In Cyber-Physical Production Systems (CPPS), integrity and availability of hardware and software components are necessary to ensure product quality and the safety of employees and customers, while the confidentiality of engineering artifacts and product details must be kept to hide company secrets. At the same time, an increasing number of Internet connected control systems causes the presence of new attack vectors. As a result, unauthorized hardware/software modifications of CPPS components through cyber attacks become more prevalent. This development raises the demand for proper protection measures significantly, not only to ensure product quality and security but also the safety of people working with the machinery. In this chapter, we describe vulnerable assets of Operational Technology (OT) and identify information security requirements for these assets. Based on this assessment, possible attack vectors and threat models are discussed. Furthermore, measures against the mentioned threats and security relevant differences between OT and Information Technology (IT) systems are outlined. To manage a CPPS and its related threats, risk management will be addressed in more detail. Although safety and security should no longer be viewed as isolated, there are several challenges of integrating safety and security, which can lead to struggles and trade-offs. For this reason, the “Safety and Security Lab in Industry” currently investigates different aspects of future integrated solutions covering both safety and security. Challenges of such integrated solutions are outlined at the end of the chapter.
This is a preview of subscription content, access via your institution.
Tax calculation will be finalised at checkout
Purchases are for personal use onlyLearn about institutional subscriptions
S. Vitturi, C. Zunino, and T. Sauter, “Industrial communication systems and their future challenges: Next-generation Ethernet, IIoT, and 5G,” Proceedings of the IEEE, vol. 107, no. 6, pp. 944–961, 2019.
I. Reithner, M. Papa, B. Lueger, M. Cato, S. Hollerer, and R. Seemann, “Development and Implementation of a Secure Production Network,” Proceedings of the 31st DAAAM International Symposium, pp. 736–745, 2020.
J. Jasperneite, T. Sauter, and M. Wollschlaeger, “Why we need automation models: Handling complexity in Industry 4.0 and the Internet of Things,” IEEE Industrial Electronics Magazine, vol. 14, no. 1, pp. 29–40, 2020.
E. J. Colbert and A. Kott, Cyber-security of SCADA and other industrial control systems. Springer, 2016, vol. 66.
M. Bajer, “Control systems integration using OPC standard,” AGH Master Thesis, W. Grega-Supervisor, Krakow & Antwerp, 2008.
E. Geisberger and M. Broy, Integrierte Forschungsagenda Cyber-Physical Systems: acatech STUDIE. Deutschland: acatech, 2012.
G. Martins, S. Bhatia, X. Koutsoukos, K. Stouffer, C. Tang, and R. Candell, “Towards a systematic threat modeling approach for cyber-physical systems,” in 2015 Resilience Week (RWS). IEEE, 2015, pp. 1–6.
R. E. Petruse, I. Bondrea, and I. C. Nicolae, “Main requirements of a cyber physical production system demonstrator,” Acta Universitatis Cibiniensis. Technical Series, vol. 71, no. 1, pp. 76–80, 2019.
International Organization for Standardization (ISO), “Robots and robotic devices - Collaborative robots,” Geneva, CH, Feb. 2016.
R. Siegwart, I. R. Nourbakhsh, and D. Scaramuzza, Introduction to Autonomous Mobile Robots, 2nd ed. Cambridge, Massachusetts: The MIT Press, 2004.
O. Khatib, “Mobile manipulators: Expanding the frontiers of robot applications,” in Field and Service Robotics, A. Zelinsky, Ed. Springer, 1998, pp. 6–11.
B. Vogel-Heuser, T. Bauernhansl, and M. ten Hompel, Eds., Handbuch Industrie 4.0 Bd. 2: Automatisierung, 2nd ed., ser. Springer Reference Technik. Berlin: Springer, 2017.
Y. Ro, A. Brem, and P. Rauschnabel, Augmented Reality Smart Glasses: Definition, Concepts and Impact on Firm Value Creation. Gewerbestrasse 11, 6330 Cham, Switzerland: Springer International Publishing AG, 2017, ch. 12, pp. 169–181.
A. Grau, M. Indri, L. L. Bello, and T. Sauter, “Industrial robotics in factory automation: From the early stage to the Internet of Things,” in IECON 2017 - 43rd Annual Conference of the IEEE Industrial Electronics Society, 2017, pp. 6159–6164.
Statista, “Wie hoch schätzen Sie das Risiko für Ihr Unternehmen ein, Opfer von Cyberangriffen/Datenklau zu werden?,” 2019, accessed: 2020-10-16. [Online]. Available: https://de.statista.com/statistik/daten/studie/760006/umfrage/wahrgenommenes-risiko-von-cyberangriffen-unter-unternehmen-in-deutschland/.
C. Fife, “What’s Required To Secure The IoT?” 2015, accessed: 2020-10-23. [Online]. Available: https://www.citrix.com/blogs/2015/04/09/whats-required-to-secure-the-iot/.
Barrgroup-Dictionary, “Embedded System,” 2020, accessed: 2020-10-14. [Online]. Available: https://barrgroup.com/embedded-systems/glossary-embedded_system.
