Framework For Enabling Structured Communication of Security Vulnerabilities in the Production Domain in Industry 4.0

Abstract: As industries are increasingly adapting to new technological trends for data collection and production efficiency, they are fulfilling the description of being part of the industry 4.0 (I4.0) paradigm. This swift development has led to unforeseen consequences concerning managerial and strategic aspects of security. In addition, threats and sophisticated attacks have increased, emphasizing a greater demand for information security management in the industrial setting. For smaller industrial manufacturers, information security management is not always available due the cost of resources, placing them in a challenging position. In addition, I4.0 introduces the area of OT/IT (Operational Technology and Information Technology) convergence, which is often heavily complex, creating the need for cross-competence. Furthermore, consequences from cyber attacks in the production domain can be catastrophic as they may endanger the safety and health of personnel. Thus, smaller manufacturing industries need to utilize existing resources to enable the prerequisites of managing security issues that may come with I4.0. Structuring and effectivizing the communication of security issues is needed to ensure that suitable competence can address security issues in a timely manner. The aspects of communication and competence are not addressed by current security standards and frameworks in the industrial context, nor are they equally applicable for smaller industrial organizations.  This study aims to contribute to the research field of information security in I4.0 by investigating how security vulnerabilities should be communicated at a smaller manufacturing industry that does not have an information security management system. The framework is based on a traditional incident response information flow and was designed at a Swedish manufacturing industry through the narrative of OT or production personnel.