IT security with HEUFT: intelligent, efficient and untouchable

Digitisation, IoT and Systemtechnik 4.0:  big data and networked systems which communicate and cooperate with each other and can be controlled and maintained remotely safeguard product quality while increasing the productivity of complete filling and packaging lines.  Provided that they are effectively protected from viruses, malware and hacker attacks – like the smart quality assurance systems of the HEUFT SPECTRUM II generation.

"The 'S' in 'IoT' stands for security…".  Your IT system administrator will certainly already have heard this tongue-in-cheek, almost cynical statement.  And if he hasn't, he will immediately understand what is meant:  the abbreviation for the "Internet of Things", where physical and virtual objects are interconnected, communicate with each other and collaborate in real time, does not contain an 'S'.  It is supposed to mean:  there is no security in the IoT!

That may sound drastic.  But there really is some truth in it.  And that is extremely serious:  spectacular cases of security holes and hacker attacks with malware dominate the headlines almost every day.  An increasing number of computer viruses, worms and DDoS attacks pose a risk of espionage and sabotage which is not to be underestimated.  This turns the huge advantages of the IoT as the basis for the so-called fourth industrial revolution into their exact opposite:  instead of markedly increasing automation, availability, production quality and productivity by means of continuously recording operating and quality-related data, constant audit trail documentation, innovative voice control and preventive remote maintenance, there is a risk of, among other things, lengthy standstills and incalculable production downtimes with the corresponding financial losses, competitive disadvantages and loss of image.

Not providing attack surfaces

In particular, cyber-physical machines which are based on industrial PCs with conventional operating systems and standard software often offer dangerous malware and ransomware too much attack surface.  Data security is placed in great danger – and with it the manipulation, operational and production reliability of complete filling and packaging lines.  In contrast, the intelligently networked checking and inspecting systems of the HEUFT SPECTRUM II generation are effectively protected against compromise, because they have a self-programmed, proprietary operating system which is independent of external product and support cycles.  Unlike Windows or Linux, it offers viruses and worms nothing to penetrate or dock onto in the first place.  The device firmware runs independently, directly from the memory of the multiprocessor card which has also been manufactured in house – no further operationally relevant storage media are connected whatsoever.

There are no entry points for malicious software anywhere either.  Open USB ports may be present in other suppliers' machines, but you will search for them in vain with HEUFT!  The systems of the technology leader only have two Ethernet interfaces.  Each of these is in its own network and is generally not routed.  One of them makes it possible for authorised technicians to gain access directly to the device from the service laptop by means of a peer-to-peer connection (P2P) using a cable or WLAN in order to safely parameterise it with its own HEUFT NaVi ext adjustment interface.  The checking and inspecting system is only linked to the internal production network of the respective filling plant, e.g. for production data acquisition, line analysis, brand and recipe management, via the second Ethernet interface.  Furthermore, this interface provides the HEUFT TeleService access for secure remote diagnosis and maintenance – one of the core features of the modern Industry 4.0 systems.

Using a secure tunnel for remote maintenance

A highly protected procedure is used for this which strictly adheres to the recommendations of the German Federal Office for Information Security (BSI) regarding remote maintenance in an industrial environment:  the in-house developed HEUFT GATEWAY II server establishes a secure tunnel only upon specific request by authorised employees – namely an encrypted IPsec VPN point-to-point connection to the HEUFT service network.  This is password protected and additionally secured by means of a firewall.  The result:  reliable shielding from access by unauthorised outsiders.  At the same time the future-proof HEUFT GATEWAY II acts as a proxy server for the devices so that they are not even visible on the Internet.  The secure P2P connection to the nearest HEUFT VPN node only allows remote maintenance of the device from which the HEUFT TeleService was requested.  The connection setup only proceeds in one direction:  from the system in the filling line directly to HEUFT.  Open ports to the outside are therefore omitted completely – they are simply not required for this.
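The remote-maintenance policy described above (tunnel only on request, only outbound, only to the designated service node, nothing listening inbound) can be audited against a gateway's connection records.  The following is an added illustration, not HEUFT code:  the IKE/NAT-T ports and the ESP protocol are standard IPsec values rather than details from the article, and the addresses and flow records are constructed.

```python
# Added illustration (not HEUFT code): check constructed gateway connection
# records against the outbound-only, on-request remote-maintenance policy.
# IKE (udp/500), NAT-T (udp/4500) and ESP are standard IPsec flows, assumed here;
# the service node address and all sample flows are made up for this example.
from dataclasses import dataclass
from typing import List, Optional

SERVICE_VPN_NODE = "203.0.113.10"   # assumed address of the nearest service VPN node
IPSEC_FLOWS = {("udp", 500), ("udp", 4500), ("esp", None)}


@dataclass
class Flow:
    direction: str           # "out" = initiated by the gateway, "in" = initiated from outside
    proto: str               # "udp", "tcp" or "esp"
    dport: Optional[int]     # destination port, None for ESP
    peer: str                # remote address
    request_active: bool     # an authorised employee has requested TeleService


def violations(flows: List[Flow]) -> List[str]:
    """Return one finding per flow that breaks the outbound-only, on-request policy."""
    findings = []
    for i, f in enumerate(flows):
        if f.direction == "in":
            # No inbound ports are offered at all: any inbound attempt is a finding.
            findings.append(f"#{i}: inbound connection attempt from {f.peer}")
            continue
        key = (f.proto, None if f.proto == "esp" else f.dport)
        if key not in IPSEC_FLOWS:
            findings.append(f"#{i}: outbound {f.proto}/{f.dport} to {f.peer} is not an IPsec flow")
        elif f.peer != SERVICE_VPN_NODE:
            findings.append(f"#{i}: tunnel to {f.peer} is not the designated service VPN node")
        elif not f.request_active:
            findings.append(f"#{i}: tunnel set up without an active service request")
    return findings


# Constructed sample records: two compliant tunnel flows and three policy breaches.
SAMPLE_FLOWS = [
    Flow("out", "udp", 500, SERVICE_VPN_NODE, True),    # IKE to service node on request
    Flow("out", "esp", None, SERVICE_VPN_NODE, True),   # ESP payload of that tunnel
    Flow("in", "tcp", 22, "198.51.100.7", False),       # inbound attempt: must not exist
    Flow("out", "tcp", 443, "198.51.100.7", True),      # non-IPsec egress
    Flow("out", "udp", 4500, SERVICE_VPN_NODE, False),  # tunnel without a request
]

if __name__ == "__main__":
    for line in violations(SAMPLE_FLOWS):
        print(line)
```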

The HEUFT DeviceManager provides backups, restores and other network-based functions for the reliable administration of intelligent inspection systems.  Like all the software used, it has been developed and programmed in house, and the latest version is always available in the HEUFT DeviceSupport customer portal.

Creating security systematically – with Systemtechnik 4.0

From the processors, the operating system and the programs used up to the hermetically sealed network connection:  there's a system to HEUFT!  Highly automated solutions from the HEUFT SPECTRUM II modular system not only create full product safety but also maximum IT, data, operating and manipulation reliability – quite systematically.  This sustainably upholds the efficiency and productivity of complete filling and packaging lines, and not only during remote maintenance.  In this way Industry 4.0 becomes Systemtechnik 4.0 and IoT becomes IoS, the Internet of Systems with a capital "S".  And that stands for systematic security!