TÜV Austria, Fraunhofer Austria Research GmbH, “Safety & security in der Mensch-Roboter-Kollaboration,” 2016. [Online]. Available: https://www.tuv.at/fileadmin/user_upload/docs/group/innovation/tuv-austria-white-paper-deutsch/003_tuv_austria_white_paper_III_einfluss_it_security_sicherheit_in_der_mensch_roboter_kollaboration_fraunhofer_DE_WEB.pdf.
M. Kumar, J. Meena, R. Singh, and M. Vardhan, “Data outsourcing: A threat to confidentiality, integrity, and availability,” in 2015 International Conference on Green Computing and Internet of Things (ICGCIoT). IEEE, 2015, pp. 1496–1501.
F. Accerboni and M. Sartor, “ISO/IEC 27001’,” Quality Management: Tools, Methods, and Standards. Emerald Publishing Limited, pp. 245–264, 2019.
Y. Lu and M. Zhu, “A control-theoretic perspective on cyber-physical privacy: Where data privacy meets dynamic systems,” Annual Reviews in Control, vol. 47, pp. 423–440, 2019.
P. Van Aubel, E. Poll, and J. Rijneveld, “Non-repudiation and end-to-end security for electric-vehicle charging,” in 2019 IEEE PES Innovative Smart Grid Technologies Europe (ISGT-Europe). IEEE, 2019, pp. 1–5.
A. Shostack, Threat modeling: Designing for security. John Wiley & Sons, 2014.
R. Vigo, “The cyber-physical attacker,” in International Conference on Computer Safety, Reliability, and Security. Springer, 2012, pp. 347–356.
M. T. Swarup Bhunia, Hardware Security: A Hands-on Learning Approach. Morgan Kaufmann, 2019.
D. Dolev and A. Yao, “On the security of public key protocols,” IEEE Transactions on information theory, vol. 29, no. 2, pp. 198–208, 1983.
M. Rocchetto and N. O. Tippenhauer, “On attacker models and profiles for cyber-physical systems,” in European Symposium on Research in Computer Security. Springer, 2016, pp. 427–449.
N. Hoque, M. H. Bhuyan, R. C. Baishya, D. K. Bhattacharyya, and J. K. Kalita, “Network attacks: Taxonomy, tools and systems,” Journal of Network and Computer Applications, vol. 40, pp. 307–324, 2014.
A. Humayed, J. Lin, F. Li, and B. Luo, “Cyber-physical systems security-a survey,” IEEE Internet of Things Journal, vol. 4, no. 6, pp. 1802–1831, 2017.
C. Bodungen, B. Singer, A. Shbeeb, K. Wilhoit, and S. Hilt, Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions, 1st ed. New York: McGraw-Hill Education, 2016. [Online]. Available: https://mhebooklibrary.com/doi/book/10.1036/9781259589720.
S. J. Templeton, “Security aspects of cyber-physical device safety in assistive environments,” in Proceedings of the 4th International Conference on PErvasive Technologies Related to Assistive Environments, ser. PETRA ’11. New York, NY, USA: Association for Computing Machinery, 2011. [Online]. Available: https://doi.org/10.1145/2141622.2141685.
A. Treytl, T. Sauter, and C. Schwaiger, “Security measures in automation systems-a practice-oriented approach,” in 2005 IEEE Conference on Emerging Technologies and Factory Automation, vol. 2, 2005, pp. 847–855.
A. Valenzano, “Industrial cybersecurity: Improving security through access control policy models,” IEEE Industrial Electronics Magazine, vol. 8, no. 2, pp. 6–17, 2014.
K. A. Stouffer, V. Pilitteri, M. Abrams, and A. Hahn, “NIST Special Publication 800-82 Revision 2. Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations Such as Programmable Logic Controllers (PLC),” Gaithersburg, MD, USA, 2015.
“IEC 62443-3-3:2013 Industrial communication networks - Network and system security - Part 3-3: System security requirements and security levels,” 2013.
D. R. Preiss, Risk analysis techniques in engineering. TÜV Austria Akademie GmbH, 2020.
International Organization for Standardization (ISO), “ISO/IEC guide 73:2009 - risk management - vocabulary,” 2009.
D. W. Hubbard, The Failure of Risk Management: Why It’s Broken and How to Fix It. Wiley, 2009.
P. Gregory, CISA Certified Information Systems Auditor All-in-One Exam Guide, Fourth Edition. McGraw-Hill, 2019.
S.-H. Y. Xiaorong Lyu, Yulong Ding, “Safety and security risk assessment in cyber-physical system,” IET Cyber-Physical Systems: Theory & Applications, vol. 4–3, pp. 221–232, 2019.
E. Ruijters and M. Stoelinga, “Fault tree analysis: A survey of the state-of-the-art in modeling, analysis and tools,” Computer Science Review, vol. 15–16, pp. 29–62, 2015. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S1574013715000027.
