Information technology (IT) is changing people's lives at a rapid pace: the Internet and mobile telephony form the basis for today's means of communicating, both privately and for commercial and business purposes. Information is a prerequisite for economic success and the foundation of global business processes. Nowadays, having the required information at the right place and at the right time is a key competitive factor in the international environment. IT, or more accurately information and communications technology (ICT), is taking on an increasingly important role by supporting and speeding up business processes and by creating company value. However, this benefit also brings risks to the security of information and data. Information security isn't an isolated event, but rather a process which extends over the entire service life of a system or system component. Since information security will have to develop in parallel with other technological advances in the future, the topic is also dealt with on an interdisciplinary basis in the course of standardization, along with the required flow of information. The main goal in this regard is to understand information security as an innovation topic in cross-sector teams and to address it proactively in the relevant areas.
Where do Safety and Security meet? At IEC!
Functional Safety (“Safety”) and IT Security (“Security”) are both key issues in most industries today. As the technologies in our world become increasingly networked, security is becoming more and more crucial: confidentiality, integrity and availability are the main protection targets that security addresses. Safety has mainly been defined by the goals of protecting humans and the environment. But what happens if a security incident influences the safety function inside a system? If you define measures for safety, they can only be effective if their robustness against security-related attacks can be proven. But how should we proceed to reach this goal, and how should standardization cope with these challenges?
These and other questions were discussed in an interview between Andreas Harner, VDE|DKE, responsible for IT Security in standardization as a cross-sectional issue, and Prof. Dr. Jens Braband, Siemens AG, Infrastructure & Cities Sector, honorary professor at TU Braunschweig.
What’s your personal involvement in standardization?
I have been active in standardization since the 1990s, being one of the major technical contributors to CENELEC EN 50129 as well as EN 50159. Later I was involved in IEC/TC 56 as an editor and contributor to many dependability standards, e.g. IEC 60812, IEC 61165 or the IEC 60300 series. In recent years my focus changed to national prestandards, e.g. the DIN V 0831-10x series, but I have recently taken over new assignments in CENELEC and I am an active reviewer of the IEC 62443 through the German mirror committee.
Why is standardization important for your business?
For globally operating companies, standards are business enablers. They support market access and help customers and suppliers to take advantage of economies of scale.
Why is IT Security relevant for railways?
Railways operate very large networks which can’t be physically secured. Some threats to IT Security may also affect safety, while the majority of the attacks will impact availability.
What do you think about trends like “Internet of everything”, “Autonomous vehicles” etc. from a security perspective? Was Goethe right in his famous poem “Der Zauberlehrling”?
In my opinion we are well on the way to use increased connectivity and autonomy also for safety-critical systems, but it will take much longer and will be much harder to achieve than the media suggest. With respect to Goethe’s poem, it is important to note that the apprentice gets into trouble by applying magic that he can invoke but can’t control, and he also does not foresee all the consequences. I agree with Arthur C. Clarke, who has stated “Any sufficiently advanced technology is indistinguishable from magic”. So we need mastery of the new magic technologies and standards may also help here by setting clear baselines.
Please explain why standardization in IEC/TC 65 is important for you although the majority of your standards is being elaborated by CENELEC?
IEC 61508 and IEC 62443 are relevant also for the railway sector as they are generic standards for automation systems. In some cases we derive our own standards, e.g. EN 50128 and EN 50129, from IEC 61508, and for IEC 62443 we try to apply it directly but with additional guidance. Also many of the railway standards are later transferred to IEC/TC 9 to become worldwide standards.
If you were granted three wishes concerning standardization, what would they be?
Firstly I would like standards to be more goal-based than prescriptive. Prescriptive standards are causing, for example, a lot of documentary evidence for certification, not all of which is really necessary. Secondly I think we must try to achieve broader consensus in the standardization process, as in some projects the number of comments received becomes almost unmanageable. Finally I think the working process must become more agile, with fewer face-to-face meetings but more intensive use of online support, e.g. regular web conferences and wiki support for the production of documents.