Better protect connected packaging lines from cyber attacks

Within the Engineering of the Future Club, GEPPIA member process and packaging machinery manufacturers, their suppliers and industrial end-users are working together to build concrete solutions for the Factory of the Future. These include connectivity, interoperability, production data processing and predictive maintenance. These are all subjects that have in common the convergence of the OT and IT worlds in the management and supervision of production tools.

Cybersecurity was a natural topic for discussion. It has to be said that the subject lends itself particularly well to collective reflection. The digitalisation of factories is creating increasingly extensive cyber-physical production systems (CPPS) involving a large number of players.

The diversity of the programmes implemented and the multiplication of connection points contribute to the vulnerability of these systems. Concerted action is therefore essential to bring coherence to the security approach and simplify the task of end-users.

Towards "secure by design" packaging lines?

To make the transition to digital production lines with confidence, industrial end-users need solutions designed for a connected environment.

They are therefore encouraging machine manufacturers to design their equipment in line with the best practices promoted by government bodies such as ANSSI, ENISA and CISA.

Four of them would already significantly improve the intrinsic resistance of production lines to cyber attacks:

• A clear separation between the field network and the factory network. Segmentation remains one of the best ways of protecting against cyber attacks or limiting their consequences.
• OS (operating system) updates on operator terminals. It must be possible to patch these OSes when a vulnerability is detected, and it must be easy for the industrial end-user to update them himself. This will optimise IT maintenance throughout the plant.
• Secure processes for updating machine source programs. The update operation must not be able to be used to inject malicious code.
• Strengthening authentication and access rights management procedures.

Xavier Texier

Head of Automation and OT Savencia Group,
Member of the Club Ingénierie du Futur

"The COVID-19 epidemic reminded us just how vital the food industry is: our plants have to remain operational even in times of crisis. But a cyber attack can mean that we have to halt production for several days.

Cybersecurity is all the more essential because, like all industries, we are tending to increase exchanges between OT and IT systems. We need to retrieve data from the field to use it in analysis and management software.

What I expect today from machine and PLC manufacturers is that they offer solutions that integrate fully into our IT infrastructure, and that can interact as effectively as possible with our IT world, whether that's our ERP, our LIMS or our CMMS.

And to do this, I think they need to be based on :

• the best practices in cybersecurity recommended in the IFS (Food Defense, chapter 6) standards and the guidelines set out in the European Cybersecurity Act,
  shared international standards, such as ISA-TR 88.
• We also don't want to be locked into a particular technology; the use of proprietary systems becomes an eliminatory criterion in our selection process.

We also want open systems, which is where the use of OPC-UA comes into its own.

Cybersecurity open to innovation

The main players in the packaging ecosystem are favouring a pragmatic and positive co-construction approach, in line with the vision defended by ANSSI at the 2019 security conference. They have chosen to share their expertise in order to define clear common guidelines, which everyone can build on at their own level.

As a result, end-user manufacturers should eventually have access to a much wider range of secure solutions, avoiding excessive standardisation that could be detrimental to innovation. A real plus for the agri-food and pharmaceutical industries, which are torn between the need to innovate and the absolute necessity of protecting themselves from malicious acts to ensure consumer safety.