EMBEDDED TECHNOLOGY FEATURE
Securing software development for Industry 4.0 and the IoT
By Steve Howard and Jill Britton, Perforce
Industry 4.0 is changing how organisations manufacture and distribute products, integrating technologies such as the IoT, cloud computing and analytics, machine learning (ML) and artificial intelligence (AI). While the potential benefits are vast, the number of elements involved means Industry 4.0 can quickly become a highly complex environment, dispersed across multiple interconnected devices, systems, locations, and contributors. According to McKinsey, 54% of manufacturing companies now use OEM partnerships in a bid to develop standardised industrial IoT platforms, an eightfold increase since 2019. In turn, that means increased risks, and securing all those devices becomes more challenging. There may be hundreds, thousands or even millions of devices and systems communicating, creating a vast interdependent potential attack landscape. A 2022 blog from the National Institute of Standards and Technology (NIST) said, “With Industry 4.0, communications and cybersecurity cannot be viewed as isolated processes.” Furthermore, with AI involved, there may be less visibility into the communications between AI-powered devices and systems, with less human intervention involved.
Security management has different facets, but a vital starting point for Industry 4.0 must be securing the software on which it depends. Software is the ‘glue’ that holds all of Industry 4.0’s elements together, responsible for each device or system’s performance and enabling communications between them all.
Development is the stage at which most software vulnerabilities are introduced, and those vulnerabilities can later be exploited for malicious purposes, so a focus on that process must be a priority. Finding ways to discover weaknesses and address them early in coding processes, long before QA processes, let alone production, is non-negotiable. However, while some engineering teams will have experience in software security practices, for others this may be new territory. Fortunately, there is a variety of existing resources, techniques, and tools on which to draw.
For instance, industry standards such as IEC 62443 have a role to play here, as they address the cybersecurity requirements for the development and operation of technology in automation and control systems. Part 4-1 explicitly defines a secure software development lifecycle, including requirements, definitions, design, implementation, verification, validation, defect management, patch management, and product end-of-life.
Even traditional standards such as ISO 27001, which is specifically for ensuring information security in all of an organisation's processes, including IT and HR as well as software development and test, are used, for example, to ensure that the devices used within a manufacturing plant are secure. Security standards often require the use of coding standards to support compliance, and sometimes their use is mandated, even outside of compliance.
Organisations may use several, including writing their own or taking advantage of the valuable guidelines and known vulnerabilities that are widely available, such as MISRA, CERT, CWE, OWASP and DISA STIG, which bring together many person-years of experience from industry experts. Consider them blueprints for high-quality coding practices, minimising ambiguity and complexity, and leading to clearer, more comprehensible, and more secure software. For embedded software, CERT C and CERT C++ are particularly beneficial, as these standards specifically target the types of vulnerabilities that apply in an embedded system context.
However, coding standards can take time to apply manually, because extensive understanding of both the rules and the code is needed. Hence, engineering teams tend to look for automation to remove or minimise that effort, such as static analysis tools or Static Application Security Testing (SAST) tools. These tools analyse code without it being executed, checking for deviations from the coding guidelines and coding errors that could cause a vulnerability. Static analysis and SAST tools provide a level of inspection, speed, and scale that a human would find difficult to match. Hundreds of checks happen at speed in background mode, thus reducing the impact on busy development teams.
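As an added illustration (not code from the article or from Perforce), the C sketch below shows the kind of embedded defect that CERT C rules such as ARR38-C target and that a static analyser can report without running the code, next to a compliant version. The frame layout, `reading_t`, `PAYLOAD_MAX` and both function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 16u

/* Constructed frame layout (assumption): [id][len][payload...] */
typedef struct {
    uint8_t id;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} reading_t;

/* Non-compliant: trusts the length byte supplied by the peer device.
 * A len above PAYLOAD_MAX writes past out->payload, and a len above
 * the bytes actually received reads past the end of frame. */
int parse_unchecked(const uint8_t *frame, size_t frame_len, reading_t *out)
{
    (void)frame_len;                       /* never consulted */
    out->id  = frame[0];
    out->len = frame[1];
    memcpy(out->payload, &frame[2], out->len);
    return 0;
}

/* Compliant: every size is validated before memory is touched. */
int parse_checked(const uint8_t *frame, size_t frame_len, reading_t *out)
{
    if (frame == NULL || out == NULL || frame_len < 2u)
        return -1;                         /* header incomplete */
    uint8_t len = frame[1];
    if (len > PAYLOAD_MAX)
        return -2;                         /* would overflow destination */
    if ((size_t)len > frame_len - 2u)
        return -3;                         /* would over-read source */
    memset(out, 0, sizeof *out);
    out->id  = frame[0];
    out->len = len;
    memcpy(out->payload, &frame[2], len);
    return 0;
}
```

The distinct negative return codes let calling firmware log which bound was violated, which is useful when malformed frames start arriving from a device in the field.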
Creating a plan for securing software that includes security and coding standards, as well as tools to accelerate development, will aid organisations in harnessing the vast potential of Industry 4.0. These tools and resources are expected to evolve to keep up with market changes. Securing the software on which Industry 4.0 depends may be challenging, but there is a lot that teams can do, so they can experience the benefits while mitigating the risks.
DECEMBER/JANUARY 2024 | ELECTRONICS FOR ENGINEERS 47