Best practice IoT security in the industrial environment

On the one hand, networked machines and devices open up new attack surfaces for the OT network of production in industrial companies. On the other hand, the secure operation and monitoring of globally distributed, networked machines in the Internet of Things (IoT) is an opportunity for digitalization to improve maintenance and service and enable new business models. But how can industrial companies ensure secure communication and access across (global) distances?

Together with users and experts, the ZD.B Cybersecurity Platform of Bayern Innovativ GmbH has launched a six-part online event series to share tried-and-tested best practice solutions and know-how on IT security in industrial IoT environments. From May to July, six compact morning events will focus on concrete best practice examples of secure remote services, anomaly detection, securing IoT devices, the role of governance and architecture in product development and efficient and successful employee training.

Part 1: Panel discussion: IIoT security - challenges and answers

"The challenge is the long service life of industrial systems of 20 years and more, which cannot simply be updated and thus offer attackers easy gateways" - said Dr. Thomas Nowey (Chief Information Security Officer, Syskron GmbH / Krones AG) and panelist on May 4, 2021 at our panel discussion "IIoT Security - Challenges and Answers".

"The overall security of industrial IT components is based on an electronic foundation and resilient, trustworthy electronics for future hardware is of great importance" - says Dr. Johann Heyszl (Head of Department / Deputy Director of Fraunhofer AISEC) and also panelist on May 4, 2021 at our panel discussion "IIoT Security - Challenges and Answers".

Solid security is the prerequisite for stable operation and prevents unpleasant surprises.

Helene Sigloch
Product Security Officer, BSH Hausgeräte GmbH

Protecting production facilities starts with IT security.

Nadine Nagel
Head of Department Cyber Security for Business & Society, BSI

The ability to update consumer devices is limited by their reachability on the Internet, i.e. connectivity cannot always be assumed. When making new investments, future-proof cryptographic procedures, for example, should be required so that the protected data cannot be easily decrypted in a few years' time. Companies are advised to take a close look at the topic of IT security before commissioning service providers.

When developing new machines and production lines, IT security should be considered from the minimum viable product stage. Security by design is essential because every security breach in machines also carries the risk of personal injury.

Solid basic understanding and updated security know-how

The speakers agreed that even development engineers cannot do without a solid basic understanding and constantly updated security know-how. Web-based training can cover a lot of ground here. It is also crucial to use available standard components and methods, for example from the open source sector, in order to reduce additional work and increase quality. Security and usability need to be brought together much more. The panel discussion produced results such as the importance of exchange in networks, the benefits of a guideline for IIoT security, the indispensability of training efforts and the establishment of a cyber security learning lab.

Part 2: Remote service and remote maintenance - but secure!

Even if IT systems are protected by firewalls, all employees should understand the absolute necessity for cyber security awareness. Tim Maier, Information Security Officer and responsible for the network infrastructure at machine manufacturer Groz-Beckert, emphasized this and referred to formative experiences. For purchased machines, it should be ensured that the manufacturer of the machine may only access the machine remotely after prior consultation. In addition, purchasing guidelines for remote access were drawn up and suppliers were obliged to follow them.

Steffen Zimmermann, head of the VDMA Competence Center Industrial Security working group, cited a survey conducted by the VDMA (German Engineering Federation). According to the survey, machine builders consider the risk of unwanted intrusion by third parties via remote access to be rather unlikely. The biggest gateways for ransomware attacks are not malicious emails, but poorly secured remote access to machines and systems, as can be seen from the graphic.

Insufficient access protection means that only a user name and password are required. These are cracked by brute force attacks and, if successful, sold at a high price on the darknet. An important "learning" was that security only works in cooperation between manufacturer and operator.

