KANBrief 2/17
Industry 4.0 stands for the networking of human beings, machines and installations. Owing to the interaction between these communication partners, considering functional safety alone (such as the halting of a machine when a light barrier is penetrated) is not sufficient to protect human beings. Information security (such as the protection of a robot's programming against manipulation over the network) is equally important.
The relationship between functional safety and information security is described in Application Rule VDE-AR-E 2802-10-1:2017-04 "Relation between functional safety and information security on the example of industrial automation – Part 1: Basic principles". Distinguishing between the two is important so that conflicting goals can be identified during risk assessment.
Harm to human beings and the environment caused by intervention by third parties, for example in the form of cyber attacks, was considered improbable by experts at the CEN "Functional safety & cybersecurity" workshop. As was seen in recent events, hackers primarily attack targets presenting a financial incentive. However, this would not rule out human beings and the environment being harmed unintentionally. Nor can it be ruled out, against a background of terror threats, that human beings and the environment are in fact a primary target.
Legal issues
Implementation of Industry 4.0 depends substantially upon its acceptance by users. Users expect the products they use and the networked processes in which they are embedded to be safe. In the event of unauthorized third-party access, the question of who is liable is of interest to the user. Unauthorized intervention continues to raise fundamental criminal and liability aspects, however (cf. Rockstroh/Kunkel, IT-Sicherheit in Produktionsumgebungen, MMR 2/2017; Bräutigam/Klindt: Industrie 4.0, das Internet der Dinge und das Recht, NJW 2015, 1137). Since technical standards give rise to the presumption of conformity and are intended to describe current technical good practice, they may be particularly relevant in this context. KAN therefore also considers questions relating to administrative law significant:
CENELEC Guide 32:2014-07 “Guidelines for Safety Related Risk Assessment and Risk Reduction for Low Voltage Equipment”, published in July 2014, is currently being revised. The guide calls for issues of information security to be considered in standards under the Low-voltage Directive. In February 2017, ISO/TC 199, Safety of machinery, adopted a new preliminary work item under the title "Guidance and consideration of related security aspects". A guide is to be produced in the form of Technical Report ISO/TR 22100-4 describing the relationship between ISO 12100, Safety of machinery, and the aspects of information security relevant to machines.
Closer cooperation between engineers and computer scientists
A wide range of standardization activities in the sphere of functional safety and information security are taking place at CEN/CENELEC and ISO/IEC – as yet, however, quite separately from each other. Not only must product safety experts consider information security; computer scientists must also become more aware of aspects of functional safety in the future.
The standards organizations should work together to intermesh more closely the spheres of safety and security, the approaches to which have traditionally been quite separate. This is essential if the aspects relevant to occupational safety and health are to be considered sufficiently early and effectively. Legal aspects must also be regulated promptly and transparently if the adoption of Industry 4.0 is to be a success.
Sebastian Korfmacher korfmacher@kan.de
Corrado Mattiuzzo mattiuzzo@kan.de