Are there hidden costs of untrusted technology in 5G private networks?

In some European metropolitan areas, you can already see a 5G symbol on your mobile phone display. Nevertheless, most networks are still in the planning phase and mobile network operators (MNOs for short) have not yet made a final decision on which equipment provider they will purchase the network technology from. This applies even more to private corporate networks, so-called campus networks, despite the decision being potentially significant for the security of the factory of the future.

In many European countries, there are currently discussions about the economic possibilities in connection with the new mobile communications standard 5G. This concerns possible leaps in productivity, but also the security gaps and dependencies associated with greater networking that would arise if these new mobile networks were built with Chinese technology, for example. As a result of these discussions, some states have excluded untrusted network equipment suppliers from building domestic 5G networks or set the regulatory hurdles so high that the result is tantamount to a ban. The question that is slowly moving up the agenda is: is it also necessary to regulate private networks with respect to the technology they use? From the perspective of an economist, this should only be the case if using untrusted technology has a detrimental effect on customers, suppliers or employees for which they are not compensated. Economists call these negative externalities.

Network equipment providers for 5G networks are expected to have a high level of trustworthiness in order to participate in an infrastructure that controls large parts of a factory of the future. It is particularly difficult for Chinese suppliers to establish this credibility. They are often seen as untrustworthy, operating from a country without sufficient rule of law, which exercises strict state control over their business conduct and management. Moreover, Western intelligence agencies, cybersecurity firms and the media regularly report that China is the country of origin for numerous attempts at industrial espionage.

If companies with such origins are nevertheless involved in the deployment of 5G networks in Europe, this will come at a significant cost. Only part of these costs is incurred by the company operating the network and choosing the network providers. A large part of the costs must be borne by other parts of society, which in the absence of further regulation have no influence on the choice of network provider.

Even when the factory of the future decides which providers to procure 5G network technology from, they do not take all costs into account – either because they are hidden costs that will be incurred later (life-cycle costs) or because they are borne by others than the MNOs (external costs). Of course, many security-related costs will also occur if 5G networks are built exclusively with trusted technology. However, these costs will be lower because a trusted provider is a cooperating partner in securing the network from external influences.

If non-trusted providers are a part of a private 5G network, additional efforts will have to be made:

  • to test and verify the software updates provided.
  • to share information with other private network operators, government agencies responsible for network security, and with suppliers and customers of the cyber factory of the future. New information sharing and analysis centers need to be established among industry participants.
  • to build additional sensors into the network to monitor network traffic and detect unintended data flows to third parties.
  • to develop and integrate new AI tools into network management as an early warning system for covert data exfiltration.
  • to devote resources to enforce regulatory policies and compliance to compensate for the lack of trust in the network.
  • to cover damages caused by cyber-attacks by spending (more) money on cyber insurance to deal with the financial consequences.

If a 5G network contains untrusted technology, more of the burden to protect data or machines controlled over the network falls on the operator, but potentially also on other parts of their value chain. The latter will have to spend more resources on classic cybersecurity tools or will have to leave the value chain that makes the cyber-factory of the future and thus will not be able to realize potential productivity gains.

European 5G technology providers will have a hard time competing with companies that do not need to make a profit in order to stay in the 5G business – for example because they are backed by a state for strategic reasons. To internalize the external costs and to guarantee a level playing field, consideration should be given to regulating not only nationwide networks but also private 5G campus networks. The goal is to either exclude non-trusted technology or to require operators of campus networks to invest in the necessary additional protection when using non-trusted technology.

Authors: Johannes Rieckmann and Tim Stuchtey, BIGS

A more detailed description and estimate of the hidden costs of untrusted vendors in 5G networks can be found in the policy paper and the country studies for Germany, France, Italy and Portugal. The virtual presentation of the policy paper takes place on the 16th of March at 2pm (CET).

The Misuse of the Use-Cases of CyberFactory#1

A Misuse-Case (MUC), which is derived from a Use-Case (UC)*, describes the steps and scenarios that a user/actor performs in order to accomplish a malicious act against a system or business process. MUCs are still UCs in the sense that they define the steps that a user performs to achieve a goal, even if the goal is not a positive or a desired one from the perspective of the business process or system designers.

A MUC covers, for example:

  • Safety hazards, irrespective of originating from security vulnerabilities or inherent to the novel technologies developed in the project,
  • Security attacks by outsiders,
  • Workers attacks,
  • Insider threats, which will also be considered in the MUCs, giving the required attention to economic, psychological and societal aspects.

Figure 1: Misuse-Case Task Approach

To be able to document the right MUCs, the project team first worked on selecting the appropriate approach. In the specific case of CyberFactory#1 (CF#1), a two-phased approach was preferred: first, generic and independent risks were collected; these were then consolidated into MUCs.

Within CF#1 the risk assessment considered the following aspects:

  • Impact Level (categorized in high, medium, low)
  • Probability Level (categorized in high, medium, low)
  • Risk Source, Risk Source Type and Risk Location
  • Attack Vector
  • Vulnerability
  • Target Asset and Target Asset Type
  • Threat Agent and Threat Agent Type
  • If applicable: References (CVE, etc.)
  • Risk Result (Impact Detail), Outcome and Impact Nature

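Example risk “Lack of OT capacity in current IT cybersecurity products (mainly SIEM)”:

  • Impact Level: High
  • Probability Level: Medium
  • Risk Source, Risk Source Type and Risk Location: SIEM & other IT based cybersecurity products | Legacy Infrastructure | FoF
  • Attack Vector: Technical security attacks against OT solutions
  • Vulnerability: Lack of OT interoperability for existing IT based SIEMs and existing cybersecurity products
  • Target Asset and Target Asset Type: OT Systems | FoF
  • Threat Agent and Threat Agent Type: Hackers & hacking software | Hacker
  • References (CVE, etc.): N/A
  • Risk Result (Impact Detail), Outcome and Impact Nature: Stop of production | loss of safety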

After the first stage, a total of 153 risks had been identified. Here are the statistics of those risks by their level and source type:

Figure 2: Risks by Risk Level

Figure 3: Risks by Source Type

As per the selected methodology and the risks, one (or more) misuse-cases were selected and defined further for each use-case within the CyberFactory#1 project. In particular, these risks were connected to the use-cases and their implementation with no risk mitigation available yet. The risks are assessed and listed based on the source type. Although many risks relate to the new use cases, legacy infrastructure also carries quite a number of new risks that will be addressed within the project.

What’s next?

As the project team progresses through the main work packages and tasks, we always keep the misuse-cases in mind so that we test, implement and carry out our designs and projects while preventing the misuse-cases as a by-product of a security-by-design approach.

Author: Murat Lostar, CEO & Founder, Lostar Inc.

*To learn more about our use-cases, see our article on it here

The Use-Cases of CyberFactory#1

The key problem addressed by CyberFactory#1 is the need to reconcile the optimization of the supply and manufacturing chain of the Factory of the Future (analyzed by means of Use-Cases) with the need for security, safety and resilience against cyber and cyber-physical threats (analyzed by means of Misuse-Cases).

Therefore, in order to study this key problem, ten pilots have been developed from the Aerospace, Automotive, Machinery and Electronic Industries around several use-cases (UC). These UCs were then described and matched with the Key Capabilities defined in the CyberFactory#1 project proposal plan (technical value chain items):

UC1. Airbus Defense & Space (Spain):

At Airbus, three sub-use cases are defined for the deployment of Industrial Internet of Things (IIoT) for flexible management and optimization of manufacturing as well as assembly lines within the Aerospace Industry.

  • UC1.1 Description – Roboshave (Tablada Site): Connectivity of the Roboshave station to the IIoT to improve traceability, supervision and maintenance of the processes.
  • UC1.2 Description – Autoclave (CBC Site): Real-time monitoring and quality process automation across the IIoT for the process of composite parts curing and forming within Autoclaves area.
  • UC1.3 Description – Gap Gun (San Pablo Sur Site): Automation of the data acquisition using a Gap Gun device (smart tool for gaps and steps measuring) with a centralized data storage and the possibility for further data analysis.

UC2. S21Sec (Spain):

This UC addresses Human/Machine collaboration in manufacturing for quality control.

  • UC Description: The evolution of TRIMEK’s METROLAB solution, which focuses on quality control laboratory services towards Zero Defect, through its integration with fully automated processes within the auxiliary automotive industry (controlling environmental variables and interconnecting the shop-floor). This means an overall enhancement of the Metrolab scenario (incorporation of several cybersecurity tools/services, including Cobots).

UC3. Bittium (Finland):

This UC is concerned with a cyber-secure networked supply chain and information architecture.

  • UC Description: The goal is to create a consistent and secure information architecture and develop processes as well as information tools, which are able to support digital partnered manufacturing and deliveries, in order to achieve supply chain optimization.

UC4. High Metal (Finland):

This UC will develop a highly automated food production line of the future (in this particular case for cheese making).

  • UC Description: The High Metal UC introduces a new integrated platform-based concept for cheese manufacturing that enables: better flexibility for product quality changes, scalability for production increases, shorter installation as well as production start-up time and better efficiency and easier maintenance compared to traditional dairy production lines.

UC5. IDEPA (Portugal):

This UC will digitalize a textile production line (legacy machines) for the automotive industry.

  • UC Description: The goal is to increase efficiency (and also security, safety and resilience) focusing on the development of a new generation of ERP tools, considering Security Awareness and providing Data & Knowledge as a service. This should be achieved along with IDEPA business transformation (connectivity of legacy machines).

UC6. VESTEL (Turkey):

This UC is concerned with the optimization of material handling in PCB assembly lines.

  • UC Description: The objective is to pass from conventional material handling managed by operators and without data gathered from machines (no traceability) to a new situation oriented to the integration of machines in the electronic board assembly line with the ERP system, warehouse and carrier robots, in order to optimize production and improve traceability, while also considering cybersecurity aspects.

UC7. Bombardier Transporter (Germany):

This UC aims to optimize the material supply for the rail vehicle production.

  • UC Description: The main objective of this UC is the optimization of material supply for railway vehicle production by building an automatic supply system from the warehouse directly to the workstations, in order to have a safe and automated provision of the material within its various physical levels (many different customer projects are carried out in parallel at the Bautzen Plant in Germany).

UC8. InSystems (Germany):

This UC addresses the optimization of an autonomous transport robot fleet (ProANT).

  • UC Description: This UC is focused on the collection of data from normal operations of a transport robot fleet that can be used for detecting individual patterns via ML and predictive systems. This information can also be used for logistics optimization and, dynamically, for adaptation to continuous changes.

What is the general purpose of the use cases within the CyberFactory#1 project?

These use cases contribute to the creation of the Factory of the Future (FoF) concept, which is the key goal of the CyberFactory#1 project. The main objectives addressed by the different use case developments, which may help to create this FoF concept, can be summarized as follows:

  • Automation of E2E processes across M2B & B2M communications.
  • Real time (or near real time) situational awareness and factory systems monitoring.
  • Enhanced visibility and traceability of the activity within the Factory.
  • Optimization and secure communications for Supply Chain (Distributed Manufacturing).
  • Advanced data analytics and Machine Learning for processes improvement.
  • Connectivity and integration of the Factory systems (Factory as a System of Systems).
  • Communications security and global security management.

Author: José Antonio Rivero Martinez, Automation for Industrial Means, Industrial Means Dpt. – Manufacturing Engineering, Airbus Defence and Space

PS: If you would like more detail on one or more of the UCs, we are happy to put you in touch with the relevant UC owner(s). Please send all inquiries to the following email address: info@cyberfactory-1.org.

New Business Models for the Creation of Value in the Factory of the Future

One of the main objectives of CyberFactory#1 is to devise innovative ways of delivering value to the several industry sectors involved in the project through the enhancement of optimization and resilience of the production environments. The project has recently delivered a set of new business models featuring value propositions that go beyond traditional approaches, based on intelligent product servitization (i.e. transforming product sales into services provision), knowledge extraction from data and a focus on intellectual property (i.e. enhancing the exploitation and protection of industrial intellectual property).

Innovative business models for eight industry sectors

The project maps eight paradigmatic sectors and actors in the Factory of the Future (FoF) value chain, divided into two main value chain stages: users (i.e. industrial sectors which represent the end users of the new technologies and approaches developed in CyberFactory#1 – Figure 1) and suppliers (i.e. industrial sectors which provide enabling technologies to be applied in the end user activities – Figure 2).


Figure 1 – CyberFactory#1 FOF Value Chain – Users

Figure 2 – CyberFactory#1 FOF Value Chain – Suppliers

For each one of these sectors, the CyberFactory#1 project developed a business model. The work, coordinated by each leading industry partner in the project, started with a rigorous analysis of the internal and external environments (including competition and market player analysis) and was consolidated into a business model canvas. The business model canvas was then extended to a full-fledged business model. During this process the CyberFactory#1 partners provided their input.

The business models were presented at the ICTurkey event in Istanbul (July 5th 2019) by the project coordinator, further raising the interest in the project of potential external partners, in particular concerning the application and exploitation of the project technologies.

Data, as a base for services

The “factory of the future” paradigm envisions a production environment in which massive amounts of data flow bottom-up from the shop floor to the highest levels of management. This data holds great value since it contains useful information that can be used to increase efficiency and performance as well as to enhance decision-making. However, this data flow needs to be secured against unintended use and has to be trustworthy.

The new business models focus on the exploitation of data to extract valuable information and insights in order to make it an integral part of the transformation of products into services. Thereby they are providing increased value to industrial organizations and their customers. The exploitation of data lakes is at the core of the CyberFactory#1 business models.

Data exploitation is the key to more profitable business models based on service provision, which relies on continuous flow of value to customers instead of discrete product sale transactions (i.e. sales of distinct items). The continuous flow of value is provided through the “as-a-service” paradigm, meaning that high value services can be provided in a continuous way. Intelligence “as-a-service” can be provided through on-demand knowledge discovery from data, as well as Artificial Intelligence as-a-service (for example, provision of on-demand insight reports regarding production optimization). Management applications such as Enterprise-Resource-Planning (ERPs) and security platforms can benefit from the enhanced data value exploitation and themselves can also be provided “as-a-service” (for example, manufacturing management-as-a-service).

Lower adoption costs, greater flexibility, higher value

Servitization supports new revenue streams as it also empowers per-mile or plafond billing, flat rates or “per call” billing. This lowers the adoption costs, decreases risks both for producers and consumers and grants higher flexibility as well as scalability. This means that organizations become more capable and efficient in reacting to changes in markets.

Enhanced security also empowers service-based paradigms, as they rely on more frequent exchanges of data flows between value chain actors. Ensuring security and trust between actors makes the value chain more resilient and capable of delivering value even in the event of internal or external cyberattacks, as well as protecting intellectual property and business-crucial information. This is especially important to enhance the protection against counterfeit goods, to strengthen the brand and to protect IP-driven competitive advantages.

Higher flexibility also opens the door for customization services (“mass customization”), allowing both industrial suppliers and users to lower production costs while being able to satisfy ever-changing customer requirements. Intelligent servitization based on data exploitation, higher flexibility, enhanced security and trust leverage the value creation in the next-generation industrial organizations, specifically in key sectors of the European industry.

Bringing benefits to European Industry

By focusing on core sectors of the European Industry, the CyberFactory#1 project also aims to build a community of manufacturing companies which can partner up with the project consortium and get involved. This is an excellent way of strengthening ties, sharing knowledge and raising awareness regarding the benefits of the several developments, including being part of enhanced value chains and considering new approaches to market and value creation.

Authors: João Mourinho, Innovation Manager, Sistrade Software Consulting & Américo Nascimento, Research/Consultant, Sistrade Software Consulting

The Project DNA of CyberFactory#1

Achieving efficient and resilient Factories of the Future (FoF)

This is the aim of CyberFactory#1 in its three-year project duration. The project is the outcome of a user-driven investigation on security implications concerning the digital transformation of aerospace manufacturing lines. This investigation was carried out in 2017-2018 within the scope of an eponymous multifunctional working group within Airbus, including manufacturing and security professionals from the Airbus Commercial Aircraft and Airbus Defence and Space divisions. The project idea was drafted by mid-2017 and a proposal was brought to the ITEA cluster for extension to broader industrial sectors facing similar digital transition challenges, such as the rail systems, automotive, machine manufacturing or textile industry.

A consortium of a total of 31 partners from France, Canada, Finland, Germany, Portugal, Spain and Turkey was established, involving a balanced set of industrial pilots, technology providers and research organizations. It defined a large set of use-cases and misuse-cases targeting the convergence of industrial process optimization and manufacturing system resilience challenges. The consortium, managed by Airbus Cybersecurity, defined a set of twelve key capabilities that are necessary in order to achieve efficient and resilient FoF. These capabilities belong to three capacities: 1) FoF modeling and simulation, 2) FoF monitoring, control and optimization, 3) FoF security and resilience. For each of these three capacities, a set of four capabilities addresses, respectively, the technical, economic, human and societal dimensions of digital transition.

This equal consideration for technological and non-technological aspects of digital transition makes our project original and most applicable in the operational environment compared to the many techno-centric projects which currently bloom in the area of the Industry 4.0 topic. The equal consideration given to both optimization and resilience challenges also ensures an adequate cost/benefit rationale in the selection of organizational and technological set-ups for industrial transformation.

The project was kicked off on 18th December 2018 with support from the Spanish funding Authority. Finland, Canada, Germany, Portugal and Turkey later confirmed their support, while the UK and France remain with self-funded participations at this stage. Close to one year from project start, CyberFactory#1 has already successfully delivered a set of ten detailed pilot use-cases and as many misuse-cases, covering topics such as remote asset monitoring, statistical process control, robot fleet optimization, real time inventory or predictive maintenance and threats such as rogue device insertion, industrial data spoofing, distributed denial of service or adversarial machine learning. Upcoming is the definition of generic secure and optimized architectures for Factories of the Future.

Author: Adrien Bécue, Project Coordinator, Head of Innovation and R&T, Airbus CyberSecurity