Part 3: Cyberattacks, outages, internal perpetrators - anomaly detection in industry & critical infrastructures

Cyber criminals are commercial organizations that specifically want to extort ransom money from companies. The perpetrators know that the loss of production of a single system can cause millions in damage. Stefan Gallenberger from Syskron, who has many years of experience in security operations at a manufacturer of production systems used worldwide, emphasizes that there is no one solution that can solve 95% of all security problems in a company. A functioning cyber security concept is much more an interplay of different players, both human and technical.

Basics of the NIST Framework

It is important to follow a systematic approach. Mr. Gallenberger refers here to the NIST concept, which takes a holistic approach and defines security as the daily task of operational monitoring. Dividing the network into individual segments, each protected by its own firewalls, increases protection. The separation of office IT and production OT is particularly critical for anomaly detection.

Gallenberger's final point was that many attacks on systems and firewalls do not initially cause any damage. It is only when firewall rules are changed that major damage to systems can occur. Gallenberger also indicated that this cycle could take several days or weeks and that there was therefore all the time in the world and a good chance of fending off this attack at an early stage. He thus reiterated the need for anomaly detection.

"Do you actually know what is happening to you?" Klaus Mochalski started his presentation with this question to the audience. In Mochalski's experience, companies are often surprised when they see the results after a two-week audit of an analysis program. Over 60% of the companies examined were found to be using unnecessary services and devices that should be switched off from a security point of view. In addition, over 50% of the companies used insecure authentication methods with just a user name and password.

Part 4: Secure Apps for High Voltage - so the lights don't go out!

Can IIoT already be used successfully and safely in critical infrastructure today?

Commissioning, maintenance and troubleshooting without easy access to a load switch in the power grid, for example, is often expensive and dangerous, as Dr. Manuel Sojer pointed out. He is Executive Director Corporate Development at Maschinenfabrik Reinhausen (MR), a hidden champion and innovation leader whose solutions make a significant contribution to the stability of German power grids.

In the project together with Build38, an industrial IoT controller based on smart apps was developed that meets the security requirements of KRITIS components. Dr. Christian Schläger is co-founder and CEO of the software security company Build38, which specializes in mobile apps and their security.

He showed how this app with special security technology can be used on all Android and Apple iOS smartphones and enables secure, traceable and convenient access to critical infrastructure components.

Tasks such as commissioning, maintenance, repair, change of use and data analysis are thus possible directly in the communication between app and device. Service-oriented, digital business models can thus be secured.

Part 5: Security by Governance & Architecture - does IEC 62443 promote secure product development?

With networked devices and machines, IT security begins with the development and choice of IT architecture for devices and the overall system. This applies equally to industry and consumers. The international IEC 62443 series of standards supports this process with the aim of guaranteeing secure operation in cooperation with system operators and suppliers.

Dr. Helene Sigloch works as a product security expert at BSH Hausgeräte GmbH, developing and operating IT-secure household appliances and the HomeConnect system. In her presentation, she referred to the challenge of developing secure IoT products together with partners, subsystem suppliers and developers. In addition to cost considerations, quality requirements, future viability, standards and laws also play a key role. Sigloch made it clear that secure product development encompasses the entire life cycle of the product, from secure planning, through development, to the end of life.

Mr. Daniel Angermeier is deputy head of the Product Protection & Industrial Security department at the Fraunhofer Institute for Applied and Integrated Security (Fraunhofer AISEC). During his presentation, he went into detail about IEC 62443. The standard is part of a higher-level series of standards. The key concepts here are risk-oriented security technology, security lifecycle aspects and an explanation of the general principles of what needs to be done. At the end of his presentation, Angermeier identified the key added value aspects of IEC 62443: in addition to security systems, the simplification of value chains, suitable security countermeasures and future regulations also play a role.

Part 6: "Efficiently & successfully qualifying employees for a safe factory"

When 90% of cybersecurity incidents are caused by people, it is worth investing in people's skills. Every employee can be both a threat and a solution. It is therefore necessary to sensitize and qualify everyone in the production environment in an efficient and targeted manner.

