Why is security interesting for vision applications?
Sebastian Heidepriem (Sick): I think that’s the fundamental question for all of us. The world is changing and I see that for every asset of a business: Security will become more and more relevant and the world is changing. I believe that spying of a camera in a production line – where you will see perhaps a label – it’s really not that worthwhile. But breaking down the whole machine, breaking down your business, I think that’s the asset that people will need to secure in the future. It will become just a natural precondition for selling products to the market.
Kai-Udo Modrich (Zeiss): From my perspective I will come from the customer side: If we are looking into the transformation of the automotive industry in the meaning of digitization and turning factories to smart factories means for us as the vision community that more and more of our vision systems will be implemented in these future environments. We are now in a fully automated production IT environment, or we could also be part of a cloud-based system where access is possible for each and every area, from the suppliers to the OEM. So that means there’s a huge demand on security systems. Therefore if we – the vision industry – want to supply the automotive industry in future factories, we have to fulfill all the standards that are coming up, even besides security. If we are not doing this, if we are not compliant to that we will make no business.
Axel Berghoff (Phytec): I think it’s not a question about vision. Because if you have a camera with a lens and film material from the old 80s, there is no need for security (apart from the fact that you should pay attention to what you are taking a photo of). It’s the fact that there is a computer behind the sensor. So I think the question of security is directly connected with the microcontroller, with the operating system or whatever is behind the embedded imaging part. And therefore it has nothing to do with vision by itself but with the fact that we are running a computer system. And of course it’s not only the question of security, it’s a question of the maintenance of a product through its life cycle. Threats are coming and hopefully there are solutions for them. But you have to be able to apply them as well. So it’s a question of making a system secure and keeping it secure over its life cycle.
Marian Gläser (Brighter AI): This is part of our core business. We do not specifically look at data security. However, data privacy and being a privacy tech company is in a sense a measure in order to increase the overall security of a system and I couldn’t agree more with Mr. Berghoff. The problem is not vision but its computer system. I would go one step further, where the biggest concerns also in terms of privacy come in is, that the computer system becomes more scalable. Facial recognition started in the 80s, but it’s only since about five years and the advent of deep neural networks that the potential to go through vast amounts of data in a highly scalable manner became possible. We see this utilized more and more on the governmental side as well as in the private space now. Our role of course is the data protection but the security part around it becomes way more relevant nowadays due to scalable tracking systems.
Wouldn’t collecting data that is valuable to companies make it an attractive target for theft, even if it’s just a label?
Heidepriem: Well, in the beginning I said that spying wouldn’t be the big issue. But talking about facial recognition, which is not the focus of factory and logistics automation, I will take back this the statement. I still insist that the privacy of data is a second priority for us because harming the system, breaking down the system is the first target which is attacked in the moment. That is were the fears of the customers are. What I see coming up will – as a side effect – solve the problem with privacy as well. But only signing your data to secure the integrity of the data is not the last solution of security.
Modrich: When we look to the goals of cyber security we have to keep in our mind that it’s not only about privacy and confidentiality. It’s also about integrity and availability of data processes and systems. Therefore we have to look at these three dimensions of cyber security, especially considering the machine vision community and what that mean for us in our business.
Heidepriem: When we look into the past, we always had aperimeter protection. So no one was able to enter the factory and to access the plant. For the future this will break up: we will have connections to the cloud for example. But I think in the future this perimeter protection will be the first measure we will chose, but in a different form. So the connection to the cloud will be secured by a VPN tunnel for example. Therefore, when you secure the perimeters then you can secure the privacy of your factory as well.
Berghoff: I think it’s important to distinguish between ‚does someone have access to the data‘ or to the sensor of an imaging system, because then you have a real problem. Because then he has success to much more than to the storage where data is stored. So when we are talking about encryption of data, we are mainly talking about encryption of data through its process of being transferred. A lot of confidential information is still sent via email. Everybody knows that such information can be easily listened to but still people ignore it and just transfer PDF documents with confidential information trough simple email.
Gläser: Maybe to add on what Mr. Heidepriem said, I do believe as well that privacy is in some use cases not the first priority. It depends on if the data is stored or is not stored. If it’s a continuous stream there’s effectively less risk in terms of privacy regulation, but I believe – and this is also by article 5 from the GDPR – the moment the data is being stored privacy becomes an issue from basically the beginning. Privacy can be a limitation for industries so we have to find ways to incorporate systems and measures that allow a higher privacy layer without limiting industries to use the sensory data. We actually have a couple of projects in the manufacturing area about recording and capturing within factories and it’s a highly delicate privacy topic. But on the other hand process optimization, getting new systems into the industry, is hugely important as well. And this is why I think it’s not about second or first priority. It’s about finding measurements from the start to not have to prioritize, but have privacy in place by default.
How quickly do we need to act or is it already to late? Everybody has been talking about IoT and Industry 4.0 for years and started related projects. But I’m not sure if we have been acting with the same speed for security issues with these projects.
