for the consequences.

An all-round safe workplace

Employee protection goes hand in hand with liability protection: the operator of the plant or machinery is responsible for the protection of its employees and must take appropriate measures.

If a machine is protected by a safety gate, for example, but access is not regulated, a cleaner or similar could enter the machine’s danger zone and be injured. In this example, the safety device is not sufficient. In the course of a hazard assessment, potential hazard sources would have been identified early on: Is access to the machine sufficiently protected? What qualification must the employees have on the machine and for which work steps are they then authorised?

Prevent manipulation

A third area that is becoming increasingly relevant is data protection. Security is often associated with this as stated previously and there is great concern that an attacker could manage to access a company’s OT network. This can happen, for example, if a USB stick with malware has been intentionally or unintentionally used on a machine. If there is no segmentation within production, hackers can thus not only cripple this one machine, but manufacturing as a whole.

This is the ‘worst case’, and this situation is also sensitive with a view to data protection. Data and expertise must be protected against external attacks as well as from danger originating within the company.

All three scenarios described are not only relevant for reasons relating to liability, they also have a major influence on a company’s productivity. So what can companies do to play it safe? Security precautions must be regularly scrutinised and adapted to the current conditions. A holistic risk analysis indicates possible weaknesses and includes both safety and industrial security. Based on this analysis, appropriate measures can be taken and the machinery retrofitted, if necessary.

Clearly regulate access

For the examples mentioned, comprehensive identity and access management, meaning the regulation of accesses and entrances, could be an adequate solution. If an access permission system such as the PITreader from Pilz is used, only authorised people are issued an RFID key with their individual permissions for plant and machinery on which they carry out work. They only achieve the desired access after they authorise themselves on the machine by inserting their key into the PITreader.

Authorisations can be issued and managed centrally. If there is however a safety incident or manipulation, the system can be used to track who last worked on the machine.

Lock out attackers

If machines are to be protected against unauthorised access and manipulation, an industrial firewall such as SecurityBridge from Pilz also offers protection. It monitors the data communication within an industrial automation network. To protect the data flow of a production facility, switchable and activatable products can also be an appropriate measure. The activatable USB2.0 host interface of the Pilz operation element PIToeUSB controls the manipulation-proof import of programs, export of data and connection of a keyboard or mouse. If the operation element is combined with the access permission system PITreader, the activation is only performed with the corresponding authorisation.

These measures can be easily integrated or retro­fitted into an industrial application. Industrial access management thus contributes to greater industrial security and ensures the integrity of the machinery safety. At the same time, the company management can rely on this holistic safety concept and thus assumes responsibility for the company and for its employees.