This also includes the training of cybersecurity specialists. Professor Dr. Helia Hollmann is head of the Master's degree course in Industrial Security and deputy head of the Institute for Innovative Security HSA_innos at Augsburg University of Applied Sciences (HSA). The Master's degree course in Industrial Security is a certificate course without admission requirements. The course reflects three different perspectives on the topic of IT security: electrical engineers with a focus on the bit level, computer scientists with a focus on the network level and management with a focus on personnel management and IT law. Prof. Hollmann: "The course attempts to reconcile these three aspects. [...] and to train the participants in the Master's course to be particularly good communicators." This is because "security often fails because everyone only sees their own part and can't talk to the others" (Hollmann). Finally, Ms. Hollmann presented the Industrial Security Laboratory, in which many current security topics can be realistically illustrated without the risk of generating damage.

Keeping an eye on the effectiveness and efficiency of training measures, especially in cybersecurity, is of central importance for Jan Veira, Managing Director & Founder of University4Industrie, in the second keynote speech. Reality still works according to the motto "Never change a running system": old systems and bad passwords are still standard and therefore the main problem with IT security in factories. "How can you get employees on board and train them efficiently and successfully for a secure factory?" It is important to tailor and focus the learning content on the various target groups so that everyone learns what they really need and can also deepen their knowledge through application. In cooperation with the VDMA, Fraunhofer Institutes and other partners, the Learn - Explore - Discuss - Act concept was developed, with four elements: online learning content, online labs, group work and discussion, and the definition of the next steps. This can be provided as a learning management system (LMS), either as a cloud-based service or as an in-house solution. It controls the learning process, provides all materials and checks learning progress.

In order to close the gap in employee qualification, targeted training measures in companies are not enough on their own. What is also needed is the demand-oriented further development of study courses for IT security specialists, in-service training and tests for all employees, and further training courses in IT security for managers from industrial sectors.

The thematic platform will continue to keep an eye on this topic.


On Thursday morning, 20.05.2021, part 2 of the series Best Practice IoT Security in the Industrial Environment started. 24 participants accepted the invitation, including six company representatives who offer remote services for customers themselves and four providers of remote service technologies.

In two short keynote speeches, the speakers Tim Maier, Information Security Officer and responsible for the network infrastructure at Groz-Beckert KG, and Steffen Zimmermann, Head of the VDMA Competence Center Industrial Security working group, presented tried-and-tested, secure solutions for remote-controlled machines.

The appearance of security is deceptive

The appearance of security is deceptive, explained Tim Maier during his presentation. Even if IT systems are protected by firewalls, all employees should understand the absolute necessity of cyber security awareness. With regard to purchased machines, Mr. Maier takes the stance "My house, my rules". This is to ensure that the manufacturer of the machine is only allowed to access the machine remotely after prior consultation. In addition, purchasing guidelines for remote access have been drawn up that bind suppliers.

Security only works in cooperation between the manufacturer and operator

Mr. Zimmermann begins by reporting on a VDMA survey in which machine manufacturers stated that they considered the risk of unwanted intrusion by third parties via remote access to be rather unlikely. According to Zimmermann, the biggest gateways for ransomware attacks are not malicious emails, but remote desktop or other remote accesses. Zimmermann cites poor access protection with just a user name and password as the main reason for this. These could sometimes be cracked by simple brute force attacks. At the end of his presentation, Steffen Zimmermann repeatedly made it clear that both manufacturers and operators must not sit back and leave secure operation to the other - security only works when manufacturers and operators work together.

The slides from Mr. Tim Maier can be sent to us on request.

Follow-up report IoT Security Best Practice for Industry - Part 2

On Tuesday morning, June 1, 2021, the third part of the series Best Practice IoT Security in the industrial environment took place. Of the 19 participants, nine stated that they were already running anomaly detection projects. In addition, all respondents stated that their problems could be at least partially solved.