L. Grunske, R. Colvin, and K. Winter, “Probabilistic model-checking support for FMEA,” pp. 119–128, 10 2007.
M. Rausand and S. Haugen, Hazard Identification. John Wiley & Sons, Ltd, 2020, ch. 10, pp. 259–337. [Online]. Available: https://onlinelibrary.wiley.com/doi/abs/10.1002/9781119377351.ch10.
M. Modarres and S. W. Cheon, “Function-centered modeling of engineering systems using the goal tree-success tree technique and functional primitives,” Reliability Engineering & System Safety, vol. 64, no. 2, pp. 181–200, 1999. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0951832098000623.
D. Lee, J. Lee, S.-W. Cheon, and J. Yoo, “Application of System-Theoretic Process Analysis to Engineered Safety Features-Component Control System,” 2013.
I. Friedberg, K. McLaughlin, P. Smith, D. Laverty, and S. Sezer, “STPA-safesec: Safety and security analysis for cyber-physical systems,” Journal of Information Security and Applications, vol. 34, pp. 183–196, 2017. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S2214212616300850.
S. Kriaa, M. Bouissou, L. Piètre-Cambacedes, and Y. Halgand, “A Survey of Approaches Combining Safety and Security for Industrial Control Systems,” Reliability Engineering and System Safety, vol. 139, pp. 156–178, 02 2015.
L. Chung and J. C. S. do Prado Leite, On Non-Functional Requirements in Software Engineering. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 63–379.
A. Kornecki, N. Subramanian, and J. Zalewski, “Studying interrelationships of safety and security for software assurance in cyber-physical systems: Approach based on Bayesian belief networks,” pp. 1393–1399, 01 2013.
International Organization for Standardization (ISO), “ISO 12100:2010-general principle for design-risk assessment and risk reduction.” 2010.
Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (BMK) Austria, “Sicherheit für die digitale Transformation der Produktion,” 2020, accessed: 2020-10-22. [Online]. Available: https://www.bmk.gv.at/themen/innovation/publikationen/produktion/sigi.html.
J.-P. A. Yaacoub, O. Salman, H. N. Noura, N. Kaaniche, A. Chehab, and M. Malli, “Cyber-physical systems security: Limitations, issues and future trends,” Microprocessors and Microsystems, vol. 77, p. 103201, 2020. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0141933120303689.
S. F. D’amato and D. W. Mallik, “Plastic molding of articles including a hologram or other microstructure,” Dec. 10 1991, US Patent 5,071,597.
C. A. Cole and J. T. Weber, “Package integrity indicating closure,” Apr. 2 2013, US Patent 8,408,792.
V. Immler, J. Obermaier, K. K. Ng, F. X. Ke, J. Lee, Y. P. Lim, W. K. Oh, K. H. Wee, and G. Sigl, “Secure physical enclosures from covers with tamper-resistance,” IACR Transactions on Cryptographic Hardware and Embedded Systems, vol. 2019, no. 1, p. 51-96, Nov. 2018. [Online]. Available: https://tches.iacr.org/index.php/TCHES/article/view/7334.
Y. Liu, K. Huang, and Y. Makris, “Hardware trojan detection through golden chip-free statistical side-channel fingerprinting,” in Proceedings of the 51st Annual Design Automation Conference, 2014, pp. 1–6.
M. M. T. Bhunia Swarup, The Hardware Trojan War. Springer-Verlag GmbH, 2017. [Online]. Available: https://www.springer.com/de/book/9783319685106.
B. Bailey, “Optimization challenges for safety and security,” 2019, accessed: 2020-09-25. [Online]. Available: https://semiengineering.com/optimization-challenges-for-safety-and-security/.
W. A. Arbaugh, W. L. Fithen, and J. McHugh, “Windows of vulnerability: A case study analysis,” Computer, vol. 33, no. 12, pp. 52–59, 2000.
A. A. Cárdenas, S. Amin, and S. Sastry, “Research challenges for the security of control systems.” in HotSec, 2008.
B. Brenner, E. Weippl, and A. Ekelhart, “Security related technical debt in the cyber-physical production systems engineering process,” in IECON 2019-45th Annual Conference of the IEEE Industrial Electronics Society, vol. 1. IEEE, 2019, pp. 3012–3017.
G. Sabaliauskaite and A. P. Mathur, “Aligning cyber-physical system safety and security,” in Complex Systems Design & Management Asia. Springer, 2015, pp. 41–53.
Editors and Affiliations
© 2023 The Author(s), under exclusive license to Springer-Verlag GmbH, DE, part of Springer Nature
About this chapter
Cite this chapter
Hollerer, S. et al. (2023). Challenges in OT Security and Their Impacts on Safety-Related Cyber-Physical Production Systems. In: Vogel-Heuser, B., Wimmer, M. (eds) Digital Transformation. Springer Vieweg, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-65004-2_7
Publisher Name: Springer Vieweg, Berlin, Heidelberg
Print ISBN: 978-3-662-65003-5
Online ISBN: 978-3-662-65004-2