Looming Deadline
For 35 years, PI has been driving digitalization forward, ensuring efficient, more environmentally friendly, and secure processes across all industries. However, the world has changed, especially in the recent past. In view of the diverse threat scenarios, even more robust systems and processes are needed that can withstand, for example, a cyber attack. This includes critical infrastructure such as power plants, drinking water supplies, building management systems at airports and hospitals, but of course every manufacturing plant and every facility is at risk. The EU has responded to this with the Cyber Resiliance Act (CRA). By the end of 2027, digital components may only be brought onto the market if they meet the requirements of the CRA. This applies to sensors, actuators, control systems and communication technologies, regardless of the technology they use. Even 4…20 mA sensors with HART or IO-Link devices must comply with this EU requirement.
Security Classes Already Implemented
PI has been dealing with the topic of security for more than 20 years and developed a comprehensive security concept very early on, parallel to the first PROFINET specifications. This includes the defense-in-depth approach or the security component test, which ensures that PROFINET components are resistant to network overload. This concept has of course always been adapted. However, these measures are no longer sufficient. PI is therefore working on a comprehensive security concept for PROFINET. Work on Security Class 1 (robustness), which includes sealing off the system from the outside, segmenting the production network, access protection and other measures (defense-in-depth concept), has already been implemented. PI is currently working on Security Class 2 (integrity and authenticity) and Security Class 3 (data confidentiality). The stated goal is to have an appropriate infrastructure in place by the end of 2027 so that users can continue to rely on the robustness and reliability of PI technologies. This is all the more important because technologies such as omlox, MTP, NOA, and SRCI are now also part of our portfolio.
Ad-Hoc Working Group
However, this work can only be carried out jointly. Therefore, an ad-hoc working group was set up in which users, manufacturers and the associations PI, ZVEI and NAMUR are developing a pilot system in which attack scenarios and defense mechanisms are tested. Stack manufacturers are also involved. The successfully completed Ethernet-APL project is being used as a blueprint for this approach. Here, it was possible to establish a technology across manufacturers that enables flexible and secure processes. A similar approach is now to be taken with the topic of security.
There is not much time left, but I am confident that together we will succeed in developing a good and practical solution. The last point is particularly important: regardless of how the protection concept is structured, security solutions must also be economically viable and easy to use.
Harald Müller, Endress+Hauser