As was the case two weeks ago, two short keynote speeches were given. The two speakers were Stefan Gallenberger, Cybersecurity Consultant at Syskron GmbH, and Klaus Mochalski, founder and Managing Director of Rhebo GmbH. Both have been working in the field of secure data communication and anomaly detection for over 20 years.

A functioning cyber security concept consists of human and technical aspects

At the beginning of his presentation, Gallenberger briefly outlined the relevance of cybersecurity by explaining that cyber criminals are business organizations that specifically want to extort ransom money from companies. This is because the perpetrators know that the loss of production of a single system can cause millions in damage. Gallenberger also made it clear that there is no single approach that can solve 95% of all security problems in a company. A functioning cyber security concept is much more an interplay of different players, both in the human and technical areas.

Over 50% of companies use insecure authentication methods

"Do you actually know what is happening to you?" Klaus Mochalski started his presentation with this question to the audience. In Mochalski's experience, companies often experience a surprise when they see the evaluated data after a two-week audit of an anomaly detection program. Over 60% of the companies surveyed use unnecessary services and devices that should be switched off from a security point of view. In addition, over 50% of the companies used insecure authentication methods with just a user name and password. Gallenberger's final point was that many attacks on systems and firewalls do not initially cause any damage. It is only when firewall rules are changed that major damage to systems can occur. Gallenberger also indicated that this cycle could take several days or weeks and that there was therefore all the time in the world and a good chance of fending off this attack at an early stage. He thus reiterated the need for anomaly detection.

The online seminar from the Best Practice IoT Security in the Industrial Environment series started for the fourth time on Wednesday, June 16, 2021. 27 participants from industry and business accepted the invitation to this event.

The partnership between Maschinenfabrik Reinhausen and Build38 is creating an industrial IoT control system based on smart apps that can be used on Android and Apple iOS smartphones. Why is this necessary?

According to Manuel Sojer from Maschinenfabrik Reinhausen, the energy transition to renewable energies is turning the world of electricity on its head. Traditional, unidirectional power grids from the power plants to the consumers at different voltage levels were easy to protect with just a few nodes. Today, households are also increasingly feeding electricity into the distribution grids. This means that load controllers are also needed in local distribution grids. These devices are smaller, often installed outdoors, distributed in considerable numbers and therefore more complex to protect than substations. A secure user interface is required to parameterize, monitor and maintain these systems. The obvious communication device for this is the smartphone, but does it offer sufficient security?

The central challenge in the IIoT area is a reliable connection

At this point, Christian Schläger makes it clear that the central challenge in the IIoT area is a reliable connection and working with trusted identities. When using apps for industrial plants, especially in critical infrastructure, worlds collide. It is essential that the machine is able to recognize whether the app user really has access authorization and is allowed to issue commands. What sounds simple is all the more challenging to implement. To ensure this, a secure app environment is needed for mobile operating systems. As a spin-off from Giesecke und Devrient, Build38 contributes substantial know-how from other mobile security applications.

The approach of the two companies proves the feasibility and shows that many other areas of application in other infrastructures or machine networking for commissioning, service and condition monitoring and the implementation of digital business models can be opened up with it.


On Tuesday, June 29, 2021, the penultimate part of the seminar series Best Practice IoT Security in the Industrial Environment took place. 24 participants from industry and business attended the event.

The topic of the fifth series was secure product development through governance & architecture - does IEC 62443 help? With networked devices and machines, IT security begins with the development and selection of the IT architecture of devices and the overall system. This applies equally to industry and consumers. On the other hand, the international IEC 62443 series of standards aims to guarantee secure operation in the interaction between system operators and suppliers.

Dr. Helene Sigloch, Product Security Expert at BSH Hausgeräte GmbH, and Mr. Daniel Angermeier, Deputy Head of the Product Protection & Industrial Security department at Fraunhofer AISEC, shared their knowledge with the audience in two presentations.

