TOKYO – When it comes to sensor data and automation technologies, Japanese companies are old hands. They know how to install and use them effectively to improve productivity -- especially on the factory floor.
Unfortunately, all that know-how doesn’t necessarily translate to the Industrial Internet of Things (IIoT).
Germany still holds that title. Many Japanese companies are listening to what German companies like Infineon Technologies have to say about “Industry 4.0.”
Infineon Tuesday held a press briefing on IIoT security in Tokyo. Yasuaki Mori, President of Infineon Technologies Japan, stressed, “I don’t think Japan is behind in IIoT. Japanese companies are very knowledgeable of their own ‘use cases.’”
Mori is afraid, however, that Japan might be missing the whole point of IIoT. He reported that many Japanese corporations – which prefer to stick to their own knitting – aren’t seizing the opportunity to transform their business by connecting with others on IIoT. In short, Japanese companies might know the mechanics, but they don’t actually get what IIoT is really for.
Steve Hanna, Infineon’s senior principal and security expert based in the United States, came to Tokyo as a main speaker at the IIoT briefing. Hanna described, extensively, what he sees as the real value of IIoT. “For me, the most exciting thing about IIoT is that it creates new business models.”
Take the example of Kaeser Compressors, he said.
Kaeser is a German manufacturer of compressed air and vacuum products. Customers who used to buy machines from Kaeser to compress air no longer need to do so. Instead, they can buy compressed air from Kaeser by the cubic meter, doing away with the big initial investment in equipment and paying a small monthly bill.
This transformation is similar to the choice between “buying a car or taking a taxi,” explained Hanna. “Many manufacturers are looking at IoT – just to do that so that they can shift their business from selling things to selling services.”
Equally valuable is the “predictive maintenance” enabled by IIoT, Hanna said. He cited VR Group, a state-owned railway company in Finland. “As you know, it is extremely cold in Finland. When it’s too cold, sometimes the doors [of a train] wouldn’t close.” This makes maintenance a critical business for the Finnish company.
Previously, VR Group regularly changed door parts and components -- regardless of their condition. But by installing sensors into the doors, the company has begun getting “early warning signs for failure,” Hanna said. Sensors can detect when doors start to close a little slower, a sign of impending trouble. IIoT has given VR Group greater reliability at lower cost, he explained.
In many cases, corporations are convinced to use IIoT because it can make their processes more efficient.
But the unresolved reality is that even though IIoT is an excellent time-saver, most businesses are unprepared to handle a cyberattack on their IIoT systems.
If Infineon is serious about talking the Japanese into IIoT, the promise of efficiency alone won't do the job. The German company must demonstrate an expert knowledge of hack attacks, and strut its stuff in IIoT hardware security solutions.
IIoT hacks are only growing
Hanna acknowledged the growing number of IIoT hacks in recent years.
Examples include Stuxnet, a malicious computer worm that targets industrial computer systems. It caused substantial damage to Iran’s nuclear program.
Another hack attack struck an unnamed steel mill in Germany. This was revealed, after the fact, by the German Federal Office for Information Security just before Christmas 2015. Hackers reportedly disrupted control systems at the mill to such a degree that a blast furnace could not be properly shut down, resulting in “massive” damage.
Last December, after a power cut hit part of the Ukrainian capital, Kiev, researchers investigating the incident determined it was a cyber-attack.
The Mirai cyberattack took place on October 21, 2016, and involved multiple distributed denial of service attacks targeting systems operated by Domain Name System (DNS) provider Dyn. As a result, major Internet platforms and services were unavailable to large swathes of users in Europe and North America. The attack reportedly cost Dyn an 8% drop in business.
Last June, the NotPetya ransomware bug hit companies in the U.S. and Europe. One of the hardest hit was Copenhagen-based shipping giant A.P. Moller-Maersk, which moves about a fifth of the world's freight. Operations at Maersk terminals in four different countries were affected, causing weeks of delay and disruption. Maersk saw a “$200 million to $300 million earnings hit,” Hanna explained.
Lessons learned from all these attacks point to one imperative: “All the layers [of IIoT infrastructure] must be protected,” as Hanna put it.
Citing the Ukrainian power-grid hack, Hanna explained that the hackers first used email to get into the business PC, which gave them access to a password. With that, they eventually gained remote access to the operational network and managed to infect a workstation, eventually disabling circuit breakers.
The vulnerability of IIoT security can put the “reliability, profit and safety of your business at risk,” Hanna noted. The critical factors in IIoT defense are authentication, secure communication, crypto-key establishment, boot-process protection, platform integrity verification, stored data protection and secure software/hardware updates.
Hardware security chips
Throughout his presentation, Hanna stressed the significance of hardware security chips.
Notably, Hanna’s background in security – prior to joining Infineon – was decidedly concentrated on software. Hanna worked as principal investigator for the Internet Security Research Group at Sun Microsystems Laboratories for the first 20 years of his career. At Sun, Hanna’s team was instrumental in creating a PKI library that could automatically handle the limited trust between companies. They integrated this library into Java, where it remains to this day.
After Sun, Hanna joined Juniper Networks as a distinguished engineer in the office of the security CTO.
Twenty — or even 15 — years ago, semiconductor companies might not have been seen as the natural habitat for security technologies. But in the era of IoT and IIoT, it’s no longer unusual to find renowned security experts at chip companies.
Asked why he decided to work for a hardware company, Hanna explained, “It’s because I now know that we are not going to solve security problems with software alone.”
Take a look at the Heartbleed bug, he noted.
The Heartbleed bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows the theft of information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
Heartbleed was introduced into the software in 2012 and publicly disclosed on April 7, 2014. Even though an upgraded version of OpenSSL was released on the same day Heartbleed was publicly disclosed, popular websites continued to suffer. Hanna said, “We thought we stopped it, but last year, 40 more bugs were discovered and this year alone another 40 bugs emerged.” He added, “We now know that we’ll never get the bug out.”
In his opinion, Heartbleed proves why software can’t be trusted to protect important keys. Many security experts “have now seen cracks in the armor,” Hanna said. “And that’s why I work for Infineon, hoping to learn more about hardware.”
Of course, there are rival security chip companies, such as NXP Semiconductors and STMicroelectronics, equally knowledgeable about how to design effective security chips. Asked how Infineon differs, Hanna said, “We have a family of security chips that are matched to different levels of performance requirements and security needs.” Depending on where security is needed, “Infineon has different chip solutions.”
— Junko Yoshida, Chief International Correspondent, EE Times