Globally networked production processes demand data exchange that transcends company and sector boundaries. In this context, data security and data sovereignty are indispensable. DIN SPEC 27070 specifies the requirements to be met by a security gateway for data exchange, with regards to the gateway architecture and cyber security measures. Sebastian Steinbuss, CTO of International Data Spaces Association, about the publication: “Adding to the International Data Spaces Reference Architecture, the release of the DIN SPEC represents a huge milestone on the way to secure cross-company exchange of industrial manufacturing data. The next step is to make this DIN SPEC an international standard – an ISO standard.” The specification was developed by the German Institute for Standardization (DIN), together with Fraunhofer AISEC, SICK AG and 13 other organizations from industry and research.
A Security Gateway for the Sovereign Data Exchange: The IDS Connector
The IDS connector, which has been specified in line with IDS certification scheme, acts as a security gateway. It can be implemented in different ways depending on the scenario: on microcontrollers, sensors, mobile devices, on servers or in the cloud. Due to the container architecture, the IDS connector also allows trusted execution of apps – those that can sovereignly process data from different sources. The connector is therefore a suitable execution component for Amazon Web Services, Data Intelligence Hub by t-systems or SAP HANA, because it enables the platforms to offer a secure environment in which data sovereignty is guaranteed. Domain-specific application profiles enable embedding in specialist domains with different requirements.
Three Levels of Security
The IDS connector allows three different levels of security: Base, Trust, Trust+. The “base” profile meets basic security requirements for communication across company boundaries. A connector that has been certified according to the “trust” profile provides additional security features such as strict isolation of the service containers and mutual verification of integrity. A “trust+” profile connector even provides protection against manipulation by malicious administrators. These security levels comply with ISO/IEC 62443 (particularly ISO/IEC 62443-4-2) but have been extended by including additional requirements deemed necessary for the IDS ecosystem. That makes DIN SPEC 27070 the first initiative specifying requirements regarding a secure gateway for cross-company data exchange in the manufacturing industry.
Aiming for an International Standard
Gateways for other industries are envisaged for the future. “Our goal is to make DIN SPEC 27070 an international standard,” says Andreas Teuscher, Chief Information Security Officer at SICK AG. “And we see possibilities of broadening its scope and cover other areas of application as well, so that it can evolve into a multipart standard in the medium run.“ Andreas Teuscher worked together with Gerd Brost from Fraunhofer AISEC on driving the development of the standard forward. Both were supported by Martin Uhlherr from DIN (German Institute for Standardization).
Since IDSA facilitated the development workshops, it is possible to provide the DIN SPEC free of charge. To order the DIN SPEC (in German), please click here.
We have also translated the DIN SPEC into English. This version is non-public. We’d be happy to send it to you. Please send us a short request.
For IDSA member companies the DIN SPEC in English is also available on Jive.