Secure product development covers the entire product life cycle

Sigloch began her presentation by emphasizing the need for individual suppliers and developers to develop secure products. In addition to cost considerations, quality requirements, future viability, standards and laws also play an important role. Sigloch made it clear that secure product development encompasses the entire life cycle of the product, from secure planning, through development, to the end of life.

IEC 62443: Risk-oriented security technology, security lifecycle aspects

Angermeier went into more detail about IEC 62443 during his presentation. The standard is not a single document but a series of standards, which is itself divided into several sub-series. The main concepts here are risk-oriented security technology, security lifecycle aspects and an explanation of the general principles of what to do and how to do it. At the end of his presentation, Angermeier explained the reasons why IEC 62443 makes sense. In addition to general security aspects, the simplification of value chains, suitable security countermeasures and future regulations also play a role.

"Efficiently & successfully qualify employees for a secure factory" on July 13, 2021, 8:30-9:30 a.m.

When 90% of cybersecurity incidents are caused by people, it is worth investing in people's skills. Every employee can be both a threat and a solution. It is therefore necessary to sensitize and qualify everyone in the production environment in an efficient and targeted manner. The 6th part of our online seminar series Best Practice IoT Security in the industrial environment took place on Tuesday, July 13 on the topic of "Efficiently & successfully qualifying employees for a secure factory". 11 participants from industry and business took part in the event.

Professor Dr. Helia Hollmann is head of the Master's degree course in Industrial Security and deputy head of the Institute for Innovative Security HSA_innos at Augsburg University of Applied Sciences (HSA). The HSA is organized into seven faculties, where 6500 students are currently studying on around 20 Bachelor's and a further 20 Master's courses. The Institute for Innovative Security HSA_innos was founded in 2017 and, in addition to research and teaching, also pursues the purpose of know-how transfer in the IT security environment. The Master's degree course in Industrial Security was presented in a video. This is a certificate course for which there are no admission requirements. The course reflects three different perspectives on the topic of IT security: electrical engineers with a focus on the bit level, computer scientists with a focus on the network level and management with a focus on personnel management and IT law. Prof. Hollmann: "The course attempts to reconcile these three aspects. [...] and to give the participants in the Master's course the ability to communicate. Because the problem is that everyone only sees their own part and can't talk to the others." Finally, Ms. Hollmann presented the Industrial Security Laboratory, in which many current security topics can be realistically illustrated without the risk of causing damage.

Keeping an eye on the effectiveness and efficiency of training measures, especially in cybersecurity, is of central importance, said Jan Veira, Managing Director & Founder of University4Industrie, in the second keynote speech. Reality still works according to the motto "Never change a running system": old systems and bad passwords are still standard and therefore the main problem of IT security in factories. "How can you get employees on board and train them efficiently and successfully for a secure factory?" It is important to configure and focus the learning content on the different target groups so that everyone learns what they really need and can also deepen their knowledge through application. In cooperation with the VDMA, Fraunhofer Institutes and other partners, the Learn - Explore - Discuss - Act concept was developed, with four elements: online learning content, online labs, group work and discussion, and the definition of the next steps.

During the discussion, Mr. Veira was asked how the learning system would be embedded in the companies. He explained that it is possible to book an independently running system (including user administration) or to connect directly to the company's LMS via an API interface. Another question was which approach was more promising: training IT specialists to understand production and industry, or training production specialists in IT security? Ms. Hollmann answered the question with "Both - this is the only way to gain a holistic understanding of the situation." In order to close the gap in employee qualification, targeted training measures in the companies are not enough on their own; the demand-oriented further development of study courses for IT security specialists and in-service training courses in IT security for managers from other industrial sectors are also important.

The thematic platform will continue to keep an eye on this topic.

Your contact

Dr. Roman Götter
+49 911 20671-289
Innovation network Digitization, Project Manager, Bayern Innovativ GmbH, Munich