NAMUR and BSI share the goal of secure IT structures in the process industry
NAMUR (Interessengemeinschaft Automatisierungstechnik der Prozessindustrie) and the BSI (Federal Office for Information Security) share the goal of secure IT structures in the process industry. Close cooperation was therefore agreed and institutionalized in autumn 2018. What is the current state of this cooperation? CHE Manager spoke to Felix Hanisch, CEO of NAMUR and Head of Industrial Automation at Bayer. The interview was conducted by Volker Oestreich.
CHE Manager: Mr. Hanisch, with increasing networking, new threat scenarios are emerging for the chemical industry as well. What about cyber security in the industry?
Felix Hanisch: For the chemical and pharmaceutical industry, safety has long come first in everything we do. It is about the safety of our products, processes and equipment, the safety and protection of our employees, customers and partners and the environment. Security has many facets, and IT security is another that has become increasingly important to us in the process industry in recent years. Today, IT security is an integral part of our security management.
It was against this background that we were especially pleased at NAMUR last year, when the BSI became a member of NAMUR at our main meeting in 2018. At the same time, we have committed ourselves to promoting BSI’s cyber security alliance in the process industry and actively supporting its goals.
What can NAMUR contribute to this cooperation?
F. Hanisch: NAMUR can score points with its own competence: for many years, our working group 4.18 “Automation Security”, under the leadership of Erwin Kruschitz and with the participation of the BSI, has been dealing with the special aspects of IT security in automation technology. In 2015, in NAMUR recommendation NE 153 “Automation Security Agenda 2020”, the working group formulated technological requirements for future automation solutions.
Here, the demand was clear: IT security must be an integral part of all future components and must not be added “on top” by the operator. Against this background, it is regrettable that we still have to discuss IT security along the entire lifecycle with suppliers, in particular those of plant modules or package units. There is still a “bought as seen” mindset here. Once the module is with the operator, the operator has to take care of it. Questions of future software versioning and hardware compatibility are gladly left to the customer.
The particularly close link between plant security and IT security is taken up with the NAMUR worksheet 163.
What exactly does this mean?
F. Hanisch: NA 163 is about the “IT risk assessment of PCT safety devices”: IEC 61511 requires IT risk assessments for PCT safety devices. NA 163 explains to what extent, by whom and how often such a risk assessment is to be performed. Based on a checklist, this risk assessment can be carried out by a PCT engineer with basic knowledge of IT and network technology.
NA 169 “Automation Security Management in the Process Industry”, which is about to be published, sets out concrete steps for setting up systematic security management with reference to established standards such as IEC 61442, the ISO 27000 family and VDI 2182. And as the threat situation changes constantly and rapidly, we have created a format, NAMUR “AK practice”, in which working groups can comment more quickly on current developments. Here, AK 4.18 has published documents on patch management, hardening or architecture of IT systems.
What are currently important topics concerning the cooperation between NAMUR and BSI?
F. Hanisch: With the present draft bill for the IT Security Act 2.0, not only are the powers of the BSI significantly expanded, but also the requirements for and membership in the KRITIS areas. Both are good reasons – in addition to the intensive professional exchange already experienced – why NAMUR and BSI will continue to work together against hacks in the future. There is plenty to do: the rapid exchange of events in the process industry, which protects the individual company concerned but still provides timely information to all, the analysis of new attack vectors, and the development and communication of countermeasures.