Strengthening automation software security in Industry 4.0 - Carlo Gavazzi Case Study
Security by design
Connectivity and automation help the industrial and automation environment to be more energy-efficient, safe and functional.
But they also increase risk. Networks of connected smart, automated devices, all exchanging critical data, provide numerous attack vectors that can be exploited by hackers, along with increased consequences for simple human errors.
Hardening the security of remote monitoring and control platform solutions requires a proactive and tactical approach to both risk management and security, with protections built upfront into the product development process. This approach to reducing cybersecurity risks is known as security by design. It is utilized by Carlo Gavazzi, a multinational electronics group, to secure its innovative and reliable industrial and building automation solutions. It’s a strategy that enhances trust across the entire life cycle of the solution for all stakeholders.
Securing Industry 4.0
Carlo Gavazzi, founded in 1931 and headquartered in Switzerland, is a global company that creates and manufactures electronic control components for the building and industrial automation markets. Their products, including sensors, solid-state relays, electronic motor controllers, safety devices, monitoring and fieldbus systems, are marketed across the Americas, Europe and Asia Pacific through a network of 23 company-owned sales organizations and over 65 independent national distributors.
The company continues to add hardware and platform integration solutions to its offerings, providing additional and enhanced automation functionalities that can help make business processes more efficient.
Carlo Gavazzi’s Universal Web Platform (UWP 3.0) monitors and controls connected devices to achieve energy and people efficiency goals. UWP 3.0 interacts with local devices and remote systems, with an embedded automation server that allows data to be exchanged locally or remotely via standard internet protocols, so robust cybersecurity protections must be embedded directly into its design.
“Cybersecurity is always a moving target; it evolves along with technology,” said Alessio Costantini, international product manager for Carlo Gavazzi Controls. “It’s a particular issue for automation as a vulnerability can create risks for the whole installation.”
“But our biggest challenge is to make the industry aware of cybersecurity risks. Just to make a comparison, people working in offices have a better knowledge about cybersecurity issues than people working in, for example, building automation,” Costantini added. “This is definitely a problem because if you don’t know that you could have some kind of an issue, you cannot prevent it. The good news is that this is changing quickly.”
Carlo Gavazzi’s comprehensive range of products incorporates stringent security protections. The company had already implemented the security by design approach, focusing on a security management system specific for industrial and building automation. They came to UL Solutions for an independent review of their connected solutions’ security. Through previous product safety certification work with UL Solutions, Carlo Gavazzi recognized UL Solutions as the leader to help them with cybersecurity as well.
UL Solutions’ list of IoT security solutions includes UL Solutions’ IoT Security Rating, UL Solutions’ Supplier Cyber Trust Level, services for ISA/IEC 62443 and UL 2900 Series of Standards, and security by design training, advisory and testing services. All offerings address secure product development, cybersecurity in smart ecosystems and supply chain risk management.
The UL Solutions security solution
UL Solutions provided Carlo Gavazzi with a customized workshop on industry standards, including ISA/IEC 62443 and security frameworks. The workshop increased the company’s organizational knowledge on product security and provided actionable insights for further strengthening the security of their offerings.
“We learned a lot,” said Costantini. “We have very good engineers, but cybersecurity is a bit on the frontier, and to keep up, you need people working 24 hours a day on just this issue. The people who are working against us are doing exactly that. We need real experts. And, with UL, we trust that we can have the expertise provided by best-in-class security analysts.”
UL Solutions also conducted penetration testing, trying various techniques a hacker would use during a cyberattack, to assess the security level of the UWP 3.0. After the testing was complete, UL Solutions provided Carlo Gavazzi with a report documenting the results and ways to mitigate security risks.
Benefits of independent verification
UL Solutions’ ability to test and assess innovative new technologies was a big benefit to Carlo Gavazzi, according to Costantini.
“… Unfortunately, there is no worldwide guideline for securing industrial or building automation systems,” explained Costantini. “So our approach was to scan the market to find someone who could support us in better understanding the problem, the consequences and the solution. Someone who has a worldwide viewpoint, in line with our global presence, that can bring us information from other countries, and a partner that has a solid reputation that is recognized worldwide.”
Costantini said that another important benefit of working with UL Solutions was getting third-party review against ISA/IEC 62443 standards of the security status of Carlo Gavazzi products.
He said, “Right now, the market we are involved in is not demanding specific certifications, but people who need to understand more are asking about our status in terms of cybersecurity.”
Looking toward a secure future
With its demonstrated dedication to cybersecurity and decades of history within the industries it serves, Carlo Gavazzi is well-positioned to meet and exceed its customers’ expectations within the rapidly evolving Industry 4.0 space.
“We cannot ask our customers to become experts in cybersecurity,” Costantini said. “So, we needed to find a way to explain to them what we do about security and why it matters. We wanted to increase their awareness about the threats, increase their understanding about the products that we provide, and give confidence to the end users when using our solutions.”
“The third-party assessment from UL is crucial to explain to our partners what we are doing in terms of cybersecurity. UL’s worldwide viewpoint helps to give our customers confidence when using our solutions.”