Cyber attacks on industrial plants are one of the real dangers of an increasingly networked industrial society. Regulators and the compliance departments of industrial product owners are responding by introducing IT security management processes for systems in manufacturing and logistics. Linux is recommended for connected embedded products due to its transparency and modularity.
Security compliance requirements and standards such as IEC 62443 have a lasting effect on the requirements for the design, development, qualification and maintenance of industrial products. On the other hand, this results in new opportunities for differentiation from competitors.
Case studies in this presentation show how new systems under development are equipped with a security architecture and corresponding functions from the outset. The list of technical possibilities often conflicts with the costs: not every connected software system requires the maximum possible security for protection goals and attack vectors. Graduated, economical security concepts are therefore necessary, but monitoring and evaluating the software, and updating it over its life cycle, are always required.
Using actual case studies from recent years, the presentation will show which requirements manufacturers of connected systems should be prepared for and how Linux-based software systems can be modernized and upgraded for the new processes of IT security management with reasonable effort.
Highlights:
- Interface to security consulting according to IEC 62443
- Requirement analysis for standard and customer requirements
- Architectural requirements for system design
- Refinement of requirements at embedded Linux/OS level
- Use of building blocks from the processor or board manufacturer
- Implementation of the requirements (in target software and tooling)
- Testing at unit level and at integration level (CI if applicable)
- Transfer to production and key exchange
- Implementation of integration requirements
- Definition and implementation of maintenance and CVE monitoring
- Relevance analysis and evaluation (device use cases)
- Lessons learned from development projects