Heidepriem: We will provide security features and security measures in cameras to fulfill the customers needs. I already know, that we have a product soon ready to be launched with quite a lot security measures and security approaches and we will increase the security step-by-step. This will be necessarily done with the customers together, because it does not make sense to have a camera or any sensor with certain security interfaces and protocols when the counterpart is not supporting these protocols. So we have to work together with the companies providing the PLCs, the machine vision PCs and so on. They will also have to learn how to handle these approaches, to handle certificates, to build up PKIs. I think in the next year we will see a lot of cameras coming up and if we don’t provide any solutions here, then the market will not change. Because when there is nothing provided the customer can’t buy anything. Sure, some customers are complaining that these things are happening to slow. But on the other side it takes time to get it all working together. It’s a community and we will make the entire solution secure within this decade.
Modrich: We, as a machine vision community, entered into these new digitization arenas with a high speed. A lot of AI based solutions were going into smart factories or parts of smart factories but there was no focus on cyber security. So for companies like Sick or Zeiss it’s on the agenda now. We have to fulfill all the rules that are coming out of this arena. But when we look into the startup area or to the smaller companies you have to ask: What is coming to them? If they don’t follow license agreements and regulations in cyber security they will not sell any solutions to big companies. And of course, the end customers are in this situation as well. They now need these technologies, but on the other hand side they have these great risks. And they are also not sure how to step further in the same velocity as we are doing with the technology. When we talk about cyber security, it includes information security and IT security. This is a huge challenge with risks and possibilities for the whole community, including end customers.
Gläser: We are the part that tries to bring the solution to those traction fields and what we see in terms of embedding going directly onto the camera. We started with a pure cloud and on-prem solution to anonymize image and video data mostly for automotive companies. Recently with the Deutsche Bahn, we started to anonymize the data within the trains. The discussions that we have with camera OEMs is that embedding technology to anonymize from the front is favorable in terms of the ecosystem behind. If we can remove PIIs right after the data being collected, then the entire stream afterwards works with essentially anonymized data. The tension fields between privacy and IT actually become smaller for everyone who’s behind it. I see those new technologies as opportunities to actually easen out the way of how to work with image data. One big part will be to embed it on a broad scalable way publicly to collect data anonymized from the start.
How willing are customers to pay for security in your experience?
Berghoff: What is the cost of not paying for it?
Modrich: We see the responsibility at the supplier. They have to define the rules for being part of the production system. And if we are not at the stage that we can really show them what is the value-add for the end customer, if we are complying to all those cyber security standards, then they will not be willing to pay that.
Heidepriem: I think at the end of the day the customer will pay for security. But we can’t say, for example, here is a camera for 10$ without security or he can buy it with security for 15$. The customer won’t accept to pay that extra only for security. But if there are cameras on the market with security and without security, he will just omit choosing the camera without security. So the cameras for the industrial field – the state of the art technology – will include security and they will be slightly more expensive.
Berghoff: Yes, I think this is an important factor: It’s only slightly more expensive. The biggest costs which are caused by security are the costs to change the way how products will be designed and maintained during its life cycle. And I fully agree with Mr. Modrich, it’s a question of the supply chain and also a question of liability that suppliers, not conforming to certain standards, will be rejected by customers. The fact is that they might be liable. Not right now, according to current laws but that could change. Once security raises to state of the art technology, everyone who does not take care of this point could be liable for damage of their customers?
Gläser: Privacy technology only really became relevant in this scale with the introduction of the GDPR in 2018. With that it became to a field in which not all questions can be solved with security anymore. Questions of consent, of removing personal identifiables, etc became relevant. A while back clients used to only implement us at the end of the projects, and sometimes they even forgot about it when planning their budget. So the privacy part was only recently taken as a dedicated topic to have implemented into the projects as well as in the production area.
Will there be a security solution which can be used worldwide or do you have to implement different solutions for each continent or for each country?
Gläser: The standards of the GDPR are so high that with the approval of the compliance with the GDPR we essentially became compliant worldwide. It’s highly respected how the GDPR is basically measuring if the system is complying, not just the anonymization but also other technical organizational measures.
Heidepriem: The good news is that we have with the IEC62443 an international standard which everyone acknowledges. There might be some open questions regarding this standard but it’s accepted by almost everyone in the industry. I hope that we won’t have the same situation as with wireless where we have all these country specific laws. I don’t think we have the time and we should not focus on country-specific solutions.
Berghoff: The fact is that it’s definitely not the technology that is different in any of the countries. But if you’re talking about the process of how to maintain security there are certainly differences. For example, you have to pay attention to where your servers are located. That makes a difference whether you deliver to the EU or to the US. And I also see the discussion about Huawei and their devices in this regard. So technology does not make the difference but there are different opinions about what security actually means.
What security solutions are already available on the market and do we need special vision security?
Heidepriem: What we already have is the perimeter protection. We have firewalls, zones and conduits and you can already secure your application, even when going to the cloud. We already providing solutions and those will be complemented by features on the devices. This is the next step but you already can secure your application today with IT solutions. (bfi)
Interested in watching the complete discussion?
You can still register here: https://openwebinarworld.com/webinar/invision-days-day-2-embedded-vision-ai/
